2.0.5 - complex multi-ldap server, multi-branch authentication/authorization needed

Paul, Craig Allen paul at ku.edu
Fri Nov 14 20:35:06 CET 2008


We seek to take advantage of FreeRadius 2.0.5's ability to run multiple
virtual servers.
All our other servers are working except one, which has a complex
authentication setup.
 
As a stand-alone configuration this looks as follows:
 
################################################################
## MODULES CONFIGURATION                                      ##
################################################################
 
modules {
        ldap dirnet{
                # NOTE(review): port 389 with no TLS settings shown — unless
                # StartTLS/ldaps is enabled elsewhere in this instance, the bind
                # password below and each user's password crosses the network in
                # cleartext.
                server = "directory.sub.main.com"
                port = 389
                identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
                # Bind credential (redacted for the list); the real file should
                # be readable only by the account radiusd runs as.
                password = xxxxxx
                basedn = "ou=network,dc=main,dc=com"
                # The user-supplied name is expanded into the search filter;
                # rlm_ldap is expected to escape LDAP filter metacharacters in
                # the expansion — confirm that for the version in use.
                filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
"
.
.
.
                # The trailing "*" makes this a prefix match on the member DN:
                # a member "uid=bob,..." and "uid=bobby,..." both match uid=bob*.
                # Anchoring on the RDN (uid=...,*) would avoid that — confirm
                # which is intended.
                groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Nam
e:-%{User-Name}}*))
.
.
           }
 
        ldap dirnode{
                # NOTE(review): same cleartext caveat as dirnet — plain port 389
                # unless TLS is configured elsewhere in this instance.
                server = "directory.main.com"
                port = 389
                identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"
                password = yyyyyyyyyyy
                basedn = "dc=main,dc=com"
                filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
"
                # Group membership is derived from the user's own
                # eduPersonEntitlement values (see the two attributes below).
                # "(uid=...*)" is again a prefix match rather than an exact one.
                groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-Us
er-Name:-%{User-Name}}*))
                groupmembership_attribute = eduPersonEntitlement
                groupname_attribute = eduPersonEntitlement
                # NOTE(review): every entry matched by the filter above has a uid,
                # so this attribute presumably does not gate access at all —
                # confirm it is a placeholder and not meant to deny anyone.
                access_attr = uid
.
.
.
        }
 
server {
# (The closing brace of this server block is not part of the excerpt.)
authenticate {
        ## Use LDAP Authentication
        # Each directory has its own Auth-Type. The users file selects one per
        # request with "Auth-Type := DIRNET" / "Auth-Type := DIRNODE", so a
        # given request is only ever authenticated against one instance.
        Auth-Type DIRNODE {
               dirnode
        }
        Auth-Type DIRNET {
                dirnet
        }
 
}
 
authorize {
        ## Use LDAP Authorization via files config in 'users'
        # 'files' must run here: it is what applies the users-file entries
        # (group checks, Class reply items and the Auth-Type assignment).
        files
}
 
And the users file looks like
 

# Entries are evaluated in order; "Fall-Through = no" stops at the first
# matching entry, so the final REJECT only applies when nothing above matched.
# Guest/vendor users: membership in the dirnet group selects DIRNET auth.
DEFAULT dirnet-Ldap-Group ==
"cn=AuthorizedGuestVendorMAINAnywhereUsers,ou=IT,ou=groups,ou=network,dc
=main,dc=com", Auth-Type := DIRNET
# NOTE(review): the Class lookup keys on %{User-Name}, whereas the ldap
# filters key on Stripped-User-Name (falling back to User-Name); if a realm is
# stripped the two names differ — confirm the lookup uses the intended one.
        Class =
"%{dirnet:ldap:///ou=authaccounts,ou=network,dc=main,dc=com?eduPersonEnt
itlement?sub?uid=%{User-Name}",   
        Fall-Through = no
 
# VPN phones: a second dirnet group, with a fixed Class value.
DEFAULT dirnet-Ldap-Group ==
"cn=VPNPHONES,ou=IT,ou=groups,ou=network,dc=main,dc=com", Auth-Type :=
DIRNET
        Class = "urn:mace:main.com:RINGS:group:main_anywhere:vpnphone",
        Fall-Through = no
 
# Everyone else: ":=" here is an assignment, not a comparison, so this entry
# presumably matches any user the two group entries did not and sends them to
# DIRNODE — confirm, since that would make the REJECT below a rarely-reached
# safety net rather than the normal "no such user" path.
DEFAULT User-Profile :=
"uid=%{Stripped-User-Name:-%{User-Name}},ou=authaccounts,dc=main,dc=com"
, Auth-Type := DIRNODE
        Class =
"%{dirnode:ldap:///ou=authaccounts,dc=main,dc=com?eduPersonEntitlement?s
ub?uid=%{User-Name}",
        Fall-Through = no
 
# Catch-all: deny anything not claimed above.
DEFAULT Auth-Type := REJECT
        Reply-Message = "User Login Rejected"
 
--------------------------
 
I've gotten as far as:
 
modules {
## LDAP Server configuration
# NOTE(review): this is an empty ldap instance named "ldap". The dirnet and
# dirnode instances live in the modules/ldap file, so this block configures
# nothing usable — confirm it is intended and not a leftover.
ldap {
}
        ## LDAP User-to-Group mapping
        # This instance (and its usersfile) is only consulted if "files" is
        # actually listed in the authorize section of this virtual server.
        files {
                usersfile = ${confdir}/guest_vendor_mainanywhere_users
                acctusersfile = /dev/null
                preproxy_usersfile = /dev/null
                compat = no
        }
}
authenticate {
        ## Use LDAP Authentication  (entry in modules/ldap)
        # NOTE(review): both sub-sections are named "Auth-Type LDAP", so a
        # request with Auth-Type = LDAP can only ever be dispatched to one of
        # them (presumably the first, i.e. dirnode). The stand-alone config
        # used distinct names, DIRNODE and DIRNET, which the users file selects
        # with "Auth-Type := DIRNODE" / "Auth-Type := DIRNET"; keeping those
        # names here is what lets dirnet be reached at all.
        Auth-Type LDAP {
                dirnode
        }
        Auth-Type LDAP {
                dirnet
        }
}
 
authorize {
        ## Use LDAP Authorization via files config in 'users' (entry in
modules/
ldap)
        # NOTE(review): the "files" instance configured in modules is not
        # called here, so the users file (and its Auth-Type assignments and
        # group checks) never runs for this virtual server.
        # The two instances are asked in order; whether dirnet runs after
        # dirnode depends on dirnode's return code for a user it does not
        # know, so a user who exists only in dirnet may never be looked up
        # there — confirm with a debug run.
        dirnode
        dirnet
}
 
and the ldap file entries as
 
ldap dirnet {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        #
        # NOTE(review): port 389 with no TLS settings shown — unless
        # StartTLS/ldaps is enabled elsewhere in this instance, the bind
        # password below and each user's password crosses the network in
        # cleartext.
                server = "directory.sub.main.com"
                port = 389
                identity =
"cn=acsAgent,ou=agents,ou=network,dc=main,dc=com"
                # Bind credential (redacted for the list); keep the real file
                # readable only by the account radiusd runs as.
                password = xxxxxx 
                basedn = "ou=network,dc=main,dc=com"
                # The user-supplied name is expanded into the search filter;
                # rlm_ldap is expected to escape LDAP filter metacharacters in
                # the expansion — confirm that for the version in use.
                filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
"
.
.
.
                # The trailing "*" makes this a prefix match on the member DN:
                # "uid=bob,..." and "uid=bobby,..." both match uid=bob*.
                # Anchoring on the RDN (uid=...,*) would avoid that — confirm
                # which is intended.
                groupmembership_filter =
"(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=%{Stripped-User-Nam
e:-%{User-Name}}*))
.
.
           }
 
ldap dirnode{
 
                # NOTE(review): plain port 389 — unless TLS is configured
                # elsewhere in this instance, bind and user passwords are sent
                # in cleartext.
                server = "directory.main.com"
                port = 389
                identity = "cn=wireless-agent,ou=agents,ou=Academic
Computing,ou=units,dc=main,dc=com"
                # Bind credential (redacted for the list).
                password = yyyyyyyyyyy
                basedn = "dc=main,dc=com"
                # User-supplied name expanded into the filter; rlm_ldap is
                # expected to escape filter metacharacters here — confirm for
                # the version in use.
                filter =
"(&(objectclass=kuAuthAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
"
                # Group membership is derived from the user's own
                # eduPersonEntitlement values (see the two attributes below).
                # "(uid=...*)" is a prefix match rather than an exact one.
                groupmembership_filter =
"(&(objectClass=kuAuthAccount)(eduPersonEntitlement=*)(uid=%{Stripped-Us
er-Name:-%{User-Name}}*))
                groupmembership_attribute = eduPersonEntitlement
                groupname_attribute = eduPersonEntitlement
                # NOTE(review): every entry matched by the filter above has a
                # uid, so this attribute presumably does not gate access —
                # confirm it is a placeholder and not meant to deny anyone.
                access_attr = uid 
.
.
.
        }
 
with the users file intact
 
Any suggestions on how to configure this, especially the "authorize"
section, so that both dirnode and dirnet are tried would be welcome.
(As it is now, dirnode auth works, but dirnet doesn't.)
 
Thank you!
 