OpenDirectory VLAN Assignment by Group
Theparanoidone Theparanoidone
theparanoidone at yahoo.com
Tue Aug 21 11:07:39 CEST 2012
Hi Alan~
>> You already said you are now running 2.1.12. Why are you repeating yourself? Do you think we're stupid, and we don't understand your messages? What version WERE you using before this? I asked, and you didn't say that.
Current: radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, built on Jun 20 2012 at 16:50:26 (Mountain Lion)
Previous: radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, built on Apr 11 2011 at 17:19:07 (Snow Leopard)
> DEFAULT Group-Name == "testgroup"
>
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
> Tunnel-Private-Group-Id = "101",
> Fall-Through = no
> You do realize that format is incorrect, right? The extra blank line is wrong.
Do to email pasting mistake. Actual config does not have blank line.
> You already said that. Why are you repeating yourself? I didn't ask for this debug output. I didn't suggest you were lying about it. You already said REPEATEDLY that "it works with User-Name". Maybe you think it's helpful to repeat yourself, and post enough useless output? The problem here is NOT that something changed. The problem is that YOU are REFUSING to find out what changed. YOU are REFUSING to use simple debugging methods to track down what changed.
Only tried to re-state the issue more clearly as I assumed my explanation was unclear. I have no doubt that this forum knows far more about freeradius than I do.
I realize the explanation "nothing changed / it doesn't work" get's old... but I don't know what to tell you. I'm assuming that the Group-Name field is not being set anymore via the OpenDirectory module included in Apple's latest freeradius deployment? maybe so, maybe not? (I don't know)
In the meantime... assuming the group is no longer passed back via OpenDirectory... I've attempted to perform an LDAP query via the authorize section /etc/raddb/sites-enabled/default to help retrieve the Group-Name.
I have now made the following modifications:
####################
/etc/raddb/sites-enabled/default
####################
authorize {
...
# uncomment ldap
ldap
...
}
####################
/etc/raddb/modules/ldap
####################
ldap {
...
server = "myserver.mydomain.com"
basedn = "dc=myserver,dc=mydomain,dc=com"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=posixAccount)"
...
groupname_attribute = cn
groupmembership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
...
ldap_debug = 0x0028
...
}
####################
/etc/raddb/users
####################
...
DEFAULT Ldap-Group == "testgroup"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = "101",
Fall-Through = no
DEFAULT Ldap-Group == "testgroup2"
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = "102",
Fall-Through = no
Preliminary testing of the above appears to work. The server appears to allow authentication via OpenDirectory, and group VLAN tagging via LDAP queries to OpenDirectory for group membership tracking. I will continue to test.
I realize that the Apple platform for freeradius probably represents a minority user base. My hope is that anyone else encountering a similar issue may be helped by these posts. We have found that Apple's default OpenDirectory/OpenLDAP attribute mappings for memberUid (and etc) are slightly different than other linux distributions (so perhaps someone else can benefit from the rough draft above).
Feedback and questions are welcome if any of the above configurations look blatantly wrong or could be made better. I appreciate the help and patience.
More information about the Freeradius-Users
mailing list