custom message for ldap authentication

Daniele Mantovani dmantovani at salesianisesto.it
Sat Sep 19 11:42:11 CEST 2015


Hi,

I've started using freeradius (current version 2.2.5) on a debian machine
to authenticate users on a wifi hotspot.
I'm currently using it without any problem, and it works great!
At the moment I'm using the ldap (on a windows server 2008 active directory),
pop and exec modules to authenticate different realms.

I only need to improve a little bit the reply message when an
authentication fails.
Currently I have a generic reply message at the end of the users file, but I
want to make some specific messages for the ldap users: I'm checking if a
user is part of an ldap group to give them access. Here's a little bit of
configuration

users file

DEFAULT Realm == NULL, osdbLDAP-Ldap-Group == "InternetAccess", Autz-Type := osdbLDAP, Auth-Type := osdbLDAP

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not authorized"

radiusd.conf

   ldap osdbLDAP {
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        server = "*****"
        basedn = "cn=Users,dc=osdbsesto,dc=local"
        filter = "(sAMAccountName=%{Stripped-User-Name})"
        identity = "cn=ldap-proxy,cn=Users,dc=osdbsesto,dc=local"
        password = "****"
        #groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        chase_referrals = yes
        rebind = yes
   }

My goal is to have one error message for invalid user credentials, and one
message for a user not in the group.
I've read the documentation about the ldap module, and I've seen two possible
ways to get this:
- using the post-auth in the virtual server, and checking the group:
I've seen in the ldap module documentation that I can check the group in
the post-auth of my virtual server, but it's not documented well, so I have
many questions:
-- to do that, do I simply need to remove the 'osdbLDAP-Ldap-Group ==
"InternetAccess"' part in the users file, and add something like this in the
post-auth block?

if (osdbLDAP-Ldap-Group == "InternetAccess") {
    noop
}
else {
    reject
}

-- can I use unlang in this block? for example, can I do this?

else {
    Reply-Message = "You aren't in the right group"
    reject
}

-- does this check work with the recursive group filter? (I'm checking if the
user is in the group, or in a sub-group)
(groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))")

-- can I catch somewhere the "not authenticated" state? (where I can set a
custom message)

- the other way I've found to do this is to add a second line in the users
file, after the line that authenticates if the user is valid and in the group,
and do the same check as before, but without the group. In that case, I can
set a custom reply message (the user is valid but not in the group) and,
stopping the fall-through, I think I can reject the user.
This should work, but, if I'm not wrong, this will do another call to the
ldap server.

Any suggestion, tip, link or documentation I can read?

Thanks to all
Best Regards
Mix
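The two approaches discussed above (a group check in post-auth, and a distinct message for failed credentials) can be combined in a single virtual-server fragment. The following is an added illustration for FreeRADIUS 2.x unlang, not the poster's configuration and not text from the FreeRADIUS project; it assumes the osdbLDAP instance shown in the mail, that the osdbLDAP-Ldap-Group condition has been dropped from the users file so membership is decided here instead, and that the default attr_filter.access_reject instance is present (it permits Reply-Message in an Access-Reject).

```unlang
# Added example for a FreeRADIUS 2.x virtual server; assumes the osdbLDAP
# ldap instance from the mail and a users file entry that only sets
# Autz-Type/Auth-Type := osdbLDAP for Realm == NULL.
post-auth {
    # This section runs only after the password was verified, so a user
    # whose credentials failed never learns anything about group membership.
    # The comparison is answered by the osdbLDAP instance using its
    # groupmembership_filter, so the recursive (matching-rule-in-chain)
    # filter from the mail is what decides nested-group membership.
    if (!(osdbLDAP-Ldap-Group == "InternetAccess")) {
        update reply {
            Reply-Message := "You aren't in the right group"
        }
        reject
    }

    Post-Auth-Type REJECT {
        # Any request that ends in Access-Reject passes through here.
        # A credential failure arrives with no Reply-Message set, so a
        # generic message is supplied; the group message set above is
        # left untouched when it is already present.
        if (!reply:Reply-Message) {
            update reply {
                Reply-Message := "Invalid username or password"
            }
        }
        attr_filter.access_reject
    }
}
```

Placing the group check after authentication rather than in authorize keeps the two failure messages from leaking which usernames exist in the directory: the "wrong group" text is only ever returned to a client that already proved the password. Whether post-auth or the users file is used, the membership comparison is one extra LDAP query per request; caching the result on the supplicant side is not possible, so the cost is the same for both approaches described in the mail.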

