LDAP authorizedService attribute matching

Owen DeLong owen at delong.com
Thu Oct 12 07:06:57 CEST 2006


I've got an LDAP database which works with PAM and uses PosixAccounts to describe users. It uses the authorizedService attribute to specify which services the user is allowed to log into.

I've configured freeradius to map authorizedService -> Service-Type and have set up Service-Type as a check attribute.

I'm running:
(radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 10 2006 at 13:13:55)

For example, say user foo has:

dn: uid=foo, ou=people, dc=zone, dc=example, dc=com
...
authorizedService: sshd
authorizedService: vpn
authorizedService: xdm
...

I would like this user to succeed authenticating against RADIUS if Service-Type in the request matches sshd, vpn, or xdm, but not if it contains anything else.

Is there a way to set up this comparison in freeradius?

I've read the FAQ, but I haven't found a way to do this. I've included debug output below, just in case. Any help, especially a specific set of "put this in x configuration file here and it should work" type help, is greatly appreciated.



Thanks,

Owen


Test authentication command (the username, password, and domain name have been replaced to preserve the anonymity of the implementation in question):

In this case, user foo has authorizedService attributes with the following values:
	passwd
	login
	sshd
	xdm
	gdm
	sudo
	su


(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-type = sshd" ) | \
		radclient localhost auth testing123

results in:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
         User-Name = "foo"
         User-Password = "xyzzy"
         Service-Type = sshd
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
     rlm_realm: Found realm "NULL"
     rlm_realm: Adding Stripped-User-Name = "foo"
     rlm_realm: Proxying request from user owen to realm NULL
     rlm_realm: Adding Realm = "NULL"
     rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat:  '(uid=foo)'
radius_xlat:  'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for owen is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
   rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/xyzzy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user owen authenticated succesfully
   modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 37 to 127.0.0.1 port 32772
Finished request 0
Going to the next request
--- Walking the entire request list ---
Received response ID 37, code 2, length = 20
Waking up in 6 seconds...

Which is correct.  However, because the following does not fail:

(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-type = vpn" ) | \
		radclient localhost auth testing123

I suspect it's just that anything succeeds whether it matches or not.

Here is the debug output for the VPN test:

rad_recv: Access-Request packet from host 127.0.0.1:32772, id=39, length=50
         User-Name = "foo"
         User-Password = "xyzzy"
         Service-Type = vpn
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "chap" returns noop for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
     rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
     rlm_realm: Found realm "NULL"
     rlm_realm: Adding Stripped-User-Name = "foo"
     rlm_realm: Proxying request from user foo to realm NULL
     rlm_realm: Adding Realm = "NULL"
     rlm_realm: Authentication realm is LOCAL.
   modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat:  '(uid=foo)'
radius_xlat:  'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for foo is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
   modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
   rad_check_password:  Found Auth-Type ldap
auth: type "LDAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/n0t4u2c! to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user foo authenticated succesfully
   modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 39 to 127.0.0.1 port 32772
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
Received response ID 39, code 2, length = 20
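Both transcripts above end in an Access-Accept, for the permitted Service-Type (sshd) and for the one that should be refused (vpn). The script below is an added example, not code from this post or from the FreeRADIUS project. It parses the rlm_ldap "Adding ... as Service-Type, value ... & op=21" check-item lines and the rad_recv request attributes out of such a transcript, evaluates the any-of allow-list policy the post asks for, and flags a transcript as fail-open when radiusd accepted a request that the allow-list would reject. Two things are assumed rather than stated in the post: that op=21 is the `==` comparison operator, and that a check-item list is evaluated all-must-match; the transcript snippets are condensed from the post's debug output.

```python
import re

# Constructed sample input, condensed from the two radiusd debug transcripts
# in the post: the rlm_ldap check-item lines are identical for both requests.
CHECK_ITEM_LINES = """\
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
"""

DEBUG_SSHD = """\
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
         User-Name = "foo"
         Service-Type = sshd
""" + CHECK_ITEM_LINES + """\
rlm_ldap: user foo authorized to use remote access
Sending Access-Accept of id 37 to 127.0.0.1 port 32772
"""

DEBUG_VPN = """\
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=39, length=50
         User-Name = "foo"
         Service-Type = vpn
""" + CHECK_ITEM_LINES + """\
rlm_ldap: user foo authorized to use remote access
Sending Access-Accept of id 39 to 127.0.0.1 port 32772
"""

# "Adding <ldap attr> as <radius attr>, value <v> & op=<n>" as printed by rlm_ldap
CHECK_RE = re.compile(r"Adding (\S+) as (\S+), value (\S+) & op=(\d+)")
# Indented "<Attr> = <value>" lines that rad_recv prints for the request
REQ_RE = re.compile(r'^[ \t]+([\w-]+) = "?([^"\n]*?)"?$', re.M)

# Assumption: op=21 is the "==" comparison operator (the FreeRADIUS operator
# numbering is not stated in the post).
OP_CMP_EQ = 21


def parse_check_items(debug):
    """Return the check items rlm_ldap built as (radius_attr, value, op) tuples."""
    return [(m.group(2), m.group(3), int(m.group(4))) for m in CHECK_RE.finditer(debug)]


def parse_request(debug):
    """Return the Access-Request attributes as a {name: value} dict."""
    return {m.group(1): m.group(2) for m in REQ_RE.finditer(debug)}


def all_check_items_match(check_items, request):
    """All-must-match model of a check-item list (an assumption, not from the
    post): every '==' item has to hold against the request, so several distinct
    'Service-Type == <value>' items can never all hold for one request."""
    for attr, value, op in check_items:
        if op != OP_CMP_EQ:
            continue  # other operators are outside this example
        if request.get(attr) != value:
            return False
    return True


def allowlist_permits(check_items, request):
    """The policy the post asks for: accept when the request's Service-Type
    equals ANY of the authorizedService values, reject everything else."""
    allowed = {value for attr, value, _ in check_items if attr == "Service-Type"}
    return request.get("Service-Type") in allowed


def audit(debug):
    """Compare what radiusd did with what the allow-list says it should do;
    fail_open is the condition a regression test should alert on."""
    items = parse_check_items(debug)
    req = parse_request(debug)
    accepted = "Sending Access-Accept" in debug
    permitted = allowlist_permits(items, req)
    return {
        "service_type": req.get("Service-Type"),
        "accepted": accepted,
        "allowlist_permits": permitted,
        "fail_open": accepted and not permitted,
        "all_items_match": all_check_items_match(items, req),
    }


if __name__ == "__main__":
    for label, transcript in (("sshd", DEBUG_SSHD), ("vpn", DEBUG_VPN)):
        print(label, audit(transcript))
```

Run against the condensed vpn transcript, `audit` reports `fail_open` as True, which is the condition to keep in a test that sends a permitted and a non-permitted Service-Type after every configuration change. The `all_items_match` field is False for both transcripts: under the all-must-match model assumed here, a list of seven distinct `Service-Type == value` check items cannot express an any-of allow-list, which is why the intended policy is modelled separately in `allowlist_permits`.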
