radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]

Riccardo Veraldi Riccardo.Veraldi at cnaf.infn.it
Fri May 23 16:29:42 CEST 2008


I tried to set

access_attr = "uid"
access_attr_used_for_allow = yes


but authentication is still successful using EAP-TLS even if the user is not 
in the LDAP directory.

any hints ?

thanks

Rick



Riccardo Veraldi wrote:
> OK, changing the LDAP filter, everything seems to work and I am authorized.
>
> But if the user is not found in LDAP it is authorized anyway and 
> authenticated at the end:
>
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
>
> Login OK: [Riccardo.Veraldi at city.myorg.it] (from client ciscoap3 port 
> 273 cli 001e.5271.e700)
>
> I would like the login to fail.
> Basically I want to check against the certificate subject and allow or not 
> allow users to get access to WiFi.
>
> How can I configure FreeRADIUS to drop users not recognized in LDAP?
>
> thanks
>
> Rick
>
> Ranner, Frank MR wrote:
>> UNCLASSIFIED
>>
>>  
>>> -----Original Message-----
>>> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
>>> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On
>>> Behalf Of Riccardo Veraldi
>>> Sent: Friday, 23 May 2008 16:43
>>> To: FreeRadius users mailing list
>>> Subject: Re: radius x509 authentication + LDAP ?
>>>
>>>
>>> I have this problem.
>>>
>>> if I authenticate with EAP-TLS (I am using Mac OS X 10.5 as supplicant)
>>>
>>> my email address is extracted in some way as the user name.
>>> The uid is recognized as the part before the "@", so my real 
>>> username in LDAP (which is different)
>>> is not recognized as a valid user.
>>>
>>> Nevertheless I am authenticated anyway.
>>>
>>> So I have a double problem:
>>>
>>> 1) How to check against LDAP correctly, thus extracting my correct 
>>> username from the email address
>>> upon the RADIUS authorization request to LDAP.
>>>
>>> 2) If a user is not found, how to drop it, preventing RADIUS 
>>> authorization from taking place.
>>>
>>> rlm_ldap: performing user authorization for Riccardo.Veraldi
>>> radius_xlat:  '(uid=Riccardo.Veraldi)'
>>> radius_xlat:  'ou=people,o=city,o=myorg,c=it'
>>> rlm_ldap: ldap_get_conn: Checking Id: 0
>>>     
>>
>> Does the string Riccardo.Veraldi exist in another attribute, like CN or
>> Mail?
>>
>> If so change your filter:
>>
>> filter = "(|(cn=%{User-Name})(uid=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
>>
>> Provided that the record is located, radius will use the dn of the
>> record to authenticate.
>>
>> I don't know why failed LDAP lookups aren't rejecting the request. Maybe
>> you don't have an ldap block in the authenticate section.
>>
>> Regards,
>> Frank Ranner
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>   
>
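Added example, not part of the thread and not FreeRADIUS' shipped configuration: a FreeRADIUS 2.x configuration that does what Riccardo asks for, i.e. looks the EAP-TLS identity up in LDAP with a filter along the lines of Frank's and rejects the request when no entry is found. The behaviour the thread describes follows from the module return codes: rlm_ldap returns "notfound" when the search matches no entry, and in the authorize section notfound does not stop processing, so the Auth-Type EAP already set by the eap module goes ahead and the TLS handshake succeeds on the certificate alone. An ldap entry in the authenticate section would not change that for EAP-TLS, since Auth-Type is EAP rather than LDAP. The LDAP server name, bind DN, bind password and certificate paths below are placeholders; the basedn and the mail domain are the ones visible in the thread's debug output.

```text
# modules/ldap  --  rlm_ldap instance (FreeRADIUS 2.x syntax)
# server/identity/password are placeholders; basedn and the mail domain
# are taken from the debug output quoted in the thread.
ldap {
        server = "ldap.city.myorg.it"
        identity = "cn=radius,o=city,o=myorg,c=it"
        password = "changeme"
        basedn = "ou=people,o=city,o=myorg,c=it"

        # For EAP-TLS, User-Name is the EAP identity the supplicant sent,
        # here the e-mail address or its local part, so match uid as well
        # as the mail attribute in both spellings.
        filter = "(|(uid=%{User-Name})(mail=%{User-Name})(mail=%{User-Name}@city.myorg.it))"
}

# sites-enabled/default, authorize section (only the relevant entries)
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        files

        # rlm_ldap returns "notfound" when the filter matches no entry.
        # By default notfound lets processing continue, and Auth-Type EAP
        # (set by the eap module above) still authenticates the certificate.
        # Turning notfound into reject stops unknown identities here.
        ldap
        if (notfound) {
                reject
        }
}

# eap.conf, tls section: additionally require the certificate CN to equal
# the EAP identity (assumes the CN is the same string the supplicant sends
# as its identity; paths are placeholders).
eap {
        default_eap_type = tls
        tls {
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                check_cert_cn = %{User-Name}
        }
}
```

With this in place, running radiusd -X and authenticating with an identity that has no LDAP entry should show the rlm_ldap "object not found" lines followed by the reject from the if block, instead of the "Login OK" line quoted above. Note that access_attr and access_attr_used_for_allow only affect entries that were actually found, which is why setting them did not change the outcome for an unknown identity.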
