Configure authentication via LDAP Group membership issue [sec=unclassified]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Wed Oct 31 01:20:36 CET 2007 

_______________________________

	From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of
David Hobley
	Sent: Wednesday, 31 October 2007 10:50
	To: FreeRadius users mailing list
	Subject: Re: Configure authentication via LDAP Group membership
issue
	
	
	All,
	
	I have still not been able to find a solution for this, it looks
like I might be able to use an xlat rule for it, but I can't get my head
around how to write it. Can anyone point me to suitable documentation
for xlat - while I have read all the docco that comes with the
FreeRadius (in /usr/share) I am missing something in order to apply it.
	
	Cheers,
	David
	----- Original Message -----
	From: "David Hobley" <david.hobley at mionegroup.com>
	To: freeradius-users at lists.freeradius.org
	Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000)
Australia/Brisbane
	Subject: Configure authentication via LDAP Group membership
issue
	
	
	I have set up a VPN pointing to a FreeRadius server and have it
	authenticating successfully against my LDAP server, but I would
also like to
	limit access to only those people who are a member of the VPN
group.
	
	Normally, this would be simple, but because of the LDAP server I
am using,
	the hierarchy looks like this:
	
	User Account:
	
	ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN"
"(uid=firstname.lastname)"
	dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
	uidNumber: 1024
	...
	
	Group entry is:
	
	ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
	dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
	memberUid: 1024
	...
	
	So I need to somehow configure Radius to search on me, get my
uidNumber and
	then search on the group. If I skip the searching to get the
uidNumber, I
	can configure the Radius (for this single account) correctly:
	
	In the ldap module I include:
	                ...
	                groupname_attribute = cn
	                groupmembership_filter = "(memberUid=1024)"
	with the following entry in the users file:
	
	DEFAULT Auth-Type = LDAP
	        Fall-Through = 1
	
	DEFAULT LDAP-Group == "VPN Users"
	        Service-Type = Administrative-User
	
	and this works as expected, but is there any way I can
substitute the 1024
	for an ldap search result so I can dynamically return the
uidNumber for the
	%{User-Name} field?
	
	Thanks!
	
	Cheers,
	David
	
	
The memberUid attribute in a posixgroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
"(memberUid=%{User-Name})" or more robustly, 
groupmembership_filter =
"(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGrou
p))"

Regards,
Frank Ranner

More information about the Freeradius-Users mailing list