Help with LDAP groupOfNames?

Jason Antman jason at jasonantman.com
Tue Apr 7 21:44:26 CEST 2009


Sorry to re-post, but I'm still banging my head against the wall with
this... If anyone could help, or provide a pointer to something that
(obviously) I'm missing, it would be greatly appreciated.

Hi,

I've googled this to no avail (have been working on it for about 4 hours
now). I'm running FreeRADIUS 1.1.0 (SuSE package) and OpenLDAP 2.3.19. I
have an access point that will do captive portal, but only via RADIUS,
not via LDAP natively. I already have an LDAP server running, so I just
added a new groupOfNames called "WirelessUsers".

Basically, *all* I want RADIUS to do is check the username and password,
and assuming they are correct, either allow or deny based on whether the
user is a member of "WirelessUsers". According to radtest, I have it
working with LDAP, but it allows everyone with a valid username and
password access, regardless of the WirelessUsers group - and I'm not
seeing anything related to that group in the LDAP logs.

I can't seem to find anything online for freeradius1 relating to
groupOfNames, so I've just been trying random things that I found online
(for raddb/users) hoping one would work.

radiusd.conf:

        ldap {
                server = "127.0.0.1"
                basedn = "dc=example,dc=com"
                filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"

                start_tls = no

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                password_attribute = userPassword

                groupname_attribute = cn
                groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
                groupmembership_attribute = "memberof"
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }

users:
#DEFAULT Auth-Type == LDAP
#       Fall-Through = Yes
DEFAULT LDAP-Group == "WirelessUsers"
        Auth-Type := Reject

#DEFAULT Ldap-Group != "WirelessUsers", Auth-Type := Reject
#    Reply-Message = "Sorry, your account has not yet been enabled for wireless access."

#DEFAULT Huntgroup-Name == "wirelessusers", Ldap-Group=="WirelessUsers",  Auth-Type = LDAP
#DEFAULT  Auth-Type := Reject


#DEFAULT Ldap-Group == "WirelessUsers"
#      Fall-Through = no

DEFAULT Ldap-Group == WirelessUsers
        Fall-Through  = no

DEFAULT Auth-Type := Reject

I've tried all of the commented out stuff also, and none of it worked.
All I want is (assuming username & password are correct) allow anyone
who is in "WirelessUsers" group, deny everyone else.

I'm sure this is horribly simple, but I just can't seem to figure it out
from the docs or from extensive googling.

Thanks for any help,
Jason Antman
