Howto group Users authenticated with ldap

Mischa Diehm mischa.diehm at unibas.ch
Tue Mar 18 08:00:04 CET 2014


Hi


From: Alan DeKok <aland at deployingradius.com>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date: Monday, 17 March 2014 23:22
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Howto group Users authenticated with ldap

Mischa Diehm wrote:
added the rlm_passwd (btw. there is a small typo in rlm_files in the
Description section when referencing rlm_passwd (it says rlm_passed)) to

  I've fixed that, thanks.

and it actually does get added. From debug output:
Mon Mar 17 09:02:05 2014 : Info: [groups] Added My-Group: 'testop' to
config_items

  That's good.

my problem is this Attribute seems not to match in the users file where I
have this line:
DEFAULT Auth-Type := LDAP, My-Group == testop, Huntgroup-Name == cyclades
Service-Type = Administrative-User,
Framed-Filter-Id = ":group_name=admin;",
from the -X debug output:
Mon Mar 17 14:42:34 2014 : Info: [groups] Added My-Group: 'testop' to
config_items
but files says:
Mon Mar 17 14:42:34 2014 : Info: [files] users: Matched entry DEFAULT at
line 181
Mon Mar 17 14:42:34 2014 : Info: ++[files] returns ok

  Are you listing "groups" *before* "files" ?

Yes I placed it right under "unix". So this is what I got:


authorize {
        preprocess
        chap
        mschap

        suffix

        unix
        #enable rlm_passwd for groups
        groups

        #  Read the 'users' file
        files

        #  The ldap module will set Auth-Type to LDAP if it has not
        #  already been set
        ldap

        pap

        expiration
        logintime
}


authenticate {
        Auth-Type PAP {
                pap
        }

        Auth-Type CHAP {
                chap
        }

        Auth-Type MS-CHAP {
                mschap
        }

        unix

        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }
}


I run on this system:

07:43:31 root at netgw:radius# uname -a
OpenBSD netgw.urz.unibas.ch 5.4 GENERIC#37 i386

With these versions:

07:45:39 root at netgw:radius# pkg_info | grep freeradius
freeradius-2.2.0p2  RADIUS server implementation
freeradius-ldap-2.2.0p1 freeradius ldap rlm addon

That's the debug output I get:

Tue Mar 18 07:34:34 2014 : Debug:     (Loaded rlm_passwd, checking if it's valid)
Tue Mar 18 07:34:34 2014 : Debug:  Module: Linked to module rlm_passwd
Tue Mar 18 07:34:34 2014 : Debug:  Module: Instantiating module "groups" from file /etc/raddb/radiusd.conf
Tue Mar 18 07:34:34 2014 : Debug:   passwd groups {
Tue Mar 18 07:34:34 2014 : Debug:       filename = "/etc/raddb/groups"
Tue Mar 18 07:34:34 2014 : Debug:       format = "My-Group:*,User-Name"
Tue Mar 18 07:34:34 2014 : Debug:       delimiter = ":"
Tue Mar 18 07:34:34 2014 : Debug:       ignorenislike = yes
Tue Mar 18 07:34:34 2014 : Debug:       ignoreempty = yes
Tue Mar 18 07:34:34 2014 : Debug:       allowmultiplekeys = yes
Tue Mar 18 07:34:34 2014 : Debug:       hashsize = 50
Tue Mar 18 07:34:34 2014 : Debug:   }
Tue Mar 18 07:34:34 2014 : Debug: rlm_passwd: nfields: 2 keyfield 1(User-Name) listable: yes
Tue Mar 18 07:34:34 2014 : Debug:     (Loaded rlm_files, checking if it's valid)
Tue Mar 18 07:34:34 2014 : Debug:  Module: Linked to module rlm_files
Tue Mar 18 07:34:34 2014 : Debug:  Module: Instantiating module "files" from file /etc/raddb/radiusd.conf
Tue Mar 18 07:34:34 2014 : Debug:   files {
Tue Mar 18 07:34:34 2014 : Debug:       usersfile = "/etc/raddb/users"
Tue Mar 18 07:34:34 2014 : Debug:       acctusersfile = "/etc/raddb/acct_users"
Tue Mar 18 07:34:34 2014 : Debug:       preproxy_usersfile = "/etc/raddb/preproxy_users"
Tue Mar 18 07:34:34 2014 : Debug:       compat = "no"
Tue Mar 18 07:34:34 2014 : Debug:   }

...

Tue Mar 18 07:34:42 2014 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default
Tue Mar 18 07:34:42 2014 : Info: +- entering group authorize {...}
Tue Mar 18 07:34:42 2014 : Info: ++[preprocess] returns ok
Tue Mar 18 07:34:42 2014 : Info: ++[chap] returns noop
Tue Mar 18 07:34:42 2014 : Info: ++[mschap] returns noop
Tue Mar 18 07:34:42 2014 : Info: [suffix] No '@' in User-Name = "diehm-adm", looking up realm NULL
Tue Mar 18 07:34:42 2014 : Info: [suffix] No such realm "NULL"
Tue Mar 18 07:34:42 2014 : Info: ++[suffix] returns noop
Tue Mar 18 07:34:42 2014 : Info: ++[unix] returns notfound
Tue Mar 18 07:34:42 2014 : Info: [groups] Added My-Group: 'testop' to config_items
Tue Mar 18 07:34:42 2014 : Info: ++[groups] returns ok
Tue Mar 18 07:34:42 2014 : Info: [files] users: Matched entry DEFAULT at line 181
Tue Mar 18 07:34:42 2014 : Info: ++[files] returns ok
Tue Mar 18 07:34:42 2014 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
Tue Mar 18 07:34:42 2014 : Info: ++[pap] returns noop
Tue Mar 18 07:34:42 2014 : Info: [ldap] performing user authorization for diehm-adm


as said it doesn't match:

DEFAULT  Auth-Type := LDAP, My-Group == "testop", Huntgroup-Name == cyclades
        Service-Type = Administrative-User,
        Framed-Filter-Id =  ":group_name=admin;",

Anything I can try?

Thx 1000
Mischa
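Added example, not code from the post or from FreeRADIUS: a small Python model of the two pieces in play above, an rlm_passwd instance with format "My-Group:*,User-Name" reading a colon-delimited groups file keyed by User-Name, and rlm_files evaluating the check items of a users entry. rlm_files compares check items such as My-Group == "testop" against the request list (the attributes of the incoming packet); the debug output above shows rlm_passwd adding My-Group to config_items, which is a separate list. The model therefore runs the same lookup twice, once with My-Group placed in the config list and once in the request list, so the effect of the placement on the DEFAULT match is visible. The groups file contents, the extra users and group, and the treatment of Huntgroup-Name as a plain request attribute (FreeRADIUS resolves it from the huntgroups file in the preprocess module) are constructed assumptions.

```python
"""Model of rlm_passwd group lookup plus rlm_files check-item matching.

Added example, not code from the post or from FreeRADIUS.  Huntgroup-Name is
modelled as a plain request attribute; the groups file and users file below
are constructed sample data shaped like the ones in the post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed groups file in rlm_passwd format "My-Group:*,User-Name":
# field 0 = group name, field 1 = comma-separated users (the key field).
GROUPS_FILE = """\
testop:diehm-adm,alice
netops:bob,carol
"""

# Constructed 'users' excerpt shaped like the post's DEFAULT entry.
USERS_FILE = """\
DEFAULT Auth-Type := LDAP, My-Group == "testop", Huntgroup-Name == cyclades
        Service-Type = Administrative-User,
        Framed-Filter-Id = ":group_name=admin;"
"""

Pairs = list[tuple[str, str]]  # one attribute list as (attribute, value) pairs

@dataclass
class Request:
    request: Pairs = field(default_factory=list)  # packet attributes
    config: Pairs = field(default_factory=list)   # config_items (check items)
    reply: Pairs = field(default_factory=list)

@dataclass
class UsersEntry:
    name: str
    checks: list[tuple[str, str, str]]   # (attr, op, value)
    replies: list[tuple[str, str, str]]

# attr op value; value is either "quoted" or a bare token ending at ',' or space
ITEM_RE = re.compile(r'(?P<attr>[\w-]+)\s*(?P<op>:=|==|=)\s*'
                     r'(?:"(?P<q>[^"]*)"|(?P<u>[^,\s]+))')

def _items(text: str) -> list[tuple[str, str, str]]:
    return [(m["attr"], m["op"], m["q"] if m["q"] is not None else m["u"])
            for m in ITEM_RE.finditer(text)]

def parse_users(text: str) -> list[UsersEntry]:
    """First line of an entry = name + check items; indented lines = reply items."""
    entries: list[UsersEntry] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            entries[-1].replies.extend(_items(line))
        else:
            name, _, rest = line.partition(" ")
            entries.append(UsersEntry(name, _items(rest), []))
    return entries

def passwd_lookup(groups_text: str, user: str, delimiter: str = ":") -> list[str]:
    """Return every group whose key field lists user (allowmultiplekeys = yes)."""
    found = []
    for line in groups_text.splitlines():
        if not line.strip():  # ignoreempty = yes
            continue
        fields = line.split(delimiter)
        if len(fields) == 2 and user in fields[1].split(","):
            found.append(fields[0])
    return found

def _values(pairs: Pairs, attr: str) -> list[str]:
    return [v for a, v in pairs if a == attr]

def match_entry(entry: UsersEntry, req: Request, user: str) -> bool:
    """rlm_files semantics: '==' is compared against the request list only;
    ':=' assigns into config_items and never causes a mismatch."""
    if entry.name not in ("DEFAULT", user):
        return False
    assigned: Pairs = []
    for attr, op, value in entry.checks:
        if op == ":=":
            assigned.append((attr, value))
        elif op == "==":
            if value not in _values(req.request, attr):
                return False
        else:
            raise ValueError(f"check operator {op!r} not modelled")
    names = {a for a, _ in assigned}
    req.config = [p for p in req.config if p[0] not in names] + assigned
    req.reply.extend((a, v) for a, _, v in entry.replies)
    return True

def authorize(user: str, huntgroup: str, group_list: str) -> str | None:
    """Put the user's My-Group value(s) into the named list ('config' or
    'request'), then walk the users file; return the matching entry's name."""
    req = Request(request=[("User-Name", user), ("Huntgroup-Name", huntgroup)])
    for grp in passwd_lookup(GROUPS_FILE, user):
        getattr(req, group_list).append(("My-Group", grp))
    for entry in parse_users(USERS_FILE):
        if match_entry(entry, req, user):
            return entry.name
    return None

if __name__ == "__main__":
    for placement in ("config", "request"):
        print(f"My-Group in {placement} list -> matched entry:",
              authorize("diehm-adm", "cyclades", placement))
```

With My-Group only in the config list the DEFAULT entry does not match even though the group lookup itself succeeded; with the same value in the request list it matches, and a wrong Huntgroup-Name or a user from another group still fails, which is the behaviour to expect from the check items in the entry.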
