FR 3.0.1 and LDAP group membership

Brendan Kearney bpk678 at gmail.com
Tue May 27 19:55:18 CEST 2014


On Tue, 2014-05-20 at 06:39 +0100, Arran Cudbard-Bell wrote:
> On 20 May 2014, at 02:03, Brendan Kearney <bpk678 at gmail.com> wrote:
> 
> > I want to authenticate users against my Kerberos instance (working now),
> > and authorize them based on LDAP group membership.  I am stuck getting
> > authorization working, because I must be missing something fundamental.
> > 
> > I copied mods-available/ldap to mods-available/ldap.orig and made the
> > following edits:
> > 
> > changed "server" to test.bpk2.com
> > changed "identity" and "password" to cn=Manger,dc=my-domain,dc=com, and
> > the corresponding password.
> > changed "base_dn" to ou=Users,dc=bpk2,dc=com
> > commented out control:Password-With-Header	+= 'userPassword' as LDAP
> > will not be managing any passwords
> > changed filter from objectClass=posixGroup to groupOfNames
> > changed membership_filter to be member= and not memberUid= in the second
> > OR'd condition
> > uncommented filter="(objectclass=radiusprofile)"
> > 
> > I have created a group in the DIT called netEngineers, added my ID to
> > the group, added the radiusprofile object class and added a
> > radiusreplyitem of "Cisco-AVPair = "shell:priv-lvl=15"" to the group.
> 
> Groups don't return replyItems; only profiles do. Groups are only
> used for checking membership; they cannot contain attributes themselves.
> 
> Note that your profile attribute could be the same as your group
> attribute i.e. memberOf, in which case you'd just need to add the
> group objects to the radiusprofile object.
> 
> > I have added the radiusprofile object class to my ID and added the
> > radiusgroupname attribute, and the value "netEngineers" to the
> > attribute.
> 
> You still have 'attribute' commented out in the profile section.
> How will it know which attribute contains profiles?
> 
> > When I run radiusd -X and then radtest, I run a packet capture.  The
> > capture does not show the radiusreplyitem being replied back.  It seems
> > that I am not properly configuring the group checking, but I don't know
> > where I am going wrong.  Where am I going wrong?
> 
> You're meant to check for individual groups. They're not meant to be 
> container objects for attributes.
> 
> Your policy should contain something like
> 
> if (LDAP-Group == 'foo') {
> 	bar
> }
> 
> If you want to check for specific group memberships, but I don't think
> that's what you're trying to do.
> 
> -Arran
> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
> 
> FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
> 

Backing up a bit...

Users, groups and profiles.

I want to have a group that I add users to, and when users are added to
that group, they inherit RADIUS attributes which allow them access to a
resource.  The means would be the value of a radiusreplyitem.

I have created a user, uid=brendan,ou=Domain Users,ou=Users,dc=bpk2,dc=com
I have created a group, cn=netEngineers,ou=Domain Groups,ou=Groups,dc=bpk2,dc=com
I have created a profile, cn=netReadWrite,cn=radius,ou=Daemons,dc=bpk2,dc=com
The profile has a radiusreplyitem with a value of Cisco-AVPair =
"shell:priv-lvl=15"

How do I go about tying group membership to the profile (or vice versa,
if that is what I am supposed to do)?

I have uncommented the attribute line in the profile section, and
changed its value to memberOf.  I see in a capture that the groups I am
a member of are queried for the radiusprofile objectclass.  The
netEngineers group has that objectclass and a radiusprofiledn attribute
pointing to the profile that has the radiusreplyitem.  I do not see the
query for the profile or the radiusreplyitem string in the radiusd -X
output or in the radtest output.  What are the appropriate ways of tying
this all together?

Thanks, Brendan
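As an added example (not from this thread or from the FreeRADIUS project's own configuration files), here is how Arran's suggested policy fits into a FreeRADIUS 3.0 configuration using the names from this thread: the ldap module's group section matches groupOfNames entries by member DN, and an unlang check in the authorize section attaches the reply item when the user is in netEngineers. The bind DN and password are placeholders, the base DNs are assumed from the DNs quoted above, and Kerberos authentication (already working per the thread) is left unchanged.

```unlang
# mods-available/ldap (excerpt): assumed layout based on the DNs in the thread
ldap {
	server = 'test.bpk2.com'
	identity = 'cn=Manager,dc=bpk2,dc=com'      # placeholder bind DN
	password = 'BIND_PASSWORD_PLACEHOLDER'      # placeholder
	base_dn = 'dc=bpk2,dc=com'

	user {
		base_dn = 'ou=Users,dc=bpk2,dc=com'
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = 'ou=Groups,dc=bpk2,dc=com'
		filter = '(objectClass=groupOfNames)'
		name_attribute = 'cn'
		# groupOfNames lists full member DNs, so match on member=, not memberUid=
		membership_filter = "(member=%{control:Ldap-UserDn})"
	}

	# Reply items are read from profile objects, not from groups. This section
	# stays commented out for the unlang approach below; it shows the
	# alternative Arran described: treat the user's memberOf values as profile
	# DNs and place radiusReplyItem directly on the netEngineers group entry
	# (a radiusProfileDn on the group is not followed to a further entry).
	#profile {
	#	filter = '(objectClass=radiusprofile)'
	#	attribute = 'memberOf'
	#}
}

# sites-enabled/default (authorize section excerpt)
authorize {
	# Run ldap first so the user's DN (control:Ldap-UserDn) is known for the
	# group membership query.
	ldap

	# LDAP-Group is resolved by the ldap module against the user's DN; only
	# members of netEngineers receive the Cisco-AVPair reply item.
	if (LDAP-Group == "netEngineers") {
		update reply {
			Cisco-AVPair := "shell:priv-lvl=15"
		}
	}
}
```

Running radiusd -X and radtest as in the thread should then show the group query against ou=Groups followed by Cisco-AVPair in the Access-Accept for a member of netEngineers, and no such attribute for a non-member.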
