custom message for ldap authentication

Jorge Pereira jpereiran at gmail.com
Sat Sep 19 17:10:20 CEST 2015


On Sat, Sep 19, 2015 at 6:42 AM, Daniele Mantovani <dmantovani at salesianisesto.it> wrote:

> Hi,
>
> I've started using freeradius (current version 2.2.5) on a debian machine
> to authenticate users on a wifi hotspot.
> I'm currently using it without any problem, and it works great!
> At the moment I'm using ldap (on a windows server 2008 active directory),
> pop and exec module to authenticate different realms.
>
> I only need to improve a little bit the reply message when an
> authentication fails.
> Currently I've a generic reply message at the end of the users file, but I
> want to make some specific message for the ldap user: I'm checking if a
> user is part of an ldap group to give them access. Here's a little bit of
> configuration
>
> users file
> DEFAULT Realm == NULL, osdbLDAP-Ldap-Group == "InternetAccess", Autz-Type := osdbLDAP, Auth-Type := osdbLDAP
>
> DEFAULT Auth-Type := Reject
>        Reply-Message = "You are not authorized"
>
> radiusd.conf
>
>    ldap osdbLDAP{
>         dictionary_mapping = ${raddbdir}/ldap.attrmap
>         server = "*****"
>         basedn = "cn=Users,dc=osdbsesto,dc=local"
>         filter = "(sAMAccountName=%{Stripped-User-Name})"
>         identity = "cn=ldap-proxy,cn=Users,dc=osdbsesto,dc=local"
>         password = "****"
>         #groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
>         groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"
>         groupmembership_attribute = "memberOf"
>         chase_referrals = yes
>         rebind =yes
>    }
>
> My goal is to have an error message for not valid user credentials, and one
> message for user not in group.
> I've read the documentation about the ldap module, and I've seen 2 possible
> ways of getting this:
> -using the post-auth in the virtual server, and checking the group:
> I've seen in the ldap module documentation that I can check the group in
> the post-auth of my virtual server, but it's not documented well, so I've
> many questions:
> --to do that, I simply need to remove the 'osdbLDAP-Ldap-Group ==
> "InternetAccess"' part in users file, and add something like this in
> post-auth block?
>
> if (osdbLDAP-Ldap-Group == "InternetAccess") {
>     noop
> }
> else {
>     reject
> }
>
> -- can I use the unlang in this block? for example, can I do this?
>
> else {
>     Reply-Message = "You aren't in the right group"
>     reject
> }
>
>
maybe... ?

if (osdbLDAP-Ldap-Group) {
    if (osdbLDAP-Ldap-Group != "InternetAccess") {
        # reply attributes are set with an update block in unlang
        update reply {
            Reply-Message := "You aren't in the right group"
        }
        reject
    }
}
else {
    reject
}



> -- does this check work with the recursive group filter? (I'm checking if
> user is in the group, or in a sub group)
> (groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))")
>
> -- can I catch somewhere the "not authenticate" state? (where I can set a
> custom message)
>
> - the other way I've found to do this is add a second line in the users
> file, after the line that authenticate if user is valid and in the group,
> and to the same check as before, but without the group. In that case, I can
> set a custom reply message (the user is valid but not in the group) and,
> stopping the fall through, I think I can reject the user.
> This should work, but, if I'm not wrong, this will do another call to the
> ldap server
>
> Any suggestion, tip, link or documentation I can read?
>
> Thanks to all
> Best Regards
> Mix
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
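The post-auth approach Daniele asks about, written out as an added example for the FreeRADIUS 2.2.x default virtual server (this is not code from either poster; the instance name osdbLDAP and the group InternetAccess come from the configuration above, while the section layout, the message strings and the guard in Post-Auth-Type REJECT are assumptions):

```unlang
# Added example: sites-enabled/default for FreeRADIUS 2.2.x (assumed layout).
# The users file keeps only the realm line, WITHOUT the osdbLDAP-Ldap-Group
# check, so authorize never rejects for group reasons:
#   DEFAULT Realm == NULL, Autz-Type := osdbLDAP, Auth-Type := osdbLDAP

authorize {
    preprocess
    suffix
    files
    Autz-Type osdbLDAP {
        osdbLDAP    # sets control:Ldap-UserDn, used by groupmembership_filter
    }
}

authenticate {
    Auth-Type osdbLDAP {
        osdbLDAP    # bind as the user; a failed bind rejects with no Reply-Message yet
    }
}

post-auth {
    # Only reached after a successful bind, so a failure here means
    # "valid credentials, not in the group". Because the message is sent
    # only to a client that already proved the password, it does not tell
    # an unauthenticated client whether an account exists.
    # The comparison runs the groupmembership_filter query, which includes
    # nested groups because of the 1.2.840.113556.1.4.1941 matching rule.
    if (osdbLDAP-Ldap-Group == "InternetAccess") {
        noop
    }
    else {
        update reply {
            Reply-Message := "Your account is valid but is not a member of InternetAccess"
        }
        reject
    }

    Post-Auth-Type REJECT {
        # Runs for rejects raised in authenticate (bad credentials).
        # The guard keeps a message already set above, whichever path led here.
        if ("%{reply:Reply-Message}" == "") {
            update reply {
                Reply-Message := "Login incorrect"
            }
        }
        attr_filter.access_reject
    }
}
```

Reply attributes on an Access-Reject pass through attr_filter.access_reject, whose stock attrs.access_reject list permits Reply-Message, so both messages reach the NAS.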
