Multiple (different) LDAP servers and authorisation

Stewart James Stewart.James at vu.edu.au
Wed Aug 15 16:18:13 CEST 2007


Thanks Phil

> 1. For PAP, you can authenticate the user by asking the LDAP module to
> to an LDAP simple bind with the pap username/password
> 2. For MS-CHAP, you install samba, join the domain, and use the
> "ntlm_auth" helper binary in the mschap module

Option 1 is the way things are being handled at the moment (LDAP simple bind), and I should probably mention there is no radius-specific schema.

Half my problem here is that I am totally new to radius of any type, but Alan's mention before of retrieving the password had me start to look at how things are being done at the moment. I was nicely confused because the current configuration does check for group memberships on the Novell LDAP server, BUT it had no lines in the authorize section saying to actually check for groups. This is when I came to the conclusion that LDAP-Group == "something" was this funky lookup for authorisation by files detecting the LDAP-Group directive and getting the ldap module to do a lookup.

I have also learnt that the LDAP module also sets up direct access to the ldap servers, so AD-LDAP-Group and Novell-LDAP-Group can be referenced in the users file e.g.

DEFAULT Auth-Type=LDAP, AD-LDAP-Group == "somegoup"
         Pass-Through=Yes
DEFAULT Auth-Type=LDAP, Novell-LDAP-Group == "somegoup"
         Pass-Through=Yes

And with an authenticate section like:
authenticate {
...
     Auth-Type LDAP {
             AD {
                notfound=2
              }
             Novell {
                notfound=2
              }
     }
...
}

This does have the desired effect: if I log into the system with an AD user/pass (who is in "somegroup") I can log in; if I authenticate with a Novell user/pass, it fails on the first "DEFAULT" entry but passes down to the Novell entry. The Auth-Type LDAP section handles itself quite nicely for authentication: it does a search for the DN and, if not found, falls down to the Novell server. Of course if/when it finds the user's DN, it then does an LDAP simple bind.

If I set it up so there is just one line in the users file:
DEFAULT Auth-Type=LDAP, LDAP-Group == "somegoup"
         Pass-Through=Yes

Radius only checks the first ldap server (configured in the module section). If it fails (e.g. the first ldap server is Novell and you are trying to authenticate an AD user), it never goes on to check any other servers.

And that is just about the top to bottom of my entire freeradius knowledge.

I am now down to trying to figure out how to control the LDAP-Group membership lookup in a way that does not mean adding additional entries to the users file. I get the feeling this would not scale too well and that I would not be able to give any redundancy; either that, or there would need to be a "DEFAULT" entry for each LDAP server (so if you have 4 AD servers and 4 Novell servers that would be a total of 8 entries in the users file).

The above solution would probably work just fine for our purposes - we are only talking about a 6 month window of having both directory services - I always like to try and be complete, if only for someone else doing something similar in 5 years time :)

I also have to apologise, I am at home with "outlook web^H^H^HIE access", so I hope things come out correctly...of course any spelling mistakes are purely the fault of the webmail client ;)

Cheers,

Stewart
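As an added illustration (not part of Stewart's message or of the FreeRADIUS distribution), here are the two rlm_ldap instances that the AD-LDAP-Group / Novell-LDAP-Group users-file entries and the Auth-Type LDAP section above rely on, in a FreeRADIUS 1.x style radiusd.conf; every hostname, bind identity, password and base DN is a placeholder.

```conf
# Added example (not from the original message): the two rlm_ldap
# instances behind AD-LDAP-Group / Novell-LDAP-Group. Every hostname,
# bind identity, password and base DN below is a placeholder.
modules {
    ldap AD {
        server = "ad.example.local"
        identity = "cn=radius,cn=Users,dc=example,dc=local"
        password = "CHANGE-ME"
        basedn = "dc=example,dc=local"
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # AD keeps membership in memberOf on the user and member on the group
        groupname_attribute = cn
        groupmembership_attribute = memberOf
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        # protect the simple bind (the user's cleartext password) in transit
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/ad-ca.pem
    }
    ldap Novell {
        server = "edir.example.local"
        identity = "cn=radius,o=example"
        password = "CHANGE-ME"
        basedn = "o=example"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        # eDirectory uses groupMembership on the user, member on the group
        groupname_attribute = cn
        groupmembership_attribute = groupMembership
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
        start_tls = yes
        tls_cacertfile = /etc/raddb/certs/edir-ca.pem
    }
}
authorize {
    preprocess
    # the users file holds the DEFAULT entries keyed on AD-LDAP-Group / Novell-LDAP-Group
    files
}
authenticate {
    Auth-Type LDAP {
        # notfound = 2 lets the request fall through to the next instance only when
        # the DN search finds nobody; a rejected bind keeps its default "return",
        # so a wrong password is not retried against the second directory
        AD {
            notfound = 2
        }
        Novell {
            notfound = 2
        }
    }
}
```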
