Freeradius 1.X.X and LDAP groups.

Michael March mmarch at gmail.com
Wed Sep 9 08:17:02 CEST 2009


The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm
trying to get authentication working so FreeRadius will authenticate a
user ONLY if they are in a certain LDAP group. In this case that
group is called 'it'.

Where I am at now is if the user is in or out of the 'it' group the
authentication goes through ok (depending if the password is correct,
of course). I would like the authentication to fail if the password is
correct BUT the user is not in a certain ('it') group.

Here are my config snippets:

========= /etc/raddb/users ===========


DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == it
        Service-Type = Administrative-User


========= /etc/raddb/radiusd.conf ===========

      ldap {
                server = "192.168.150.140"
                identity = "uid=admin,ou=People,dc=acme,dc=com"
                password = "BadPass"
                basedn = "dc=acme,dc=com"
                filter = "(uid=%u)"
                # base_filter = "(objectclass=radiusprofile)"

                start_tls = no

                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                access_attr = uid

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                groupname_attribute = cn
                groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                groupmembership_attribute = it
                timeout = 4
                timelimit = 3
                net_timeout = 1
                compare_check_items = yes
                # do_xlat = yes
                access_attr_used_for_allow = yes
        }


====== Output when user is OUT of the 'it' group ======

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=213, length=59
    User-Name = "vpntest"
    User-Password = "ChangeMeToo"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1
    users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=acme,dc=com'
radius_xlat:  '(uid=vpntest)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter
(&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in uid=vpntest,ou=People,dc=acme,dc=com,
with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 1
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo"
rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com
rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1
rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to
192.168.150.140:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user vpntest authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 1
modcall: leaving group LDAP (returns ok) for request 1
Sending Access-Accept of id 213 to 127.0.0.1 port 32770
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 213 with timestamp 4aa7438c
Nothing to do.  Sleeping until we see a request.



====== Output when user is IN the 'it' group ======

rad_recv: Access-Request packet from host 127.0.0.1:32770, id=220, length=59
    User-Name = "vpntest"
    User-Password = "ChangeMeToo"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 10
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "vpntest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 2
    users: Matched entry DEFAULT at line 152
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'dc=acme,dc=com'
radius_xlat:  '(uid=vpntest)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter (uid=vpntest)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=acme,dc=com, with filter
(&(cn=it)(&(objectClass=GroupOfNames)(member=uid\3dvpntest\2cou\3dPeople\2cdc\3dacme\2cdc\3dcom)))
rlm_ldap::ldap_groupcmp: User found in group it
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 155
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group LDAP for request 2
rlm_ldap: - authenticate
rlm_ldap: login attempt by "vpntest" with password "ChangeMeToo"
rlm_ldap: user DN: uid=vpntest,ou=People,dc=acme,dc=com
rlm_ldap: (re)connect to 192.168.150.140:389, authentication 1
rlm_ldap: bind as uid=vpntest,ou=People,dc=acme,dc=com/ChangeMeToo to
192.168.150.140:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: user vpntest authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok for request 2
modcall: leaving group LDAP (returns ok) for request 2
Sending Access-Accept of id 220 to 127.0.0.1 port 32770
    Service-Type = Administrative-User
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 220 with timestamp 4aa743f8
Nothing to do.  Sleeping until we see a request.
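The two debug traces above differ only in whether the second DEFAULT entry matches; both requests still end in Access-Accept because Auth-Type = LDAP has already been set by the first entry before the group check is ever consulted. The following is an added example, not code from the post or from the FreeRADIUS project: a small Python model of how the `users` file entries are evaluated (check items must all match, Auth-Type is set as a check item, reply items are added, processing stops unless Fall-Through = 1). It replays the two entries exactly as posted, and then a second, group-gated layout (my assumption, a commonly used pattern: the LDAP-Group check and Auth-Type on the same line, followed by a catch-all DEFAULT Auth-Type := Reject) to show how the non-member would be rejected in the authorize stage. The group membership table, the user name `itadmin` and the `in_group` function are constructed stand-ins for the LDAP group search seen in the log; the LDAP bind is assumed to succeed, as it does in both traces.

```python
"""Model of FreeRADIUS 1.x users-file evaluation (added example, not project code).

Simplified rlm_files semantics modelled here:
  * every check item of an entry must match for the entry to apply;
  * Auth-Type is a check item that is SET on the request when the entry
    applies ('=' only if not already set, ':=' always overwrites);
  * LDAP-Group == <name> is a check item answered by rlm_ldap's group compare;
  * on a match the reply items are added and processing stops unless the
    entry carries Fall-Through = 1.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

GroupLookup = Callable[[str, str], bool]  # (username, groupname) -> is member?


@dataclass
class Entry:
    """One DEFAULT entry: check items on the first line, reply items below."""
    check: List[Tuple[str, str, str]]           # (attribute, operator, value)
    reply: Dict[str, str] = field(default_factory=dict)
    fall_through: bool = False                  # Fall-Through = 1


# --- the two entries exactly as posted in /etc/raddb/users ----------------
POSTED_USERS = [
    Entry(check=[("Auth-Type", "=", "LDAP")], fall_through=True),
    Entry(check=[("LDAP-Group", "==", "it")],
          reply={"Service-Type": "Administrative-User"}),
]

# --- a group-gated layout (assumption, not from the post) ------------------
#   DEFAULT LDAP-Group == it, Auth-Type := LDAP
#           Service-Type = Administrative-User
#   DEFAULT Auth-Type := Reject
GROUP_GATED_USERS = [
    Entry(check=[("LDAP-Group", "==", "it"), ("Auth-Type", ":=", "LDAP")],
          reply={"Service-Type": "Administrative-User"}),
    Entry(check=[("Auth-Type", ":=", "Reject")]),
]

# Constructed membership table standing in for the LDAP groupOfNames search.
CONSTRUCTED_GROUPS = {"it": {"itadmin"}}


def in_group(username: str, groupname: str) -> bool:
    """Stand-in for rlm_ldap's ldap_groupcmp(): is username a member of groupname?"""
    return username in CONSTRUCTED_GROUPS.get(groupname, set())


def entry_matches(entry: Entry, username: str, control: Dict[str, str],
                  lookup: GroupLookup) -> bool:
    """Return True if all check items match; only then apply Auth-Type to control."""
    pending: List[Tuple[str, str, str]] = []
    for attr, op, value in entry.check:
        if attr == "LDAP-Group":
            if op != "==" or not lookup(username, value):
                return False
        elif attr == "Auth-Type":
            pending.append((attr, op, value))   # applied only if the entry matches
        else:
            raise ValueError(f"unsupported check item: {attr}")
    for attr, op, value in pending:
        if op == ":=" or attr not in control:
            control[attr] = value
    return True


def evaluate_users(entries: List[Entry], username: str,
                   lookup: GroupLookup = in_group) -> Tuple[Optional[str], Dict[str, str]]:
    """Walk the entries top to bottom; return (Auth-Type, reply items)."""
    control: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for entry in entries:
        if entry_matches(entry, username, control, lookup):
            reply.update(entry.reply)
            if not entry.fall_through:
                break
    return control.get("Auth-Type"), reply


def decide(entries: List[Entry], username: str, bind_ok: bool = True,
           lookup: GroupLookup = in_group) -> Tuple[str, Dict[str, str]]:
    """authorize + authenticate: Reject short-circuits, LDAP means 'try the bind'."""
    auth_type, reply = evaluate_users(entries, username, lookup)
    if auth_type == "LDAP" and bind_ok:
        return "Access-Accept", reply
    return "Access-Reject", reply


if __name__ == "__main__":
    for label, entries in (("posted", POSTED_USERS), ("group-gated", GROUP_GATED_USERS)):
        for user in ("vpntest", "itadmin"):
            print(label, user, decide(entries, user))
```

Running the block prints the posted layout accepting both `vpntest` (outside the group, no Service-Type) and `itadmin` (inside, with Service-Type), which is what the two traces show, while the group-gated layout rejects `vpntest` before any bind is attempted.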