Troube with matching LDAP group membership in authorize
Richard Hesse
rhesse at yahoo.com
Tue Jan 30 21:40:36 CET 2007
I'm trying to setup radius authentication for enable access on our networking gear and having a tough time getting a working config. I'd like to have FR check a group in LDAP for membership before authorizing. That is, I only want user's listed in the "uniquemember" attribute of the Operations group object to be granted access. Reading the FR docs this is possible -- I must be missing something. First, here are the relevant portions of my configs:
Hint file:
DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := LDAP
radius.conf:
ldap ldap_enable{
server = "fds1.hq.powerset.com"
basedn = "dc=powerset,dc=com"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
start_tls = yes
tls_cacertfile = /opt/fedora-ds/alias/starfield.pem
tls_require_cert = "demand"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
# ldap_debug = 1
# groupname_attribute = cn
groupmembership_filter = "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))"
timeout = 4
timelimit = 3
net_timeout = 3
# compare_check_items = yes
# do_xlat = yes
access_attr_used_for_allow = no
set_auth_type = no
}
I have several LDAP instances defined in radius.config, but this is the one I want to use. I instantiate it first in radius.config so that hints can use it:
instantiate {
ldap_enable
exec
expr
}
And a corresponsing Autz-Type in radius.config:
authorize {
preprocess
suffix
ntdomain
eap
autztype ldap{
redundant {
fds1
# fds2
}
}
autztype ldap_enable{
ldap_enable
}
files
pap
}
Here's the debug output from when I try and connect:
rad_recv: Access-Request packet from host 64.13.145.238:1024, id=96, length=71
User-Name = "dick"
User-Password = "$$$$$$$$"
NAS-IP-Address = 64.13.145.238
NAS-Identifier = "h2848-1"
NAS-Port-Type = Virtual
Service-Type = NAS-Prompt-User
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
hints: Matched DEFAULT at 35 <--- This is the correct entry
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "dick", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "dick", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns ok) for request 0
It appears that FR is ignoring the Autz-Type I set in hints and just processes the entries in authorize in sequential order. This is the default behavior unless an Autz-Type is explicitly set (which I do in hints). How do I get the Autz-Type to kick-in and have FR send the request to the proper LDAP entry?
Thanks in advance,
-richard
____________________________________________________________________________________
Sucker-punch spam with award-winning protection.
Try the free Yahoo! Mail Beta.
http://advision.webevents.yahoo.com/mailbeta/features_spam.html
More information about the Freeradius-Users
mailing list