radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
Riccardo Veraldi
Riccardo.Veraldi at cnaf.infn.it
Fri May 23 11:51:21 CEST 2008
OK, changing the LDAP filter everything seems to work and I am authorized.
But if the user is not found in LDAP, it is authorized anyway and
authenticated at the end:
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
Login OK: [Riccardo.Veraldi at city.myorg.it] (from client ciscoap3 port
273 cli 001e.5271.e700)
I would like the login to fail.
Basically I want to check against the certificate subject and allow or not
allow users to get access to WiFi.
How can I configure FreeRADIUS to drop users not recognized inside LDAP?
thanks
Rick
Ranner, Frank MR wrote:
> UNCLASSIFIED
>
>
>> -----Original Message-----
>> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
>> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
>> On Behalf Of Riccardo Veraldi
>> Sent: Friday, 23 May 2008 16:43
>> To: FreeRadius users mailing list
>> Subject: Re: radius x509 authentication + LDAP ?
>>
>>
>> I have this problem.
>>
>> if I authenticate with EAP-TLS (I am using Mac OS X 10.5 as
>> supplicant)
>>
>> my email address is extracted in some way as the user name.
>> the uid is recognized as the part before the "@" so my real
>> username in
>> LDAP (which is different)
>> is not recognized as a valid user.
>>
>> Nevertheless I am authenticated anyway.
>>
>> So I have a double problem
>>
>> 1) How to check against LDAP correctly, thus extracting my correct
>> username from email address
>> upon radius authorization request to ldap.
>>
>> 2) if a user is not found how to drop it, avoiding radius
>> authorization
>> to take place
>>
>> rlm_ldap: performing user authorization for Riccardo.Veraldi
>> radius_xlat: '(uid=Riccardo.Veraldi)'
>> radius_xlat: 'ou=people,o=city,o=myorg,c=it'
>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>
>
> Does the string Riccardo.Veraldi exist in another attribute, like CN or
> Mail?
>
> If so change your filter:
>
> filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
>
> Provided that the record is located, radius will use the dn of the
> record to authenticate.
>
> I don't know why failed ldap lookups aren't rejecting the request. Maybe
> you don't have an ldap block in the authenticate section.
>
> Regards,
> Frank Ranner
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
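As an added example (not Riccardo's or Frank's own configuration), here is how the two fixes discussed in the thread look in FreeRADIUS 2.x: Frank's wider filter in the ldap module, and an unlang check in authorize that rejects when that lookup returns notfound instead of letting EAP-TLS finish. The LDAP server name is a placeholder; the base DN and attributes are the ones visible in the thread's log.

```unlang
# Added example for FreeRADIUS 2.x (the thread's era); NOT Riccardo's or
# Frank's real configuration. Values marked "placeholder" are made up.

# --- modules/ldap: Frank's wider filter, so a login name that is actually
#     a cn or a mail address still resolves to exactly one LDAP record ---
ldap {
    server = "ldap.placeholder.invalid"   # placeholder, not from the thread
    basedn = "ou=people,o=city,o=myorg,c=it"
    # If the "suffix" module strips the realm first (the log shows
    # '(uid=Riccardo.Veraldi)'), use %{Stripped-User-Name:-%{User-Name}} here.
    filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
}

# --- sites-enabled/default, BEFORE: a "notfound" from ldap is only logged;
#     the request carries on to EAP and an unknown user still gets Login OK ---
authorize {
    preprocess
    suffix
    ldap
    eap
}

# --- AFTER: fail closed when the user is missing or LDAP is unreachable ---
authorize {
    preprocess
    suffix
    ldap
    if (notfound || fail) {
        reject
    }
    eap
}

# --- eap.conf: additionally require the certificate CN to equal the login
#     name, so a certificate cannot be presented under someone else's name ---
eap {
    default_eap_type = tls
    tls {
        # certificate_file, private_key_file, CA_file etc. as already set
        check_cert_cn = %{User-Name}
    }
}
```

Because EAP-TLS takes several round trips, the ldap lookup runs on every Access-Request of the handshake; the reject fires on the first one, before any TLS exchange.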