SUMMARY: ldap groups + freeradius

Karen R McArthur kmcarthu at bates.edu
Fri Mar 23 16:13:09 CET 2007


Thank you to this list!  I am posting snips from my "users",
"radiusd.conf" and "huntgroup" files that work.

********** huntgroups **********
admin           NAS-IP-Address == 192.168.1.1
                Session-Timeout = 60,
                Idle-Timeout = 30

public          NAS-IP-Address == 192.168.1.2
                NAS-IP-Address == 192.168.1.3,
                Idle-Timeout = 3600

vpn             NAS-IP-Address == 192.168.1.4

********** radiusd.conf **********
<snip>
ldap {
        server = "ldap.example.com"
        port = xxxx
        identity = "cn=proxy,dc=example,dc=com"
        password = itsasecret
        basedn = "ou=People,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
<snip>

********** users **********
<snip>
DEFAULT Auth-Type = LDAP
        Fall-Through = yes

DEFAULT Huntgroup-Name == public, Ldap-Group == public
        Reply-Message = "Welcome to the dial-in service",
        Fall-Through = no

DEFAULT Huntgroup-Name == admin, Ldap-Group == admin
        Reply-Message = "Welcome to the admin Terminal Server",
        Fall-Through = no

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
        Reply-Message = "Welcome to the VPN Gateway",
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not authorized to use this service.  If you believe you have received this message in error, please contact our Helpdesk."
<snip>

***** user ldap record *****
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn

-- 
Karen R. McArthur <kmcarthu at bates.edu>
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236   fax:(207)786-6057


> 
> RedHat EL 4 (managed through RHN, so latest available versions)
> freeradius-1.0.1-3
> openldap-2.2.13-6
> 
> I have 4 NAS-IP-Addresses.
> 
> My users are split into 6 groups (some are in multiple groups): public,
> faculty, staff, student, vpn, and admin.
> 
> I would like the users to get access to the NAS by virtue of being in a
> group.
> 
> 192.168.1.1
> 	admin
> 192.168.1.2
> 	vpn
> 192.168.1.3 & 192.168.1.4
> 	faculty, staff, student & public
> 
> What steps do I need to follow to implement this?  I have tried many
> combinations in "huntgroups", "users", and "radiusd.conf".
> 
> Any directions or urls to documentation would be appreciated.
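The decision the posted files produce, written out as an added example (not code from the post or from FreeRADIUS): NAS-IP-Address to Huntgroup-Name, radiusGroupName values to Ldap-Group, then the DEFAULT entries walked in file order with Fall-Through semantics, ending in the catch-all Reject. The tables and the matching rules below are reconstructed from the post as assumptions, and the final Reply-Message is shortened.

```python
# Added model of the posted huntgroups/users walk; constructed, not FreeRADIUS code.
# NAS IP -> Huntgroup-Name, radiusGroupName values -> Ldap-Group, then the
# DEFAULT entries in file order with Fall-Through semantics (assumed from the post).

HUNTGROUPS = {"admin": {"192.168.1.1"},              # huntgroup -> NAS-IP-Address
              "public": {"192.168.1.2", "192.168.1.3"},
              "vpn": {"192.168.1.4"}}

LDAP_GROUPS = {"user1": {"public", "vpn", "admin"},  # uid -> radiusGroupName values
               "user2": {"public"},
               "user3": {"public", "vpn"}}

# DEFAULT entries as (check items, Auth-Type (operator, value), Reply-Message, Fall-Through).
USERS_FILE = [
    ({}, ("=", "LDAP"), None, True),
    ({"Huntgroup-Name": "public", "Ldap-Group": "public"}, None, "Welcome to the dial-in service", False),
    ({"Huntgroup-Name": "admin", "Ldap-Group": "admin"}, None, "Welcome to the admin Terminal Server", False),
    ({"Huntgroup-Name": "vpn", "Ldap-Group": "vpn"}, None, "Welcome to the VPN Gateway", False),
    ({}, (":=", "Reject"), "You are not authorized to use this service.", False),
]

def huntgroup_for(nas_ip):
    """First huntgroup whose NAS-IP-Address check matches the request, else None."""
    return next((name for name, ips in HUNTGROUPS.items() if nas_ip in ips), None)

def check_item_matches(attr, wanted, request):
    """Ldap-Group is multi-valued (one radiusGroupName per value); others compare equal."""
    if attr == "Ldap-Group":
        return wanted in request["Ldap-Group"]
    return request.get(attr) == wanted

def authorize(uid, nas_ip):
    """Walk the DEFAULT entries in order; return (Auth-Type, Reply-Message)."""
    request = {"Huntgroup-Name": huntgroup_for(nas_ip),
               "Ldap-Group": LDAP_GROUPS.get(uid, set())}
    auth_type, reply = None, None
    for check, auth, message, fall_through in USERS_FILE:
        if not all(check_item_matches(a, v, request) for a, v in check.items()):
            continue                      # a check item failed: try the next entry
        op, value = auth or (None, None)
        if op == ":=" or (op == "=" and auth_type is None):
            auth_type = value             # "=" only fills an unset value; ":=" overrides
        reply = message or reply
        if not fall_through:
            break                         # Fall-Through = no: stop at this entry
    return auth_type, reply
```

A user whose groups match no entry for the NAS they hit, an unknown NAS, or an unknown uid all fall through to the last entry, which is what makes the posted layout fail closed.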

