Group checking in ldap authorization
I have an ldap module that I want to force to do group checking. Reading the documentation, it seems that there should be an attribute (I'm assuming control?) that should force that check ? i.e. instance-name-Ldap-Group .. I notice that the ldap module seems to have group checking disabled by default. I thought that uncommenting the group config below should enable it ? # # Group membership checking. Disabled by default. # groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))" groupmembership_attribute = radiusGroupName Below is what I have in my authorization section. I update control { ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu" } ldapADut { notfound = reject } Looking at the debug, it seems that there is no attempt to actually do any group checking ? What am I doing wrong ? Thanks, Robert
On 22/03/11 14:24, Robert Roll wrote:
Below is what I have in my authorization section. I
update control { ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu" }
ldapADut { notfound = reject }
Where did you get this from? It's totally wrong. Try: if (Ldap-Group == chemVLAN) { } Ldap-Group (or modname-Ldap-Group) is a "virtual" attribute, that will perform the group membership check when you run a comparison.
The below is out of the .../share/doc/freeradius/rlm_ldap Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set ? DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com" Also, the part about the specific instance Ldap-Group is: Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like ... Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module ? Thanks, Robert From .../share/doc/freeradius/rlm_ldap -------------------------------------------------------------------------------------------------------- GROUP SUPPORT: The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module has been instanciated it can be used to do group membership checks through other modules. For example in the users file: DEFAULT Ldap-Group == "disabled", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" DNs are also accepted as Ldap-Group values, i.e.: DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like: ldap myname { [...] } we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the ldap module is instantiated *before* the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Phil Mayers [p.mayers@imperial.ac.uk] Sent: Tuesday, March 22, 2011 8:46 AM To: freeradius-users@lists.freeradius.org Subject: Re: Group checking in ldap authorization On 22/03/11 14:24, Robert Roll wrote:
Below is what I have in my authorization section. I
update control { ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu" }
ldapADut { notfound = reject }
Where did you get this from? It's totally wrong. Try: if (Ldap-Group == chemVLAN) { } Ldap-Group (or modname-Ldap-Group) is a "virtual" attribute, that will perform the group membership check when you run a comparison. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This does seem to work differently than I thought.. My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time... i.e. ntlm_auth ... --require-membership-of={SID|Name} What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group... There are other ways of accomplishing this .... Thanks, Robert ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Robert Roll [Robert.Roll@utah.edu] Sent: Tuesday, March 22, 2011 11:21 AM To: FreeRadius users mailing list Subject: RE: Group checking in ldap authorization The below is out of the .../share/doc/freeradius/rlm_ldap Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set ? DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com" Also, the part about the specific instance Ldap-Group is: Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like ... Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module ? Thanks, Robert From .../share/doc/freeradius/rlm_ldap -------------------------------------------------------------------------------------------------------- GROUP SUPPORT: The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module has been instanciated it can be used to do group membership checks through other modules. For example in the users file: DEFAULT Ldap-Group == "disabled", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" DNs are also accepted as Ldap-Group values, i.e.: DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like: ldap myname { [...] } we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the ldap module is instantiated *before* the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Phil Mayers [p.mayers@imperial.ac.uk] Sent: Tuesday, March 22, 2011 8:46 AM To: freeradius-users@lists.freeradius.org Subject: Re: Group checking in ldap authorization On 22/03/11 14:24, Robert Roll wrote:
Below is what I have in my authorization section. I
update control { ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu" }
ldapADut { notfound = reject }
Where did you get this from? It's totally wrong. Try: if (Ldap-Group == chemVLAN) { } Ldap-Group (or modname-Ldap-Group) is a "virtual" attribute, that will perform the group membership check when you run a comparison. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03/22/2011 06:15 PM, Robert Roll wrote:
This does seem to work differently than I thought..
Yeah, like I say: it's a virtual attribute that does the group search when you "compare" it.
My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time...
i.e. ntlm_auth ... --require-membership-of={SID|Name}
Nope, different.
What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group...
There are other ways of accomplishing this ....
I think you may want the LDAP "profiles" stuff? Or, use an xlat: update reply { Tunnel-Private-Group-Id = "%{ldap:<ldap query url here>}" }
Thanks for helping me to understand this. I think the way this really works has more utility than what I was thinking. I can actually accomplish what I want using two ldap instance authorizations. One for the User look up, then one for the Group VLAN setting. There were going to be two ldap queries in any case... Thanks, Robert ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Phil Mayers [p.mayers@imperial.ac.uk] Sent: Wednesday, March 23, 2011 3:14 AM To: freeradius-users@lists.freeradius.org Subject: Re: Group checking in ldap authorization On 03/22/2011 06:15 PM, Robert Roll wrote:
This does seem to work differently than I thought..
Yeah, like I say: it's a virtual attribute that does the group search when you "compare" it.
My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time...
i.e. ntlm_auth ... --require-membership-of={SID|Name}
Nope, different.
What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group...
There are other ways of accomplishing this ....
I think you may want the LDAP "profiles" stuff? Or, use an xlat: update reply { Tunnel-Private-Group-Id = "%{ldap:<ldap query url here>}" } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Roll wrote:
The below is out of the .../share/doc/freeradius/rlm_ldap
Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set ?
DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com"
No. See the "man users" page. The above example *compares* the LDAP-Group.
Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module ?
You can't set it. It's intended to *check* if a user is a member of a particular LDAP group. Why would you want to set it? You don't have write access to LDAP, to set the group for a user? If you need a temporary place to store a value, don't use LDAP-Group. Use a locally-defined attribute. See raddb/dictionary for documentation. Alan DeKok.
participants (3)
-
Alan DeKok -
Phil Mayers -
Robert Roll