Freeradius with LDAP and in second LDAP Authorization or Proxying
Good Morning i have a problem with the Set-Up i have to do. we have two types of costumers (managed and unmanaged). In our Setup we get all access-requests to the same radius server. In this radius Server then we have to decide if we have to proxying the request (unmanaged costumer) or authorize against our LDAP server (unmanaged costumer). The information if the costumer ist managed/unmanaged along with proxy and user information is in the same ldap and i have to query it first for deciding what to do. Is such a setup possible with freeradius? My specs: Ubuntu 16.04 FreeRADIUS Version 2.2.8 (2.2.8+dfsg-0.1build2 from apt) The basic setup with authorization/authentication against the ldap is running very well, but the extension with the unmanaged costumers give my head ache. I need help to find the right direction to run. Thanks Jörn
Hi,
i have a problem with the Set-Up i have to do. we have two types of costumers (managed and unmanaged). In our Setup we get all access-requests to the same radius server. In this radius Server then we have to decide if we have to proxying the request (unmanaged costumer) or authorize against our LDAP server (unmanaged costumer). The information if the costumer ist managed/unmanaged along with proxy and user information is in the same ldap and i have to query it first for deciding what to do. Is such a setup possible with freeradius?
My specs: Ubuntu 16.04 FreeRADIUS Version 2.2.8 (2.2.8+dfsg-0.1build2 from apt)
The basic setup with authorization/authentication against the ldap is running very well, but the extension with the unmanaged costumers give my head ache. I need help to find the right direction to run.
so you authorize already? if so, what LDAP attribute (group etc) can you use to distinguish the 2 types? just use that as the basis for unlang in authorize {}, just after ldap, you can do eg if (%{LDAP-Group} == "unmanaged"){ update control { Proxy-to-Realm := unmanaged } updated } and then in proxy.cofn set up an 'unmanaged' server group to send the request to. note, none of the above is validated/errer-free/tested, theres probably at least a few syntax errors but it will give you the fundamental idea... alan
Thanks for the reply, i think it was the kick in the right direction. But now i have other problems.
so you authorize already? if so, what LDAP attribute (group etc) can you use to distinguish the 2 types? just use that as the basis for unlang in authorize {}, just after ldap, you can do eg if (%{LDAP-Group} == "unmanaged"){ update control { Proxy-to-Realm := unmanaged } updated } my LDAP section looks like this: ldap-kap-costumertype if ("%{ManageType}" == unmanaged){ update control { Proxy-to-Realm := unmanaged } updated }
The ManageType value i have added in ldap.attrmap and in dictionary as string. the server starts up and checks for the value in "ManageType" when i send an test request. But the value that he have found in the ldap is not in the Variable. see log output: [ldap-kap-costumertype] performing user authorization for test [ldap-kap-costumertype] expand: ou=%{Group-Name} -> ou=test.dt [ldap-kap-costumertype] expand: dc=domain,dc=de -> dc=domain,dc=de [ldap-kap-costumertype] ldap_get_conn: Checking Id: 0 [ldap-kap-costumertype] ldap_get_conn: Got Id: 0 [ldap-kap-costumertype] attempting LDAP reconnection [ldap-kap-costumertype] (re)connect to test:636, authentication 0 [ldap-kap-costumertype] setting TLS mode to 1 [ldap-kap-costumertype] bind as cn=radiusbinduser,ou=admins,dc=domain,dc=de/XXXXXXX to test:636 [ldap-kap-costumertype] waiting for bind result ... [ldap-kap-costumertype] Bind was successful [ldap-kap-costumertype] performing search in dc=domain,dc=de, with filter ou=test.dt [ldap-kap-costumertype] No default NMAS login sequence [ldap-kap-costumertype] looking for check items in directory... [ldap-kap-costumertype] businessCategory -> ManageType == "unmanaged" [ldap-kap-costumertype] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap-kap-costumertype] ldap_release_conn: Release Id: 0 ++[ldap-kap-costumertype] = ok ++? if ("%{ManageType}" == unmanaged) expand: %{ManageType} -> ? Evaluating ("%{ManageType}" == unmanaged) -> FALSE ++? if ("%{ManageType}" == unmanaged) -> FALSE
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Jörn Volkhausen