ldap groups + freeradius
Karen R McArthur
kmcarthu at bates.edu
Mon Mar 12 20:37:18 CET 2007
I know this question has been asked many times before. I have searched
the archives and I have tried what I've found there, but I can't seem to
get this working.
RedHat EL 4 (managed through RHN, so latest available versions)
freeradius-1.0.1-3
openldap-2.2.13-6
I have 4 NAS-IP-Addresses.
My users are split into 6 groups (some are in multiple groups): public,
faculty, staff, student, vpn, and admin.
I would like the users to get access to the NAS by virtue of being in a
group.
192.168.1.1: admin
192.168.1.2: vpn
192.168.1.3 & 192.168.1.4: faculty, staff, student & public
What steps do I need to follow to implement this? I have tried many
combinations in "huntgroups", "users", and "radiusd.conf".
Any directions or urls to documentation would be appreciated.
Thank you.
--
Karen R. McArthur <kmcarthu at bates.edu>
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236 fax:(207)786-6057
*****some ldif output******
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: staff
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: student

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: faculty
radiusGroupName: vpn

dn: cn=vpn,ou=ldap-auth,dc=example,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user3,ou=People,dc=example,dc=com

dn: cn=vpn,ou=profiles,ou=radius,ou=services,dc=example,dc=com
objectClass: radiusprofile
cn: vpn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
*********** radiusd.conf ************
ldap {
        server = "ldap.example.com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        basedn = "ou=People,dc=example,dc=com"
        identity = "cn=lnxproxy,ou=LDAPauth,dc=example,dc=com"
        password = itsasecret
        start_tls = no
        tls_cacertfile = /usr/share/ssl/certs/ca-cert.pem
        tls_cacertdir = /usr/share/ssl/certs/
        tls_certfile = /usr/share/ssl/certs/cert.pem
        tls_keyfile = /usr/share/ssl/certs/key.pem
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
***** users *****
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
DEFAULT Ldap-Group == "cn=vpn,ou=ldap-auth,dc=example,dc=com",
        Fall-Through = no
********** huntgroups **********
admin   NAS-IP-Address == 192.168.1.1
        Session-Timeout = 60,
        Idle-Timeout = 30,
        Ldap-Group = admin
public  NAS-IP-Address == 192.168.1.3
        NAS-IP-Address == 192.168.1.4,
        Idle-Timeout = 3600,
        Ldap-Group = public,
        Ldap-Group = faculty,
        Ldap-Group = staff,
        Ldap-Group = student
vpn     NAS-IP-Address == 192.168.1.2
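The NAS-to-group mapping asked about above, written as an added example that is not from this thread or the poster's files. It assumes FreeRADIUS 1.x with `preprocess` running before `files` in the authorize section (the default) and `ldap` listed there as well, and it relies on the radiusGroupName values shown in the LDIF (the `groupmembership_attribute`) for the Ldap-Group comparisons. The huntgroups file only names the NAS; the users file pairs each Huntgroup-Name with an Ldap-Group check and denies everything that matches no pair.

```text
# huntgroups: map each NAS-IP-Address to a huntgroup name only.
# Two lines with the same name put both NASes in the same huntgroup.
admin   NAS-IP-Address == 192.168.1.1
vpn     NAS-IP-Address == 192.168.1.2
public  NAS-IP-Address == 192.168.1.3
public  NAS-IP-Address == 192.168.1.4

# users: preprocess sets Huntgroup-Name from the huntgroups file, so each
# entry below matches only when the NAS and the LDAP group both match.
# Ldap-Group as a check item is evaluated by rlm_ldap (radiusGroupName
# value on the user entry, or the groupOfNames member search).
DEFAULT Huntgroup-Name == "admin", Ldap-Group == "admin"
        Fall-Through = No

DEFAULT Huntgroup-Name == "vpn", Ldap-Group == "vpn"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Fall-Through = No

# Several groups are allowed on the public NASes: one entry per group,
# any one of them stops processing on a match.
DEFAULT Huntgroup-Name == "public", Ldap-Group == "public"
        Fall-Through = No
DEFAULT Huntgroup-Name == "public", Ldap-Group == "faculty"
        Fall-Through = No
DEFAULT Huntgroup-Name == "public", Ldap-Group == "staff"
        Fall-Through = No
DEFAULT Huntgroup-Name == "public", Ldap-Group == "student"
        Fall-Through = No

# Reached only when no NAS/group pair matched: deny explicitly rather
# than letting a later module authorize the user anyway.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not authorized on this NAS"
```

Run `radiusd -X` and send a request from (or with the NAS-IP-Address of) each NAS to see which users entry the files module reports as matched; a user in vpn only should be rejected on 192.168.1.1.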