checkItem not being checked

Alan DeKok
aland at deployingradius.com
Fri Oct  3 17:39:22 CEST 2014

Victor Tarhon-Onu wrote:
>     Before proceeding further I'm going to describe shortly what I want
> to do and what I did so far.
  That's always a good idea.
>     Later the requirement was changed and I was asked to do some
> privilege separation based on the group each LDAP user is in. So it
> seemed to be easier just to map the LDAP gidNumber entry for each user
> to a radius check item:
> 
> /etc/raddb/ldap.attrmap:checkItem       Group-ID        gidNumber
> /etc/raddb/dictionary:ATTRIBUTE Group-ID                3000    integer
  Hmm... I'd pick another name, but OK.
>     So in /etc/raddb/users I added something like
> 
> DEFAULT Auth-Type = LDAP
>     Service-Type = Login,
>     Fall-Through = Yes
> 
> DEFAULT Group-ID == 100
>     Service-Type := Shell-User
> 
> DEFAULT Group-ID == 101
>     Service-Type := Dialout-Framed-User
  That should work.
>     The problem is that the Service-Type never changes because the
> Group-ID doesn't match any of those checks.
>     It remains set to the value (Login) I've set as default at the
> beginning of the file. However, when running the radius server in debug
> mode, I can see that the Group-ID is set correctly for each
> authenticated user:
> 
> rlm_ldap: Adding gidNumber as Group-ID, value 100 & op=21
> 
>     ...but I'm not sure if it's exported (or even supposed to be) out
> from rlm_ldap.
  If the ldap module says it's being added, it's being added.
>     The freeradius version is 1.1.3 (freeradius-1.1.3-1.6.el5).
  Oh dear... that is very, very, very old.
> I am
> inserting below the entire output of the radius server during an
> authentication/authorization attempt:
  Which shows a pretty obvious problem.
>   modcall[authorize]: module "eap" returns noop for request 0
>     users: Matched entry DEFAULT at line 6
>   modcall[authorize]: module "files" returns ok for request 0
> modcall: entering group redundant  for request 0
> rlm_ldap: - authorize
  You're checking the "files" module BEFORE ldap.  So the Group-ID will
*never* be seen by the "users" file, because it hasn't been added.

  Swap the order.  Put "files" after "ldap".
  Alan DeKok.
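Added example (not from this thread, and not FreeRADIUS code): a small Python model of the `authorize` pipeline that shows the ordering effect Alan describes. It parses the `users` file posted above, models `rlm_ldap` as a lookup against a constructed directory (`alice` in gid 100, `bob` in gid 101) using the `Group-ID -> gidNumber` attrmap from the thread, and runs the `files` and `ldap` modules in both orders. Assumptions are labelled in the comments: check-item and reply-item semantics are simplified to a single attribute pool, `==` requires an equal value to be present, `=` adds if absent, `:=` overrides, and `Fall-Through = Yes` continues to the next entry.

```python
"""Toy model of the FreeRADIUS 1.x authorize pipeline (constructed example,
not FreeRADIUS code). It shows why the order of modules in the `authorize`
section decides whether check items added by rlm_ldap are visible to the
`users` file evaluated by the `files` module."""

# Constructed copy of the users file from the thread.
USERS_FILE = """\
DEFAULT Auth-Type = LDAP
    Service-Type = Login,
    Fall-Through = Yes

DEFAULT Group-ID == 100
    Service-Type := Shell-User

DEFAULT Group-ID == 101
    Service-Type := Dialout-Framed-User
"""

# Constructed LDAP directory and the attrmap line from the thread
# (checkItem  Group-ID  gidNumber).
DIRECTORY = {"alice": {"gidNumber": "100"}, "bob": {"gidNumber": "101"}}
ATTRMAP = {"Group-ID": "gidNumber"}


def parse_item(tok):
    """'Group-ID == 100' -> ('Group-ID', '==', '100')."""
    attr, op, value = tok.strip().rstrip(",").split(None, 2)
    return attr, op, value


def parse_users(text):
    """Parse users-file entries into (name, check_items, reply_items)."""
    entries, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if not line.strip() or line.lstrip().startswith("#"):
            i += 1
            continue
        if line[0] in " \t":
            raise ValueError(f"reply item without an entry at line {i + 1}")
        name, _, rest = line.partition(" ")
        checks = [parse_item(tok) for tok in rest.split(",") if tok.strip()]
        replies = []
        i += 1
        # Indented lines following the entry line are its reply items.
        while i < len(lines) and lines[i][:1] in (" ", "\t"):
            replies.append(parse_item(lines[i]))
            i += 1
        entries.append((name, checks, replies))
    return entries


def check_ok(request, item):
    """Simplified check-item semantics (assumption): '=' never fails,
    '==' needs the attribute present with an equal value."""
    attr, op, value = item
    if op == "=":
        return True
    if op == "==":
        return request.get(attr) == value
    raise ValueError(f"unsupported operator {op!r}")


def files_module(request, entries):
    """Walk entries in order; stop at the first match unless Fall-Through = Yes."""
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not all(check_ok(request, c) for c in checks):
            continue
        for attr, op, val in checks:
            if op == "=":
                request.setdefault(attr, val)  # add-if-absent check item
        fall_through = False
        for attr, op, val in replies:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif op == ":=" or attr not in request:  # ':=' overrides, '=' adds if absent
                request[attr] = val
        if not fall_through:
            break
    return request


def ldap_module(request, directory, attrmap):
    """Model of rlm_ldap authorize: map directory attributes to check items
    (what the debug log shows as 'Adding gidNumber as Group-ID')."""
    entry = directory.get(request.get("User-Name"))
    if entry is not None:
        for radius_attr, ldap_attr in attrmap.items():
            if ldap_attr in entry:
                request[radius_attr] = entry[ldap_attr]
    return request


def authorize(order, user):
    """Run the named modules in the given order, like the authorize {} section."""
    request = {"User-Name": user}
    modules = {
        "files": lambda r: files_module(r, parse_users(USERS_FILE)),
        "ldap": lambda r: ldap_module(r, DIRECTORY, ATTRMAP),
    }
    for name in order:
        request = modules[name](request)
    return request


def service_type(order, user):
    return authorize(order, user).get("Service-Type")


if __name__ == "__main__":
    for order in (["files", "ldap"], ["ldap", "files"]):
        for user in ("alice", "bob"):
            print(order, user, service_type(order, user))
```

With `files` before `ldap` every user ends up with `Service-Type = Login`, exactly the symptom in the thread; with `ldap` before `files` the `Group-ID == 100` and `== 101` entries match and override it.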