Attributes and LDAP

Marek Gradzki mgradzki at ost.net.pl
Tue May 23 12:29:09 CEST 2006


Hi,
I am currently running FreeRADIUS 1.0.2 on Solaris 8, with LDAP 
authentication and MySQL accounting,
for PPPoE sessions over ADSL.
Everything works fine, but a problem has appeared lately.
User profiles are stored in a subtree of the LDAP server. Each user has 
an attribute radiusGroupName set to, for example, test.
I would like to define some common attribute values in a group 
profile, which is also stored in
the LDAP server but in a different subtree, and have them imported into the 
user's profile during authentication (the User-Profile := ... entries in the 
users file below are my attempt at this).
At the moment this does not work. Unfortunately I do not have much room to 
experiment, because this is a production
configuration, and I really have no idea how to set up this kind of 
behaviour.
Parts of my config files are below. (Note: the RADIUS shared secret and the 
LDAP bind password appear in the clear in these excerpts; now that they have 
been posted publicly they should be treated as burned and rotated.)
huntgroups:
cisco        NAS-IP-Address == 192.168.0.211

clients.conf:
client 192.168.0.211 {
    # NOTE: a short dictionary-word shared secret, and it is now public. Use a
    # long random value and rotate it; the secret is all that protects
    # User-Password and the Message-Authenticator on the wire.
    secret      = cisco
    nastype     = cisco
    shortname   = c7200vxr
}


radiusd.conf:

# MODULE CONFIGURATION
# Module instances. Only the instances named in a processing section further
# down (authorize, authenticate, preacct, accounting, session, post-proxy, plus
# the instantiate list) are ever invoked; pam, mschap, three of the four realm
# instances, checkval, attr_filter, counter daily, the always instances,
# digest, exec and exec echo are defined here but not referenced by any
# section shown.
modules {
    # PAP: compares the password from the request against the User-Password
    # check item (populated from userPassword by rlm_ldap below), treating the
    # stored value as a crypt(3) hash.
    pap {
        encryption_scheme = crypt
    }

    # NOTE(review): CHAP can only be verified against a cleartext password. If
    # userPassword holds crypt hashes (as the pap setting above suggests), CHAP
    # logins will fail for those users -- confirm which password formats the
    # directory actually contains.
    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

$INCLUDE ${confdir}/eap.conf

    mschap {
        authtype = MS-CHAP
    }

    # LDAP: user lookup under basedn, group membership via radiusGroupName.
    # NOTE(review): the bind DN's password is stored in cleartext here, so keep
    # radiusd.conf readable only by the user radiusd runs as. No tls/start_tls
    # options are set, so the bind and the searches presumably travel over
    # plain LDAP unless the directory servers enforce TLS themselves -- confirm.
    ldap {
        server = "ds1i.ostisp.intra ds2i.ostisp.intra"
        identity = "cn=freeradius,ou=admins,o=radius,dc=ostnet,dc=pl"
        password = radius
        basedn = "ou=users,ou=adsl,o=radius,dc=ostnet,dc=pl"
        # Stripped-User-Name is only set by a realm module; none runs in the
        # authorize section below, so in practice this expands to the raw
        # User-Name.
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = userPassword

        # access_attr is disabled, so any entry matching filter may
        # authenticate; the "Ldap-Group == disabled" entry in the users file
        # is the only per-account gate visible in this configuration.
        # access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap_ext.attrmap
       
        groupname_attribute = radiusGroupName
        # NOTE(review): these two filter terms are not wrapped in an enclosing
        # (&...). rlm_ldap consults groupmembership_attribute on the user
        # entry first and falls back to this filter; whether it wraps the
        # filter in (&(radiusGroupName=...) ...) itself depends on the
        # version -- check the search it issues in `radiusd -X` output.
        groupmembership_filter = 
"(cn=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)"
        groupmembership_attribute = radiusGroupName
       
        ldap_connections_number = 40
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    # Realm parsing. Only the "suffix" instance is referenced (in preacct);
    # IPASS, realmpercent and ntdomain are unused in the sections shown.
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }
   

    # Compares Calling-Station-Id in the request with a Calling-Station-Id
    # check item; not referenced by any section shown.
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
   
    # Assigns Huntgroup-Name from the huntgroups file (used by the users file
    # entries below); all the vendor-specific hacks are switched off.
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    # users / acct_users lookups.
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    # One detail log per client IP per day, created mode 0600.
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    # Same layout for authentication requests. Note: no detailperm here,
    # unlike the other two detail instances.
    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    }

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

    # Acct-Unique-Session-Id is derived from these five attributes.
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, 
Client-IP-Address, NAS-Port"
    }

    # Login records keyed on the stripped user name; consulted by the session
    # section for Simultaneous-Use checks.
    radutmp {
        filename = ${logdir}/radutmp
#        username = %{User-Name}
        username = %{Stripped-User-Name:-%{User-Name}}
        case_sensitive = no
        check_with_nas = yes       
        perm = 0600
        callerid = "no"
    }


    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    # Daily per-user session-time cap (Max-Daily-Session); not referenced by
    # any section shown.
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    # Fixed-result instances, handy for testing; none is referenced below.
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    # Runs /bin/echo with the expanded User-Name as an argument and turns the
    # output into reply items. Not referenced by any section shown.
    # NOTE(review): before routing attacker-controlled attributes through
    # exec instances like this, confirm rlm_exec builds argv itself and does
    # not hand the expanded string to a shell.
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

  
    # The sql instance (MySQL accounting) is defined in sql.conf.
    $INCLUDE ${confdir}/sql.conf
}

# Instantiation
# Instantiated at startup regardless of section use: the stock configuration
# lists expr so the %{expr:...} xlat is available; detail is listed here even
# though no section shown writes to it.
instantiate {
    expr
    detail
}

# Authorization: huntgroup assignment, CHAP detection, LDAP lookup, users file.
# NOTE(review): rlm_ldap reads the User-Profile check item at the moment it
# runs. Here ldap runs before files, so the User-Profile := ... set by the
# DEFAULT entries in the users file arrives too late to be used for the
# profile lookup. Either list files before ldap, or have rlm_ldap find the
# profile DN from an attribute of the user entry (its profile_attribute
# setting) -- verify the order of operations with `radiusd -X`.
authorize {
    preprocess
    chap
    ldap
    files
}


#  Authentication.
# Auth-Type LDAP makes rlm_ldap bind to the directory as the user; PAP and
# CHAP are checked locally against the password fetched during authorize.
authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type LDAP {
        ldap
    }
    Auth-Type PAP {
        pap
    }
    # NOTE(review): unix is listed outside an Auth-Type block. For PPPoE users
    # whose passwords live in LDAP it is not obviously reachable; confirm it
    # is still needed rather than a leftover from the default configuration.
    unix
}


#
#  Pre-accounting.  Decide which accounting type to use.
#
# Pre-accounting. suffix strips an @realm here only; authorize above does not
# call it, so Stripped-User-Name is populated for accounting but not during
# authorization.
preacct {
    preprocess
    acct_unique
    suffix
    files
}

#
#  Accounting.  Log the accounting data.
#
# Accounting records go to MySQL only; none of the detail instances defined
# above is written here.
accounting {
    sql
}


# Simultaneous-Use checks are answered from the radutmp file.
session {
    radutmp
}


# Empty: nothing runs after authentication (no reply_log, no sql post-auth).
post-auth {
}

# Empty: no proxying is configured in the sections shown.
pre-proxy {
}

# NOTE(review): eap is referenced here although no EAP Auth-Type appears in
# authenticate and eap is not called from authorize; presumably a leftover
# from the default configuration -- confirm.
post-proxy {
    eap
}

users:
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
    Reply-Message = "Blocked account."

DEFAULT Huntgroup-Name == cisco, LDAP-Group == ostinternet, User-Profile := "cn=ostinternet,ou=profiles,ou=adsl,o=radius,dc=ostnet,dc=pl"
    Fall-Through = no

DEFAULT Huntgroup-Name == huawei, LDAP-Group == ostinternet, User-Profile := "cn=ostinternet,ou=profiles,ou=adsl,o=radius,dc=ostnet,dc=pl"
    Fall-Through = no


Please write if you have any ideas.
Thanks in advance.

