freeradius + ldap

Ana Gallardo ana.gallardo.77 at gmail.com
Thu Dec 2 14:37:43 CET 2010 

Hello again. Ok, now I can authenticate an user using LDAP.

I'm using freeradius 2.1.10 and I want to use ldap like a backend in
> authorize section to take userPassword attribute (unix crypt) to
> authenticate the user.
>
My problem is: the ldap server don't have public key that an admin user (who
> bind) can take. So I have to bind in the authorize section with the user and
> password (clear text) in the request.
>
Is this posible?
>

I have read that this is not ok

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg49993.html


> What are my posibilities?
>

I think that what I can do is:
- in authorize section bind like anonymous user and take the public
attributes that I need to authorize the user.
- in authenticate section bind like the user who want to access

The configuration that work:


LDAP MODULE

ldap ldapPerson{
   server = "xxx"
   basedn = "ou=people,dc=unex,dc=es"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
   ldap_connections_number = 5
   timeout = 4
   timelimit = 3
   net_timeout = 1
   tls {
      start_tls = no
   }
   dictionary_mapping = ${confdir}/ldapPerson.attrmap
   edir_account_policy_check = no
   set_auth_type = yes
}

SERVER

server test{

authorize {
  suffix
  files
  ldapPerson
  expiration
  update control {
     Auth-Type := "LDAP"
  }
}

authenticate {
  Auth-Type LDAP {
    ldapPerson
  }
}

}

DEBUG


rad_recv: Access-Request packet from host x.x.x.x port 48259, id=145,
length=58
    User-Name = "aigallardo at unex.es"
    User-Password = "xxxx"
server test {
# Executing section authorize from file /etc/freeradius/sites-enabled/test
+- entering group authorize {...}
[suffix] Looking up realm "unex.es" for User-Name = "aigallardo at unex.es"
[suffix] Found realm "unex.es"
[suffix] Adding Stripped-User-Name = "aigallardo"
[suffix] Adding Realm = "unex.es"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[files] users: Matched entry DEFAULT at line 33
++[files] returns ok
[ldapPerson] performing user authorization for aigallardo
[ldapPerson]     expand: %{Stripped-User-Name} -> aigallardo
[ldapPerson]     expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=aigallardo)
[ldapPerson]     expand: ou=people,dc=unex,dc=es -> ou=people,dc=unex,dc=es
  [ldapPerson] ldap_get_conn: Checking Id: 0
  [ldapPerson] ldap_get_conn: Got Id: 0
  [ldapPerson] attempting LDAP reconnection
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 0
  [ldapPerson] bind as / to x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
  [ldapPerson] performing search in ou=people,dc=unex,dc=es, with filter
(uid=aigallardo)
[ldapPerson] No default NMAS login sequence
[ldapPerson] looking for check items in directory...
[ldapPerson] looking for reply items in directory...
  [ldapPerson] gecos -> Nombre-Completo = "Ana-Isabel Gallardo Gomez..."
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldapPerson] user aigallardo authorized to use remote access
  [ldapPerson] ldap_release_conn: Release Id: 0
++[ldapPerson] returns ok
++[expiration] returns noop
++[control] returns noop
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/test
+- entering group LDAP {...}
[ldapPerson] login attempt by "aigallardo" with password "xxxx"
[ldapPerson] user DN: uid=aigallardo,ou=People,dc=unex,dc=es
  [ldapPerson] (re)connect to x.x.x.x:389, authentication 1
  [ldapPerson] bind as uid=aigallardo,ou=People,dc=unex,dc=es/xxxxx to
x.x.x.x:389
  [ldapPerson] waiting for bind result ...
  [ldapPerson] Bind was successful
[ldapPerson] user aigallardo authenticated succesfully
++[ldapPerson] returns ok
} # server test
Sending Access-Accept of id 145 to x.x.x.x port 48259
    Nombre-Completo = "Ana-Isabel Gallardo Gomez..."


I don't know if this is the best way to solve my problem, I someone have
something better, I would like to know.

Thank you very much and sorry for my english.



++ Ana Gallardo Gómez ++
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20101202/2028cd31/attachment.html>

More information about the Freeradius-Users mailing list