Different behaviour with LDAP
Þórður Ívarsson
toti at skrin.is
Wed Aug 31 14:28:57 CEST 2005
I am authorizing wireless network cards in the "users" file with a radius server (old Cistron radius), and that is working fine.
Entry like:
121212-232323 Auth-Type = Accept
Only a network card matching the above entry gets access.
Now I am building a new radius server with FreeRadius, and user information and passwords are kept in Open-LDAP.
I have the following entry in my "users" file:
DEFAULT Huntgroup-Name == "wireless", Service-Type == Framed-User, Autz-Type:=zldap-macaddr, Auth-Type := Accept
Fall-Through = No
and this is in "radiusd.conf":
ldap ldap-macaddr {
server = "localhost"
identity = "cn=manager,dc=skrin,dc=local"
password = kept_secret
basedn = "ou=users,ou=internet,dc=skrin,dc=local"
filter = "(&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))"
base_filter = "(objectclass=radiusprofile)"
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
#
# password_attribute = userPassword
#
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
}
I also have different sections for different huntgroups of the LDAP entry in radiusd.conf for other services, and they work fine.
The behaviour of the radius server is like this: authorize the client/user (match against huntgroup and LDAP attribute search), then authenticate the user (trying to log into the LDAP server with user/password). But I have Auth-Type = Accept, which I understand allows everyone that matches the authorize section. This breaks: it allows everyone that matches the huntgroup but fails authorize. Is this normal or not?
Þórður Ívarsson
Skrín ehf
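A small model of the authorize flow described in the message above, added here as an illustration (it is not FreeRADIUS code and not the poster's configuration). It follows the FreeRADIUS 1.x default rules for combining module return codes in the authorize section: reject/fail/invalid/handled/userlock stop the section, while notfound, noop, ok and updated only raise the section's result. The LDAP directory contents and the "strict" variant, which treats a missed MAC lookup as reject, are assumptions made for the example.

```python
# Model (added example, not FreeRADIUS code) of how FreeRADIUS 1.x combines
# module return codes in the authorize section. Codes in STOP end the section;
# the others continue, and the section result is the highest-priority code seen.
PRIORITY = {"notfound": 1, "noop": 2, "ok": 3, "updated": 4}
STOP = {"reject", "fail", "invalid", "handled", "userlock"}

# Constructed LDAP directory: MAC addresses that carry radiusGroupName=wireless.
LDAP_DIRECTORY = {"121212-232323": {"radiusGroupName": "wireless"}}

def files_module(request, check):
    """The 'users' file entry: a huntgroup match sets Autz-Type and Auth-Type."""
    if request.get("Huntgroup-Name") != "wireless":
        return "notfound", check
    check = {**check, "Autz-Type": "ldap-macaddr", "Auth-Type": "Accept"}
    return "updated", check

def ldap_macaddr_module(request, check):
    """The ldap-macaddr instance: filter on macAddress and radiusGroupName."""
    entry = LDAP_DIRECTORY.get(request["User-Name"])
    if not entry or entry.get("radiusGroupName") != "wireless":
        return "notfound", check
    return "ok", check

def authorize(request, modules):
    """Run modules in order and combine their codes the way modcall does."""
    check, result = {}, "noop"
    for module in modules:
        code, check = module(request, check)
        if code in STOP:
            return code, check
        if PRIORITY[code] > PRIORITY[result]:
            result = code
    return result, check

def decide(request, modules):
    """Authorize, then authenticate using the Auth-Type left in the check items.
    Simplification: only Auth-Type = Accept leads to an Access-Accept here."""
    code, check = authorize(request, modules)
    if code in STOP:
        return "Access-Reject"
    return "Access-Accept" if check.get("Auth-Type") == "Accept" else "Access-Reject"

def access_decision(request):
    """The configuration from the message: Auth-Type := Accept is preset, and a
    notfound from the LDAP lookup does not stop the section."""
    return decide(request, [files_module, ldap_macaddr_module])

def access_decision_strict(request):
    """Assumed hardening: a missed MAC lookup is treated as reject."""
    def strict_ldap(request, check):
        code, check = ldap_macaddr_module(request, check)
        return ("reject" if code == "notfound" else code), check
    return decide(request, [files_module, strict_ldap])
```

Running `access_decision` on a MAC that is absent from the directory shows the acceptance the message reports, because the notfound from the lookup never lowers the "updated" result set by the users file while Auth-Type Accept is already in place.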