LDAP Groups to Freeradius and then Ruckus Wireless?
Enrique Sainz Baixauli
enriquesainz.beca at intef.educacion.es
Thu May 29 12:15:55 CEST 2014
>>> What attribute are you using for group membership? I'm getting ready to
>>> do something similar and it strikes me that if memberOF is not in your
>>> schema that won't work.
>>
>> Not with the update block no, but there are other ways in v3.0.x to do
>> it without memberOf
>
>Ok, OP.
>
>I suspect you've messed up and not uncommented
>
>group.cache_attribute
>
>Or got a typo in your config. I got no complaints from the server when I
>tried, and did not have to add a dictionary entry.
>
>So yes, it works perfectly on my system (though I don't have the Ruckus
>attributes, could you send their dictionary over please?)
I am guessing you mean cache_attribute in section group {}, in
mods-available/ldap. I uncommented it and set it to
"LDAP-Cached-Membership". Besides, I set cacheable_name = "yes" and
membership_attribute = "member".
And dictionary.ruckus:
VENDOR Ruckus 25053
BEGIN-VENDOR Ruckus
ATTRIBUTE Ruckus-User-Groups 1 string
END-VENDOR Ruckus
>Good that you can see debug. We can't though which isn't helpful.
>
>I'm going to guess that you've got attribute filtering on and haven't added
>that attribute to the attribute white list. I hate to guess though; it would be
>better if we were better informed.
>
>alan
About this, I haven't set up attribute filtering (because I don't know where
to do it), so if it's on by default, where is the whitelist?
I have also changed the foreach line you guys suggested because of a warning
in the debug output: I placed a & before Ruckus-User-Groups:
# one Ruckus-User-Groups reply attribute per cached LDAP group
foreach &control:LDAP-Cached-Membership {
    update reply {
        &Ruckus-User-Groups += "%{Foreach-Variable-0}"
    }
}
And finally, the debug output for a PAP Access-Request of user 'juan', who
belongs to group 'profesores':
Received Access-Request Id 2 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82
User-Name = 'juan'
User-Password = 'juan'
NAS-IP-Address = 192.168.60.1
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x412aea7019095474eca935825f5f2c90
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (User-Name != "%{tolower:%{User-Name}}")
(0) EXPAND %{tolower:%{User-Name}}
(0) --> juan
(0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE
(0) if (User-Name =~ / /)
(0) if (User-Name =~ / /) -> FALSE
(0) if (User-Name =~ /@.*@/ )
(0) if (User-Name =~ /@.*@/ ) -> FALSE
(0) if (User-Name =~ /\\.\\./ )
(0) if (User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (User-Name =~ /\\.$/)
(0) if (User-Name =~ /\\.$/) -> FALSE
(0) if (User-Name =~ /@\\./)
(0) if (User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : No '@' in User-Name = "juan", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noop
rlm_ldap (ldap): Reserved connection (4)
(0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0) ldap : --> (uid=juan)
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap : --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"
(0) ldap : No cacheable group memberships found in user object
(0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
(0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))
(0) ldap : EXPAND dc=ejemplo,dc=org
(0) ldap : --> dc=ejemplo,dc=org
(0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : Added control:Ldap-Group with value "profesores"
(0) ldap : Processing user attributes
(0) ldap : control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew''
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = ok
(0) foreach &control:LDAP-Cached-Membership {
(0) } # foreach &control:LDAP-Cached-Membership = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Auth-Type PAP {
(0) pap : Login attempt with password
(0) pap : Comparing with "known-good" SSHA-Password
(0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes
(0) pap : User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0) post-auth {
(0) [exec] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (reply:EAP-Message && reply:Reply-Message)
(0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # post-auth = noop
Sending Access-Accept Id 2 from 192.168.50.62:1812 to 192.168.60.1:1024
(0) Finished request
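As an added diagnostic, not from the thread or the FreeRADIUS project, this Python script reads the debug lines above and checks two things a practitioner wants from that output: that the user DN was escaped before being placed in the membership filter (the `\3d` and `\2c` sequences), and that the attribute the foreach loops over is the one rlm_ldap actually populated, which is the cache_attribute question Alan raises. The escaping function and the regexes are my assumptions, written to match the visible output; the embedded log is a constructed excerpt of the post's debug output.

```python
import re

# Constructed excerpt of the radiusd -X output quoted above (not a live capture).
DEBUG_LOG = "\n".join([
    '(0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org"',
    r'(0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemplo\2cdc\3dorg))',
    '(0) ldap : Added control:Ldap-Group with value "profesores"',
    '(0) foreach &control:LDAP-Cached-Membership {',
    '(0) } # foreach &control:LDAP-Cached-Membership = noop',
])
DN_RE = re.compile(r'User object found at DN "([^"]+)"')
ADDED_RE = re.compile(r'Added (\w+):([\w-]+) with value "([^"]*)"')
FOREACH_RE = re.compile(r'foreach &(\w+):([\w-]+) \{')

def ldap_filter_escape(value):
    """Hex-escape every UTF-8 byte outside [A-Za-z0-9._-] as \\xx, RFC 4515 style.
    Assumption: this superset of the RFC's mandatory set reproduces the '=' -> \\3d
    and ',' -> \\2c escaping visible in the expanded filter in the debug output."""
    out = []
    for b in value.encode("utf-8"):
        c = chr(b)
        out.append(c if (c.isascii() and c.isalnum()) or c in "._-" else "\\%02x" % b)
    return "".join(out)

def membership_filter(dn):
    """The groupOfNames filter rlm_ldap expands, with the user DN escaped first."""
    return "(&(objectClass=groupOfNames)(member=%s))" % ldap_filter_escape(dn)

def dn_is_escaped_in_filter(log):
    """True when the expanded filter in the log is exactly membership_filter(user DN)."""
    return membership_filter(DN_RE.search(log).group(1)) in log

def cached_groups(log):
    """{(list, attribute lowercased): [values]} for every group rlm_ldap cached."""
    found = {}
    for lst, attr, val in ADDED_RE.findall(log):
        found.setdefault((lst, attr.lower()), []).append(val)
    return found

def check_group_cache(log):
    """Flag foreach loops over a list:attribute that rlm_ldap never populated.
    Attribute names compare case-insensitively, as FreeRADIUS treats them."""
    groups = cached_groups(log)
    problems = []
    for lst, attr in FOREACH_RE.findall(log):
        if (lst, attr.lower()) not in groups:
            have = ", ".join("%s:%s" % k for k in groups) or "nothing"
            problems.append("foreach over %s:%s iterated nothing; rlm_ldap cached groups"
                            " into %s" % (lst, attr, have))
    return problems
```

Run against the full radiusd -X output; on the excerpt above it reports one finding, because the group was cached into control:Ldap-Group while the loop reads control:LDAP-Cached-Membership.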