noob with some questions

P. K. pbk105 at
Mon Jul 31 19:08:19 CEST 2006

Hi All,

I've been setting up my College's first FreeRadius server and I've been 
having a hard time wrapping my brain around the config with the 
documentation that is available. If you'll bear with me here through 
this super long post, I'll go into more depth.

What I'm trying to do:
I want to configure FreeRadius to Authorize a user against an LDAP 
directory based on IF that user has the following values:
*edupersonprimaryaffiliation: *STAFF


*edupersonprimaryaffiliation: *Faculty

If the user's values don't match either of these two condition, they are 
rejected. If they match either, then they are authenticated agains a 
kerberos server.

I've got the basic configuration working in that FreeRadius will go out 
to the LDAP directory (right now it just seems to check if the attribute 
exists but does not make a judgement on it) and then it will go out to 
the Kerberos server and Authenticate.

I want to now add the conditions I stated above but I'm a bit lost this 
point. At first I thought that this was something the CheckValue module 
should handle, then I thought maybe it should just be a part of the  
filter in the LDAP module, then I thought about maybe the values need to 
be in the dictionary files. At this point, it became apparent that I 
simply don't understand how FreeRadius handles itself. It is not 
apparent to me how or where FreeRadius makes its decisions on 
conditional values. This is where I hope some of you can help. I really 
like FreeRadius in that it is obviously a quality product, but as it is 
with the documentation and my lack of Radius experience, I just can't 
seem to get at the last piece of this puzzle.

Right now, I have the following settings (with debug output further down)
radiusd.conf, LDAP module:

ldap {
                server = ""
                # identity = "cn=admin,o=My Org,c=UA"
                # password = mypass
                basedn = "dc=psu,dc=edu"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                # base_filter = "(objectclass=radiusprofile)"

                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with normal
                # ldap connections instead of using ldaps (port 689) 
                start_tls = no

                # tls_cacertfile        = /path/to/cacert.pem
                # tls_cacertdir         = /path/to/ca/dir/
                # tls_certfile          = /path/to/radius.crt
                # tls_keyfile           = /path/to/radius.key
                # tls_randfile          = /path/to/rnd
                # tls_require_cert      = "demand"

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_attr = "psadminarea"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                # NOTICE: The password_header directive is NOT case 
                # password_header = "{clear}"
                # Set:
                #       password_attribute = nspmPassword
                # to get the user's password from a Novell eDirectory
                # backend. This will work *only if* freeRADIUS is
                # configured to build with --with-edir option.
                #  The server can usually figure this out on its own, 
and pull
                #  the correct User-Password or NT-Password from the 
                #  Note that NT-Passwords MUST be stored as a 32-digit hex
                #  string, and MUST start off with "0x", such as:
                #       0x000102030405060708090a0b0c0d0e0f
                #  Without the leading "0x", NT-Passwords will not work.
                #  This goes for NT-Passwords stored in SQL, too.
                # password_attribute = userPassword
                # Un-comment the following to disable Novell eDirectory 
                # policy check and intruder detection. This will work 
*only if*
                # FreeRADIUS is configured to build with --with-edir option.
                # edir_account_policy_check=no
                # groupname_attribute = cn
                # groupmembership_filter = 
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
                # access_attr_used_for_allow = yes

                #  By default, if the packet contains a User-Password,
                #  and no other module is configured to handle the
                #  authentication, the LDAP module sets itself to do
                #  LDAP bind for authentication.
                #  You can disable this behavior by setting the following
                #  configuration entry to "no".
                #  allowed values: {no, yes}
                # set_auth_type = yes

In the file dictionary:
ATTRIBUTE       Is_Smeal_Member                 3998    string
ATTRIBUTE       Is_Smeal_Fac_Staff_Member       3999    stringModule: 
Loaded preprocess
 preprocess: huntgroups = "/etc/freeradius/huntgroups"
 preprocess: hints = "/etc/freeradius/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded LDAP
 ldap: server = ""
 ldap: port = 389
 ldap: net_timeout = 1
 ldap: timeout = 4
 ldap: timelimit = 3
 ldap: identity = ""
 ldap: tls_mode = no
 ldap: start_tls = no
 ldap: tls_cacertfile = "(null)"
 ldap: tls_cacertdir = "(null)"
 ldap: tls_certfile = "(null)"
 ldap: tls_keyfile = "(null)"
 ldap: tls_randfile = "(null)"
 ldap: tls_require_cert = "allow"
 ldap: password = ""
 ldap: basedn = "dc=psu,dc=edu"
 ldap: filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
 ldap: base_filter = "(objectclass=radiusprofile)"
 ldap: default_profile = "(null)"
 ldap: profile_attribute = "(null)"
 ldap: password_header = "(null)"
 ldap: password_attribute = "(null)"
 ldap: access_attr = "psadminarea"
 ldap: groupname_attribute = "cn"
 ldap: groupmembership_filter = 
 ldap: groupmembership_attribute = "(null)"
 ldap: dictionary_mapping = "/etc/freeradius/ldap.attrmap"
 ldap: ldap_debug = 0
 ldap: ldap_connections_number = 5
 ldap: compare_check_items = no
 ldap: access_attr_used_for_allow = yes
 ldap: do_xlat = yes
 ldap: edir_account_policy_check = yes
 ldap: set_auth_type = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file 
rlm_ldap: LDAP psadminarea mapped to RADIUS Is_Smeal_Member
rlm_ldap: LDAP edupersonprimaryaffiliation mapped to RADIUS 
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS 
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS 
rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS 
rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
conns: 0x811b320
Module: Instantiated ldap (ldap)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded files
 files: usersfile = "/etc/freeradius/users"
 files: acctusersfile = "/etc/freeradius/acct_users"
 files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = 
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/var/log/freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
 thread: start_servers = 5
 thread: max_servers = 32
 thread: min_spare_servers = 3
 thread: max_spare_servers = 10
 thread: max_requests_per_server = 0
 thread: cleanup_delay = 5
Thread spawned new child 1. Total threads in pool: 1
Thread spawned new child 2. Total threads in pool: 2
Thread spawned new child 3. Total threads in pool: 3
Thread spawned new child 4. Total threads in pool: 4
Thread spawned new child 5. Total threads in pool: 5
Thread pool initialized
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
Thread 1 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host, id=180, length=58
--- Walking the entire request list ---
Waking up in 31 seconds...
Threads: total/active/spare threads = 5/0/5
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
        User-Name = "pbk105"
        User-Password = "xxxxxxxxxxxxx"
        NAS-IP-Address =
        NAS-Port = 0
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "pbk105", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for pbk105
radius_xlat:  '(uid=pbk105)'
radius_xlat:  'dc=psu,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to, authentication 0
rlm_ldap: bind as / to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=psu,dc=edu, with filter (uid=pbk105)
rlm_ldap: checking if remote access for pbk105 is allowed by psadminarea
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding edupersonprimaryaffiliation as 
Is_Smeal_Fac_Staff_Member, value STAFF & op=21
rlm_ldap: Adding psadminarea as Is_Smeal_Member, value BUSINESS & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: user pbk105 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_krb5: verify_krb_v5_tgt: host key not found : No such file or directory
  modcall[authenticate]: module "krb5" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 180 to port 32778
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
--- Walking the entire request list ---
Cleaning up request 0 ID 180 with timestamp 44ce2b92

In the ldap.attr file:
checkitem       Is_Smeal_Member                 psadminarea
checkitem       Is_Smeal_Fac_Staff_Member       edupersonprimaryaffiliation

Debug Output:

Paul Kuchinski
Network Administrator
Smeal College of Business Administration
Penn State University

email: pbk105 at
phone: (814)865-0366
fax:   (814)865-1845

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list