LDAP authorizedService attribute matching
Owen DeLong
owen at delong.com
Thu Oct 12 07:06:57 CEST 2006
I've got an LDAP database which works with PAM and uses PosixAccounts to describe users. It uses the authorizedService attribute to specify which services the user is allowed to log into.
I've configured freeradius to map authorizedService -> Service-Type and have set up Service-Type as a check attribute.
I'm running:
(radiusd: FreeRADIUS Version 1.1.3, for host i686-pc-linux-gnu, built on Oct 10 2006 at 13:13:55)
For example, say user foo has:
dn: uid=foo, ou=people, dc=zone, dc=example, dc=com
...
authorizedService: sshd
authorizedService: vpn
authorizedService: xdm
...
I would like this user to succeed authenticating against RADIUS if Service-Type in the request matches sshd, vpn, or xdm, but not if it contains anything else.
Is there a way to set up this comparison in freeradius?
I've read the FAQ, but I haven't found a way to do this. I've included debug output below, just in case. Any help, especially a specific set of "put this in x configuration file here and it should work" type help, is greatly appreciated.
Thanks,
Owen
Test authentication command (the username, password, and domain name have been replaced to preserve the anonymity of the implementation in question):
In this case, user foo has authorizedService attributes with the following values:
passwd
login
sshd
xdm
gdm
sudo
su
(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-type = sshd" ) | \
radclient localhost auth testing123
results in:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=37, length=50
User-Name = "foo"
User-Password = "xyzzy"
Service-Type = sshd
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "foo"
rlm_realm: Proxying request from user owen to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat: '(uid=foo)'
radius_xlat: 'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as / to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for owen is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/xyzzy to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user owen authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: leaving group LDAP (returns ok) for request 0
Sending Access-Accept of id 37 to 127.0.0.1 port 32772
Finished request 0
Going to the next request
--- Walking the entire request list ---
Received response ID 37, code 2, length = 20
Waking up in 6 seconds...
Which is correct. However, because the following does not fail:
(echo "User-Name = foo" ; echo "User-Password = xyzzy"; echo "Service-type = vpn" ) | \
radclient localhost auth testing123
I suspect it's just that anything succeeds whether it matches or not.
Here is the debug output for the VPN test:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=39, length=50
User-Name = "foo"
User-Password = "xyzzy"
Service-Type = vpn
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "foo", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "foo"
rlm_realm: Proxying request from user foo to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for foo
radius_xlat: '(uid=foo)'
radius_xlat: 'ou=people,dc=zone,dc=example,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=zone,dc=example,dc=com, with filter (uid=foo)
rlm_ldap: checking if remote access for foo is allowed by authorizedService
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding authorizedService as Service-Type, value passwd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value login & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sshd & op=21
rlm_ldap: Adding authorizedService as Service-Type, value xdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value gdm & op=21
rlm_ldap: Adding authorizedService as Service-Type, value sudo & op=21
rlm_ldap: Adding authorizedService as Service-Type, value su & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user foo authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
rad_check_password: Found Auth-Type ldap
auth: type "LDAP"
Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "foo" with password "xyzzy"
rlm_ldap: user DN: uid=foo,ou=people,dc=zone,dc=example,dc=com
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=foo,ou=people,dc=zone,dc=example,dc=com/n0t4u2c! to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user foo authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 39 to 127.0.0.1 port 32772
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
Received response ID 39, code 2, length = 20
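The acceptance rule the post asks for, modelled as a stand-alone script so the expected decisions can be checked before touching the server configuration. This is an added example; it is not from the post and not FreeRADIUS code. It parses an LDIF fragment like the one in the post, collects the multi-valued authorizedService attribute, parses a request in the "Attribute = value" form fed to radclient, and returns Access-Accept only when the request's Service-Type is one of the user's authorizedService values. Any other value, a request with no Service-Type, or an entry with no authorizedService at all gets Access-Reject (default deny). The two LDIF entries below are constructed from the post: the first from the example (sshd, vpn, xdm), the second from the values shown in the debug output, where vpn is absent and the post says the request was nevertheless accepted.

```python
"""Model of the authorizedService -> Service-Type check discussed in the post.

Added example, not part of the post and not FreeRADIUS code. All data below
is constructed from the values shown in the post.
"""
from typing import Dict, List, Set

# Constructed entry modelled on the post's example for user foo.
EXAMPLE_LDIF = """\
dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
objectClass: posixAccount
uid: foo
authorizedService: sshd
authorizedService: vpn
authorizedService: xdm
"""

# Constructed entry with the values the debug output shows (no vpn).
DEBUG_LDIF = """\
dn: uid=foo,ou=people,dc=zone,dc=example,dc=com
objectClass: posixAccount
uid: foo
authorizedService: passwd
authorizedService: login
authorizedService: sshd
authorizedService: xdm
authorizedService: gdm
authorizedService: sudo
authorizedService: su
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values.

    LDAP attribute names are case-insensitive, so they are lower-cased.
    Repeated attributes (multi-valued ones such as authorizedService)
    accumulate into the list instead of overwriting each other.
    """
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_request(text: str) -> Dict[str, str]:
    """Parse 'Attribute = value' lines (the form piped into radclient)."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        name, _, value = line.partition("=")
        attrs[name.strip().lower()] = value.strip().strip('"')
    return attrs


def authorized_services(entry: Dict[str, List[str]]) -> Set[str]:
    """Set of services the entry permits (lower-cased for comparison)."""
    return {v.lower() for v in entry.get("authorizedservice", [])}


def decide(request: Dict[str, str], entry: Dict[str, List[str]]) -> str:
    """Accept only if Service-Type is one of the authorizedService values.

    Missing Service-Type, or an entry without any authorizedService, is a
    reject: the policy is default deny, the opposite of the behaviour the
    post reports (everything accepted regardless of match).
    """
    allowed = authorized_services(entry)
    requested = request.get("service-type")
    if requested is None or not allowed:
        return "Access-Reject"
    return "Access-Accept" if requested.lower() in allowed else "Access-Reject"


def run_case(service_type: str, ldif: str = EXAMPLE_LDIF) -> str:
    """Evaluate a request for user foo carrying the given Service-Type."""
    request_text = (
        "User-Name = foo\n"
        "User-Password = xyzzy\n"
        f"Service-Type = {service_type}\n"
    )
    return decide(parse_request(request_text), parse_ldif_entry(ldif))


if __name__ == "__main__":
    for svc in ("sshd", "vpn", "xdm", "login", "su"):
        print(f"example entry: Service-Type = {svc:<6} -> {run_case(svc)}")
    print(f"debug entry:   Service-Type = vpn    -> {run_case('vpn', DEBUG_LDIF)}")
```

Run against the entry from the debug output, `run_case("vpn", DEBUG_LDIF)` returns Access-Reject, which is the outcome the second radclient test in the post should have produced; comparing the server's real decisions against this table for each Service-Type value is a quick way to confirm whether a configuration change has actually made the check effective.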