Groups in active directory and checks in MySQL

Atomikramp atomikramp at email.it
Fri Aug 23 18:00:39 CEST 2013


Hello everyone,


I know this might be considered a bizarre situation, but I was just
wondering whether it is possible to do such a thing.


 


I am currently able to retrieve the group membership of users in the
Active Directory LDAP tree using rlm_ldap, and to check it with the
files module.


 


So if I have a user whose "memberOf" attribute is set to groupA


and I put the following entry in raddb/users:


 


DEFAULT Ldap-Group == "groupA", Auth-Type := Reject


Reply-Message = "Not Allowed."


 


I successfully deny access to that user.


 


Since I am already using MySQL to store accounting information, I am very
interested in using the same backend (MySQL) to perform the group checks
as well.


 


Checks against usernames in the radcheck table work properly (for users
retrieved from the LDAP backend). For example, I have tried a radcheck
entry like the following:


userA Max-Daily-Session := 7200


 


and after 2 hours the user can no longer authenticate to the NAS because
the allowed time has expired.


 


 


But I cannot seem to do the same thing with groups.


 


I have configured sites-enabled/default like this:


 


authorize {
        preprocess
        # auth_log: logs incoming Access-Requests (its definition lives in
        # modules/, which is not shown here).
        auth_log
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        # Modules run in the order listed, so check items from the users
        # file ("files") are applied before those from ldap and sql.
        # NOTE(review): sql reads radcheck and the group tables named in
        # sql.conf; whether a group learned from LDAP is visible to the sql
        # group lookup depends on the group query in sql/mysql/dialup.conf,
        # which is not shown - confirm there.
        files
        ldap
        sql
        expiration
        logintime
        pap
        # dailycounter comes from sql/mysql/counter.conf (see radiusd.conf).
        dailycounter
}


 


authenticate {
        # Each Auth-Type sub-section runs only when authorize set that
        # Auth-Type; the bare modules (digest, unix, eap) are reached by
        # their own Auth-Type values.
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        # LDAP bind authentication is only used when Auth-Type is LDAP.
        Auth-Type LDAP {
                ldap
        }
        eap
}


 


preacct {
        # Pre-processing of accounting packets before they are stored.
        preprocess
        # acct_unique adds a unique session identifier used by the radacct
        # table.
        acct_unique
        suffix
        files
}


 


accounting {
        # Accounting is written both to the detail file and to SQL
        # (acct_table1/acct_table2 = radacct in sql.conf).
        detail
        sql
}


 


session {
        # Simultaneous-Use checks are answered from the radutmp file only;
        # sql is not listed here.
        radutmp
}


 


 


post-auth {
        ldap
        exec
        Post-Auth-Type REJECT {
                # log failed authentications in SQL, too.
                # NOTE(review): the comment above mentions SQL, but no sql
                # module is listed in this block or in post-auth itself, so
                # the postauth_table (radpostauth) configured in sql.conf
                # is not populated by this virtual server. Adding `sql`
                # here (and above, for accepts) restores that audit trail.
                attr_filter.access_reject
        }
}


 


pre-proxy {
        # Intentionally empty: no processing before a request is proxied.
}


 


post-proxy {
        # Only EAP post-processing of proxied replies.
        eap
}


 


radiusd.conf like this:


# Installation paths; the remaining path settings are derived from these.
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct
name = freeradius
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/${name}.pid
# The daemon drops to this unprivileged account after start-up; the
# configuration files (including the SQL password in sql.conf) must be
# readable by it and should be readable by nobody else.
user = freerad
group = freerad
# Request handling limits (seconds / count).
max_request_time = 30
cleanup_delay = 5
max_requests = 1024


 


# Authentication listener. ipaddr = * binds every interface, so exposure
# is controlled only by clients.conf and any host firewall; port = 0
# selects the protocol's default port.
listen {
        type = auth
        ipaddr = *
        port = 0
}


 


# Accounting listener, likewise bound to all interfaces on the default
# accounting port.
listen {
        ipaddr = *
        port = 0
        type = acct
}


 


# No reverse DNS on client addresses (avoids blocking lookups).
hostname_lookups = no
# Core dumps could contain shared secrets and passwords; keep disabled.
allow_core_dumps = no
regular_expressions= yes
extended_expressions= yes


 


log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        # auth = no suppresses the per-request Login OK / Login incorrect
        # lines in radius.log, which removes a useful detection signal for
        # failed-login bursts; consider auth = yes.
        auth = no
        # These two control whether the password text itself is logged;
        # leaving both at no is the right choice.
        auth_badpass = no
        auth_goodpass = no
}


 


checkrad = ${sbindir}/checkrad


 


security {
        # Upper bound on attributes accepted in one packet (parsing limit).
        max_attributes = 200
        # Access-Reject is delayed by one second, which slows down
        # password-guessing loops against the server.
        reject_delay = 1
        # Answer Status-Server requests from configured clients.
        status_server = yes
}


 


# Proxying is enabled; the realms and home servers are in proxy.conf
# (not shown).
proxy_requests  = yes
$INCLUDE proxy.conf
# clients.conf (not shown) holds the NAS addresses and shared secrets
# that gate the wildcard listeners above.
$INCLUDE clients.conf


 


thread pool {
        # Worker-thread sizing.
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        # 0 = threads are never recycled after a fixed number of requests.
        max_requests_per_server = 0
}


 


modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        # NOTE(review): counter.conf is also $INCLUDEd from inside the sql
        # block in sql.conf (shown further down), so the counter modules
        # are loaded twice - confirm this is intended.
        $INCLUDE sql/mysql/counter.conf
}


 


instantiate {
        # Modules loaded at start-up in this order, regardless of whether a
        # virtual server section references them.
        exec
        expr
        expiration
        logintime
}


 


and sql.conf:


 


sql {
        database = "mysql"
        driver = "rlm_sql_${database}"
        server = "localhost"
        #port = 3306
        # Database credentials are stored in clear text in this file; keep
        # it readable only by the account the daemon runs as.
        login = "radius"
        password = "<removed>"
        radius_db = "radius"
        acct_table1 = "radacct"
        acct_table2 = "radacct"
        # radpostauth is only written if the sql module is listed in the
        # post-auth section of the virtual server.
        postauth_table = "radpostauth"
        authcheck_table = "radcheck"
        authreply_table = "radreply"
        # Group check/reply items are keyed on membership rows in
        # usergroup_table; the group query itself is in dialup.conf below.
        groupcheck_table = "radgroupcheck"
        groupreply_table = "radgroupreply"
        usergroup_table = "radusergroup"
        deletestalesessions = yes
        # Leave sqltrace off in production: the trace file would contain
        # every query, including clear-text passwords.
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        # 0 = connections are not recycled by age or query count.
        lifetime = 0
        max_queries = 0
        nas_table = "nas"
        $INCLUDE sql/${database}/dialup.conf
        # NOTE(review): counter.conf is also included from the modules
        # section of radiusd.conf shown above - confirm the double include
        # is intended.
        $INCLUDE sql/${database}/counter.conf
}


 


Any help is really welcome.


Thanks, and sorry if I have not explained myself properly; please correct me.


 


 


 
 

