Problem with LDAP and Groups

Bryan Evege bryan at
Wed Oct 10 22:08:04 CEST 2007

Hello all.  First off here's what I want to accomplish in the end.  Use 
LDAP as the backend to store all user information including radius 
attributes, shell info and access to specific devices in specific 
locations.  For example, Johnny needs access to all linux boxes in 
Atlanta and priv-level 15 on  cisco routers in Denver.  Fred needs 
read/write access to all packet shappers in Denver and read only to all 
cisco devices in Atlanta and Denver.  You get the picture.

I've setup a test server following the document in 
/opt/freeradius/share/doc/freeradius/ldap_howto.txt without much 
difficulty.  This method does a good job of allowing only certain groups 
to access certain devices without messing with the huntgroups.

Here's the problem.  When a user logs in and is a member of more than 
one group radius only uses the first one to match.  I've included the 
users file below.  For example, if the user is a member of the cisco 
group and the packeteer group only the packeteer group information gets 
passed back because it is found before the cisco group.

Is there a way to say that the request is from a Cisco box so only look 
for the user in the cisco group?  If the user is then found in that 
group then pass back the correct attributes from their profile.  I know 
I would have to define what a "cisco box" is, probably by IP. 

Please let me know if this is even possible and if so provide an 
example.  If it is not possible please provide some direction on how to 
go about doing this.

Freeradius 1.1.7

*_Users file_*

DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled.  Please call the helpdesk."

DEFAULT Ldap-Group == packeteer_read_only,User-Profile := 
Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == Packeteer,User-Profile := 
"uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == netscreen,User-Profile := 
"uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_15,User-Profile := 
"uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := 
        Fall-Through = no

DEFAULT Ldap-Group == cisco_priv_1,User-Profile := 
"uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Ldap-Group == netscreen,User-Profile := 
"uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP

DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."

DEFAULT Auth-Type = System
        fall-Through = 1

Radiusd.conf ldap section

    ldap {
        server = "localhost"
        identity = "cn=Manager,dc=csctus,dc=net"
        password =  xxxxxxx
        basedn = "ou=users,ou=radius,dc=csctus,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        #start_tls = yes

        # tls_cacertfile    = /path/to/cacert.pem
        # tls_cacertdir        = /path/to/ca/dir/
        # tls_certfile        = /path/to/radius.crt
        # tls_keyfile        = /path/to/radius.key
        # tls_randfile        = /path/to/rnd
        # tls_require_cert    = "demand"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #default_profile = 
        #profile_attribute = "radiusProfileDn"
        #access_attr = "DialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10

        # NOTICE: The password_header directive is NOT case insensitive
        # password_header = "{clear}"
        # Set:
        #    password_attribute = nspmPassword
        # to get the user's password from a Novell eDirectory
        # backend. This will work *only if* freeRADIUS is
        # configured to build with --with-edir option.
        #  The server can usually figure this out on its own, and pull
        #  the correct User-Password or NT-Password from the database.
        #  Note that NT-Passwords MUST be stored as a 32-digit hex
        #  string, and MUST start off with "0x", such as:
        #    0x000102030405060708090a0b0c0d0e0f
        #  Without the leading "0x", NT-Passwords will not work.
        #  This goes for NT-Passwords stored in SQL, too.
        password_attribute = userPassword
        # Un-comment the following to disable Novell eDirectory account
        # policy check and intruder detection. This will work *only if*
        # FreeRADIUS is configured to build with --with-edir option.
        groupname_attribute = radiusGroupName
        #groupmembership_filter = 
        groupmembership_filter = 
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
        #  By default, if the packet contains a User-Password,
        #  and no other module is configured to handle the
        #  authentication, the LDAP module sets itself to do
        #  LDAP bind for authentication.
        #  You can disable this behavior by setting the following
        #  configuration entry to "no".
        #  allowed values: {no, yes}
        # set_auth_type = yes

dn: dc=csctus,dc=net
objectClass: dcObject
objectClass: organizationUnit
ou: Radius
dc: csctus

dn: ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: radius

dn: ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: profiles

dn: ou=users,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: users

dn: ou=admins,ou=radius,dc=csctus,dc=net
objectclass: organizationalunit
ou: admins

dn: uid=dial,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedRouting: None

dn: uid=cisco,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: cisco
radiusReplyItem: Cisco-AVPair ="priv-lvl=15"

dn: uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: packeteer
radiusReplyItem: Packeteer-AVPair = "access=touch"

dn: uid=isdn,ou=profiles,ou=radius,dc=csctus,dc=net
objectclass: radiusprofile
uid: isdn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedRouting: None

dn: uid=example,ou=users,ou=radius,dc=csctus,dc=net
objectclass: radiusProfile
uid: example
userPassword: test
radiusGroupName: dial
radiusGroupName: isdn

dn: uid=bevege,ou=users,ou=radius,dc=csctus,dc=net
radiusGroupName: cisco_priv_15
radiusGroupName: Packeteer
objectClass: radiusprofile
uid: bevege
userPassword: {MD5}xxxxxxxxx

dn: cn=freeradius,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: freeradius
cn: freeradius
userPassword: freeradius

dn: cn=billing,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: billing
cn: billing
userPassword: billing

dn: cn=replica,ou=admins,ou=radius,dc=csctus,dc=net
objectclass: person
sn: replica
cn: replica
userPassword: replica



More information about the Freeradius-Users mailing list