Combining LDAP authentication and UNIX groups

Paul Stepowski p.stepowski at qut.edu.au
Thu Oct 19 02:30:24 CEST 2006


Thanks Alan,

This answers my question.  Now that I know that this can be done with
freeradius, I can move on to figuring out how to get my configuration right.

When I try to auth with a valid LDAP user and password with radclient, the
authentication fails. e.g.

$ (echo "User-Name = stepowsk" && echo "User-Password = ********") | radclient
-r 1 -x css-radius auth testing123
Sending Access-Request of id 28 to 131.181.118.217:1812
        User-Name = "stepowsk"
        User-Password = "********"
rad_recv: Access-Reject packet from host 131.181.118.217:1812, id=28, length=20

Freeradius in debug mode tells me that the request is not matching on the entry
in the users file.  I have verified that the I can authenticate with the LDAP
account.  I have verified the user name is in the groups file.  Freeradius debug
output follows:

---snip---
rad_recv: Access-Request packet from host 131.181.118.217:34366, id=161, length=48
        User-Name = "stepowsk"
        User-Password = "********"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "stepowsk", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 161 to 131.181.118.217:34366
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 161 with timestamp 4536c533
Nothing to do.  Sleeping until we see a request.
---snip---

Any help would be much apprectiated.

The following shows my system setup and config files:

$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 4 (Nahant Update 4)

$ rpm -qi freeradius
Name        : freeradius                   Relocations: (not relocatable)
Version     : 1.0.1                             Vendor: Red Hat, Inc.
---snip---

$ cat /etc/raddb/users
DEFAULT Group == "paul", Auth-Type = LDAP
        Reply-Message = "LDAP auth",
        Fall-Through = No

$ cat /etc/raddb/group
users:x:1:csslog,csslog2
paul:x:2:stepowsk
css:x:3:csslog2

$ cat /etc/raddb/radiusd.conf | grep -v '#' | grep -v ^$
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib
pidfile = ${run_dir}/radiusd.pid
user = radiusd
group = radiusd
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 131.181.118.217
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
modules {
        pap {
                encryption_scheme = crypt
        }
        chap {
                authtype = CHAP
        }
        pam {
                pam_auth = radiusd
        }
        unix {
                cache = no
                cache_reload = 600
passwd = /etc/raddb/passwd
shadow = /etc/raddb/shadow
group = /etc/raddb/group
                radwtmp = ${logdir}/radwtmp
        }
$INCLUDE ${confdir}/eap.conf
        mschap {
                authtype = MS-CHAP

        }
        ldap {
                server = "ldap.qut.edu.au"
                port = 389
                basedn = "ou=people,dc=qut,dc=edu,dc=au"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                ldap_connections_number = 5
                timeout = 3
                timelimit = 3
                net_timeout = 3
                start_tls = yes
                tls_cacertfile  = /etc/raddb/cacert.pem
                tls_require_cert        = "demand"
                identity = "********"
                password = ********
                password_attribute = ********
                dictionary_mapping = ${raddbdir}/ldap.attrmap
        }
        realm IPASS {
                format = prefix
                delimiter = "/"
                ignore_default = no
                ignore_null = no
        }
        realm suffix {
                format = suffix
                delimiter = "@"
                ignore_default = no
                ignore_null = no
        }
        realm realmpercent {
                format = suffix
                delimiter = "%"
                ignore_default = no
                ignore_null = no
        }
        realm ntdomain {
                format = prefix
                delimiter = "\\"
                ignore_default = no
                ignore_null = no
        }
        checkval {
                item-name = Calling-Station-Id
                check-name = Calling-Station-Id
                data-type = string
        }

        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
        }
        $INCLUDE  ${confdir}/sql.conf

        radutmp {
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                perm = 0600
                callerid = "yes"
        }
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
        counter daily {
                filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
        expr {
        }
        digest {
        }
        exec {
                wait = yes
                input_pairs = request
        }
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
        ippool main_pool {
                range-start = 192.168.1.1
                range-stop = 192.168.3.254
                netmask = 255.255.255.0
                cache-size = 800
                session-db = ${raddbdir}/db.ippool
                ip-index = ${raddbdir}/db.ipindex
                override = no
                maximum-timeout = 0
        }
}
instantiate {
        exec
        expr
}
authorize {
        preprocess
        chap
        mschap
        suffix
        eap
        files
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
}
session {
        radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
        eap
}



Alan DeKok wrote:
> Paul Stepowski <p.stepowski at qut.edu.au> wrote:
>> Is it possible to authenticate users against LDAP and also check if
>> the username exists in a local UNIX group.
> 
>   Yes.  But you really don't need to authenticate against LDAP.
> Configure the server to pull the cleartext password from LDAP, and the
> server will figure it out...
> 
>> I tried to combine these two in various way, e.g.
>>
>> - ---snip---
>> DEFAULT	Group == "paul", Auth-Type = LDAP,
>> 	Fall-Through = No
>> - ---snip---
>>
>> But I couldn't get this to work, probably because LDAP has no concept of a
>> "Group". 
> 
>   Huh?  No.
> 
>   That configuration will work IF the user is in a local Unix group.
> 
>   And PLEASE read the FAQ for questions like "it doesn't work".
> You're going out of your way to avoid giving information that may
> enable people to help you.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 



More information about the Freeradius-Users mailing list