LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Thu May 29 12:15:55 CEST 2014


>>> What attribute are you using for group membership?  I'm getting ready to
>>> do something similar and it strikes me that if memberOF is not in your
>>> schema that won't work.
>> 
>> Not with the update block no, but there are other ways in v3.0.x to do 
>> it without memberOf
>
>Ok, OP.
>
>I suspect you've messed up and not uncommented 
>
>group.cache_attribute
>
>Or got a typo in your config. I got no complaints from the server when I
>tried, and did not have to add a dictionary entry.
>
>So yes, it works perfectly on my system (though I don't have the Ruckus
>attributes, could you send their dictionary over please?)

I am guessing you mean cache_attribute in section group {}, in
mods-available/ldap. I uncommented it and set it to
"LDAP-Cached-Membership". Besides, I set cacheable_name = "yes" and
membership_attribute = "member".
And dictionary.ruckus:

VENDOR		Ruckus		25053
BEGIN-VENDOR	Ruckus
ATTRIBUTE		Ruckus-User-Groups	1	string
END-VENDOR		Ruckus

>Good that you can see debug. We can't though which isn't helpful. 
>
>I'm going to guess that you've got attribute filtering on and haven't added
>that attribute to the attribute white list. I hate to guess though; it would be
>better if we were better informed. 
>
>alan

About this, I haven't set up attribute filtering (because I don't know where
to do it), so if it's on by default, where is the whitelist? 
I have also changed the foreach line you guys suggested because of a warning
in the debug output: I placed a & before Ruckus-User-Groups:

# For each group name rlm_ldap cached into the control list,
# append it to the reply as a Ruckus-User-Groups attribute
foreach &control:LDAP-Cached-Membership {
	update reply {
		&Ruckus-User-Groups	+= "%{Foreach-Variable-0}"
	}
}

And finally, the debug output for a PAP Access-Request of user 'juan', who
belongs to group 'profesores':

Received Access-Request Id 2 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82
        User-Name = 'juan'
        User-Password = 'juan'
        NAS-IP-Address = 192.168.60.1
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0x412aea7019095474eca935825f5f2c90
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0)    --> juan
(0)     if (User-Name != "%{tolower:%{User-Name}}")  -> FALSE
(0)     if (User-Name =~ / /)
(0)     if (User-Name =~ / /)  -> FALSE
(0)     if (User-Name =~ /@.*@/ )
(0)     if (User-Name =~ /@.*@/ )  -> FALSE
(0)     if (User-Name =~ /\\.\\./ )
(0)     if (User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (User-Name =~ /\\.$/)
(0)     if (User-Name =~ /\\.$/)   -> FALSE
(0)     if (User-Name =~ /@\\./)
(0)     if (User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap :    --> (uid=juan)
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap :    --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(0) ldap : No cacheable group memberships found in user object
(0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(0) ldap :    --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap :    --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : Added control:Ldap-Group with value "profesores"
(0) ldap : Processing user attributes
(0) ldap :      control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew''
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   foreach &control:LDAP-Cached-Membership {
(0)   } # foreach &control:LDAP-Cached-Membership = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)   [pap] = updated
(0)  } #  authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)  Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : Comparing with "known-good" SSHA-Password
(0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(0) pap : User authenticated successfully
(0)   [pap] = ok
(0)  } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0)   post-auth {
(0)   [exec] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (reply:EAP-Message && reply:Reply-Message)
(0)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } #  post-auth = noop
Sending Access-Accept Id 2 from 192.168.50.62:1812 to 192.168.60.1:1024
(0) Finished request
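Added example (not part of the thread, and not FreeRADIUS code): a small Python check that reads radiusd -X debug lines like the ones quoted above and compares the control: attributes rlm_ldap reports adding against the control: attributes that foreach blocks iterate over. The sample lines are copied from the debug output in this post; the two message formats matched by the regexes are assumed from that output rather than taken from the rlm_ldap source.

```python
import re
from typing import Dict, List, Set

# Constructed sample: these lines are copied from the radiusd -X output
# quoted in the post above (assumed representative of FreeRADIUS 3.0.x).
DEBUG_LINES = """\
(0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(0) ldap : No cacheable group memberships found in user object
(0) ldap : Added control:Ldap-Group with value "profesores"
(0)   [ldap] = ok
(0)   foreach &control:LDAP-Cached-Membership {
(0)   } # foreach &control:LDAP-Cached-Membership = noop
""".splitlines()

# Message formats assumed from the debug output on this page, not from rlm_ldap's source.
ADDED_RE = re.compile(r'ldap : Added control:(?P<attr>[\w-]+) with value "(?P<value>[^"]*)"')
FOREACH_RE = re.compile(r'foreach &control:(?P<attr>[\w-]+) \{')


def added_control_attrs(lines: List[str]) -> Dict[str, List[str]]:
    """Map each control: attribute rlm_ldap reported adding to the values it added."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        m = ADDED_RE.search(line)
        if m:
            found.setdefault(m.group("attr"), []).append(m.group("value"))
    return found


def foreach_attrs(lines: List[str]) -> Set[str]:
    """Set of control: attributes that foreach blocks in the debug output iterate over."""
    attrs: Set[str] = set()
    for line in lines:
        m = FOREACH_RE.search(line)
        if m:
            attrs.add(m.group("attr"))
    return attrs


def diagnose(lines: List[str]) -> Dict[str, object]:
    """Report populated attributes and foreach targets that nothing populated.

    RADIUS attribute names are case-insensitive, so the comparison is too.
    """
    populated = added_control_attrs(lines)
    populated_lc = {name.lower() for name in populated}
    empty_loops = sorted(a for a in foreach_attrs(lines) if a.lower() not in populated_lc)
    return {"populated": populated, "empty_loops": empty_loops}


if __name__ == "__main__":
    report = diagnose(DEBUG_LINES)
    for attr, values in report["populated"].items():
        print(f"rlm_ldap populated control:{attr} = {values}")
    for attr in report["empty_loops"]:
        print(f"foreach over control:{attr} had nothing to iterate")
```

On the quoted run this reports that rlm_ldap populated control:Ldap-Group with "profesores" while the foreach iterated over control:LDAP-Cached-Membership, which explains why the loop ends with "= noop" and no Ruckus-User-Groups attribute reaches the reply: the attribute name the loop reads has to be the same one the group cache writes, and the debug output is where to confirm the two agree after editing mods-available/ldap.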
