one RADIUS server per realm setup

Wm. Josiah Erikson wjerikson at hampshire.edu
Tue Jan 29 23:02:22 CET 2008


I appear to have gotten this working by adding the following to my 
authorize {} section:

if (Realm == "localdomain.edu") {
    files
    ldap
}

Obviously removing the reference to "files" and "ldap" from elsewhere in 
the authorize section. Then I do LDAP group checking in the users file 
like this:

# Allow Students
DEFAULT Ldap-Group == 30

# ...and Staff
DEFAULT Ldap-Group == 40

# ...and Faculty
DEFAULT Ldap-Group == 50

# ...and nobody else!
DEFAULT         Auth-Type := Reject
                Reply-Message = "Only current faculty, staff or students are allowed to log in."

...and in radiusd.conf, the following non-default config in the ldap 
section to establish how to find Ldap-Group:

                base_filter = "(objectclass=posixAccount)"
                groupname_attribute = gidNumber
                groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))"
                groupmembership_attribute = gidNumber

And then I have set up my proxy hosts for other realms (domains) in 
proxy.conf

This seems to accomplish what I want, which is to check LDAP groups 
during authorization only if the realm is local.

I'm not sure what the syntax rules for the authorize{} section of the 
config files are; I was unable to find any description in the docs of 
how one goes about figuring out how to write these conditional 
statements. What language is it? It seems C-like, but only kind of. Did I 
miss this in the documentation? And the only way I could tell that I 
could use the variable "Realm" is because it was in the debugging output 
of freeradius. I couldn't find a list of available variables on the 
wiki, other than 
http://wiki.freeradius.org/Run-time_variables#Conditional_syntax , which 
is very incomplete and not self-explanatory.

I'm just confused as to how I was supposed to figure all this out 
without doing what I did, which was bang my head against the wall for a 
long time. I kinda figured there was some default way I was supposed to 
be doing what I was doing, but I gave up and did what feels like a 
"hack" to me. Is it OK? Am I missing a clear place where all of this is 
described?

This is a fabulous piece of software, and I appreciate its license, its 
functionality, and its highly-configurable nature, I just feel like I'm 
missing something :)

All the best,

    -Josiah



Wm. Josiah Erikson wrote:
> I see. I can, indeed, remove Auth-Type := LDAP from the users file and 
> it still works. Cool!
>
> However, the behavior described in the documentation is not what I'm 
> seeing, and I'm still getting (contrary to what I said in my previous 
> email) authorization requests not being proxied, even though I have, 
> in my authorize section, the "suffix" directive previous to "files" 
> and "ldap", which is where I check the LDAP group....
>
> If my realm is @hampshire.edu, everything works as I want it to, 
> because it doesn't proxy. But when I try to authenticate as a fake 
> user in my test proxy realm (I just want to see it try to proxy), it 
> looks in the local LDAP database! Huh? It says it's preparing to proxy 
> <authentication>, as it should... how do I make it either proxy 
> authorization as well, or skip authorization for non-local domains? 
> How should I go about this?
>
> I must be misunderstanding something. I don't want it to do anything 
> locally if I've set it to proxy! I get the following relevant output 
> from freeradius -X:
>
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 127.0.0.1 port 34022, 
> id=118, length=66
>        User-Name = "dude at testdomain.edu"
>        User-Password = "passwowrd"
>        NAS-IP-Address = 172.20.66.104
>        NAS-Port = 1
> +- entering group authorize
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
>    rlm_realm: Looking up realm "testdomain.edu" for User-Name = 
> "dude at testdomain.edu"
>    rlm_realm: Found realm "testdomain.edu"
>    rlm_realm: Adding Stripped-User-Name = "dude"
>    rlm_realm: Proxying request from user dude to realm testdomain.edu
>    rlm_realm: Adding Realm = "testdomain.edu"
>    rlm_realm: Preparing to proxy authentication request to realm 
> "testdomain.edu"
> ++[suffix] returns updated
> ++[unix] returns notfound
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
>        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to ldap.hampshire.edu:389, authentication 0
> rlm_ldap: bind as uid=tu, ou=account, dc=hampshire, dc=edu/tp to 
> ldap.hampshire.edu:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=hampshire, dc=edu, with filter 
> (uid=dude)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
>        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=hampshire, dc=edu, with filter 
> (uid=dude)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
>        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
>        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=hampshire, dc=edu, with filter 
> (uid=dude)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>    users: Matched entry DEFAULT at line 219
> ++[files] returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for dude
>        expand: (uid=%{Stripped-User-Name}) -> (uid=dude)
>        expand: dc=hampshire, dc=edu -> dc=hampshire, dc=edu
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=hampshire, dc=edu, with filter 
> (uid=dude)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound
>  Found Post-Auth-Type Reject
> +- entering group REJECT
>        expand: %{User-Name} -> dude at testdomain.edu
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 0 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 0
> Sending Access-Reject of id 118 to 127.0.0.1 port 34022
>        Reply-Message = "Only current faculty, staff or students are 
> allowed to log in."
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 118 with timestamp +2
> Ready to process requests.
>
>
>
> Alan DeKok wrote:
>> Wm. Josiah Erikson wrote:
>>  
>>>        #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
>>>        #  really can't emphasize this enough.
>>>
>>> Uh. OK. That's exactly what I'm doing, and it's working :)     
>>
>>   Then it works.  It's fine.
>>
>>   That message is for the majority of people who force LDAP to be used
>> for authentication, and the wonder why EAP doesn't work.
>>
>>   Remember: LDAP is a database.  It's not an authentication server.
>>
>>  
>>> However, is there a better way to do this that I'm not understanding?
>>> Why shouldn't I set Auth-Type := LDAP ?
>>>     
>>
>>   You probably don't need to set it.  If you simply deleted that from
>> the "users" file, your configuration would probably still work.
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>   
>

-- 
Wm. Josiah Erikson
Computing Support
School of Cognitive Science
Hampshire College
Amherst, MA 01002
(413) 559-6091
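The flow Josiah describes (strip the realm, run files/ldap only when the realm is local, let the trailing DEFAULT entry reject everyone not in an allowed group, and hand every other realm to proxy.conf) can be modelled in a few lines so the ordering rules are visible. The block below is an added illustration, not FreeRADIUS code and not part of the post: the directory contents, the proxy table, the home-server name and the behaviour for bare user names without an "@" are constructed assumptions, and the users file entries are the ones from the post. Calling `authorize()` with `gate_on_realm=False` reproduces the failure shown in the quoted debug output, where a user of a proxied realm was looked up in the local LDAP and rejected.

```python
# Added example: a Python model of the authorize flow from the post
# (realm split -> gate on local realm -> users-file group check -> proxy).
# Not FreeRADIUS code; directory, proxy table and home server are constructed.
from typing import Optional, Tuple

LOCAL_REALM = "localdomain.edu"  # the realm the post's "if (Realm == ...)" gates on

# Constructed stand-in for what the ldap module's groupmembership_filter
# "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name}))" returns in gidNumber.
LDAP_DIRECTORY = {
    "alice": 30,  # student
    "bob": 40,    # staff
    "carol": 50,  # faculty
    "dave": 99,   # valid posixAccount, but not in an allowed group
}

# Constructed stand-in for proxy.conf: realm -> home server (hypothetical host)
PROXY_REALMS = {"testdomain.edu": "radius.testdomain.edu:1812"}

REJECT_MESSAGE = "Only current faculty, staff or students are allowed to log in."

# The users file from the post as ordered (check items, reply items) pairs.
# An empty check dict is a DEFAULT entry with no check items and matches anyone.
# Entries are tried in order and the first match wins (no Fall-Through), which
# is why the unconditional reject has to be the last entry.
USERS_FILE = [
    ({"Ldap-Group": 30}, {}),
    ({"Ldap-Group": 40}, {}),
    ({"Ldap-Group": 50}, {}),
    ({}, {"Auth-Type": "Reject", "Reply-Message": REJECT_MESSAGE}),
]


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Model of the 'suffix' realm module: split user@realm at the last '@'."""
    if "@" not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit("@", 1)
    return stripped, realm.lower()


def ldap_group(stripped_user: str) -> Optional[int]:
    """Model of rlm_ldap's ldap_groupcmp(): gidNumber for the uid, or None."""
    return LDAP_DIRECTORY.get(stripped_user)


def match_users_file(stripped_user: str) -> dict:
    """Reply items of the first users-file entry whose check items all hold."""
    group = ldap_group(stripped_user)
    for check_items, reply_items in USERS_FILE:
        if all(attr == "Ldap-Group" and group == wanted
               for attr, wanted in check_items.items()):
            return reply_items
    return {}  # unreachable while a trailing DEFAULT entry exists


def authorize(user_name: str, gate_on_realm: bool = True) -> dict:
    """Run the modelled authorize section for one Access-Request.

    gate_on_realm=True  -> files/ldap run only for LOCAL_REALM (the post's fix).
    gate_on_realm=False -> files/ldap run for everyone (the quoted debug log).
    """
    user, realm = split_realm(user_name)
    if realm is None:
        realm = LOCAL_REALM  # assumption of this model: bare names are local
    result = {"user": user, "realm": realm}

    if gate_on_realm and realm != LOCAL_REALM:
        # Non-local realm: skip files/ldap entirely and defer to proxy.conf.
        home = PROXY_REALMS.get(realm)
        if home is None:
            return {**result, "action": "reject", "reply_message": "unknown realm"}
        return {**result, "action": "proxy", "home_server": home}

    # Local realm (or ungated config): files consults the LDAP group.
    reply = match_users_file(user)
    if reply.get("Auth-Type") == "Reject":
        return {**result, "action": "reject", "reply_message": reply["Reply-Message"]}
    return {**result, "action": "authenticate-locally", "ldap_group": ldap_group(user)}


if __name__ == "__main__":
    for name in ("alice@localdomain.edu", "dave@localdomain.edu", "dude@testdomain.edu"):
        print(name, "->", authorize(name))
    print("ungated dude@testdomain.edu ->", authorize("dude@testdomain.edu", gate_on_realm=False))
```

Two things the model makes explicit that the config files only imply: the users file is evaluated top to bottom with the first match winning, so moving the reject entry above the group entries would reject everyone; and an unknown realm that has no proxy.conf entry still needs a deliberate outcome (the model rejects it) rather than silently falling through to local lookups.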



