Freeradius, EAP-PEAP, LDAP and users file...
Marco Gaiarin
gaio at sv.lnf.it
Wed Apr 2 18:02:41 CEST 2008
[i'm not subscribed to this list, so, please, put me on CC]
I've just set up a 'test installation' of freeradius on a debian etch
box (using freeradius 1.1.3, recompiled by me to support EAP-TLS).
In my environment there's always an LDAP server that serves, among other
things, also a samba3 server using standard stuff (smbldap-tools, ...).
Clearly my users are mostly (ahem, totally ;( ) Windows XP SP2.
Firstly I set up all the stuff using winbind/ntlm_auth to do the
MS-CHAP auth, but because I know that in LDAP the NT-Password is
simply stored, and looking at the (deprecated) /etc/smbpasswd module
with the aid of some googling, I finally reached a good (for me)
working point: the ldap module extracts the NT-Password and gives it to
the mschap module for authentication, with the bonus of group filtering,
all in LDAP (I've disabled 'unix')...
The only strangeness I've found is that I was forced to insert an
explicit 'deny' rule in the users file, e.g. my users are:
DEFAULT Service-Type == Framed-User, Ldap-Group == "ced"
DEFAULT Service-Type == Framed-User, Ldap-Group == "diramm"
DEFAULT Service-Type == Framed-User, Ldap-Group == "ricerca"
DEFAULT Service-Type == Framed-User, Ldap-Group == "*", Auth-Type := Reject
        Reply-Message = "Gruppo non autorizzato"
If I remove the last entry, users get authenticated.
But wasn't the users file 'no match, no party'? What am I missing?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
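Added example (not from the original mail): a small Python model of how the FreeRADIUS users file is walked, illustrating why a file in which nothing matches does not reject the request. It assumes one Ldap-Group value per request and treats "*" as a wildcard purely for the illustration; the "ospiti" group is a constructed sample value.

```python
# Model of rlm_files "users" evaluation (added example, not FreeRADIUS code):
# entries are tried top to bottom; the first matching entry wins unless it
# sets Fall-Through = Yes; if no entry matches, nothing is added and the
# request simply continues to authentication (here: mschap, using the
# NT-Password the ldap module pulled from the directory).
# Check items are (attribute, operator, value); "==" compares against the
# request, ":=" sets a control item such as Auth-Type.

FRAMED = ("Service-Type", "==", "Framed-User")

USERS_FILE = [  # the three group entries from the mail
    ([FRAMED, ("Ldap-Group", "==", "ced")], {}),
    ([FRAMED, ("Ldap-Group", "==", "diramm")], {}),
    ([FRAMED, ("Ldap-Group", "==", "ricerca")], {}),
]

# the explicit 'deny' entry; "*" is modelled as a wildcard (assumption)
CATCH_ALL = ([FRAMED, ("Ldap-Group", "==", "*"), ("Auth-Type", ":=", "Reject")],
             {"Reply-Message": "Gruppo non autorizzato"})


def entry_matches(checks, request):
    """All '==' check items must match the request (':=' items never fail)."""
    return all(value == "*" or request.get(attr) == value
               for attr, op, value in checks if op == "==")


def evaluate(users, request):
    """Walk the users file; return (control items, reply items)."""
    control, reply = {}, {}
    for checks, replies in users:
        if not entry_matches(checks, request):
            continue
        control.update({a: v for a, op, v in checks if op == ":="})
        reply.update(replies)
        if reply.get("Fall-Through") != "Yes":
            break  # first match stops processing
    return control, reply


def outcome(users, request):
    """What the users file alone decides for this request."""
    control, reply = evaluate(users, request)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", reply
    # no match / no Auth-Type override: the request is NOT rejected here,
    # it goes on to mschap, which accepts if the MS-CHAP response verifies
    return "continue to mschap", reply


# constructed sample: a user whose group is not in any entry
GUEST = {"Service-Type": "Framed-User", "Ldap-Group": "ospiti"}
```

Run `outcome(USERS_FILE, GUEST)` and `outcome(USERS_FILE + [CATCH_ALL], GUEST)` to see the difference the last entry makes.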