Authorizing using LDAP attributes
Clayton Knorr
clayton.knorr at nuspire.com
Mon May 9 15:29:17 CEST 2016
Alan et al,
Adding ldap.authorize to the post-auth section didn't seem to change anything except adding a "++[ldap.authorize] returns ok" to the logs.
Is there a preferred way to do this I can use in version 2.2.x?
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+clayton.knorr=nuspire.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Saturday, May 7, 2016 12:28 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Authorizing using LDAP attributes
On May 6, 2016, at 1:25 PM, Clayton Knorr <clayton.knorr at nuspire.com> wrote:
>
> Running radius 2.1.12 and Openldap (openldap just for testing at this
> point)
You should really upgrade... newer versions are a lot easier to configure.
> Trying to solve a problem. Need to provide EAP authentication for wifi to many devices. The freeradius server will be hitting an LDAP directory which is not in my control. I need to be able to have conditional logic to allow only certain users with certain attributes in the LDAP directory to connect to certain RADIUS clients. I don't control the LDAP directory so using groups or OUs is not an option. So for example if the ldap user has an attribute Location that equals "A1234" I only want them to connect to one or a subset of APs/controllers.
OK...
> I have gotten to the point where everything works for EAP, just the LDAP attributes mapping to RADIUS attributes is giving me fits.
That's good.
> So I have a test ldap directory in which I have set users up with the attribute businessCategory set to A1000.
> I have added an entry to the main dictionary file: ATTRIBUTE My-Local-String 3000 string
> I have added a line to ldap.attrmap: checkItem My-Local-String businessCategory
> I have the following in my post-auth section in sites-enabled/default:
>
> if ( Called-Station-Id == "AC-85-75-46-55-91:Peep" && My-Local-String == "A1000" ) {
>     noop
> }
>
> else {
>     reject
> }
That should be fine.
> Here are some logs from what happens when I try to log in:
> ...
> [ldap] looking for check items in directory...
> [ldap] businessCategory -> My-Local-String == "A1000"
> [ldap] userPassword -> Cleartext-Password == "password"
> [ldap] userPassword -> Password-With-Header == "password"
> [ldap] looking for reply items in directory...
> [ldap] user uuserton authorized to use remote access [ldap]
> ldap_release_conn: Release Id: 0
> ++[ldap] return
> .....
One key thing to note is that there are multiple packets being exchanged. Pay attention to *which* packet this message is from.
> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> +- entering group post-auth {...}
> ++? if (Called-Station-Id == "AC-85-75-46-55-91:Peep" &&
> ++My-Local-String == "A1000" )
> ? Evaluating (Called-Station-Id == "AC-86-74-46-65-91:Peep" ) -> TRUE
> (Attribute My-Local-String was not found) ? Evaluating
> (My-Local-String == "A1000" ) -> FALSE
> ++? if (Called-Station-Id == "AC-86-74-46-65-91:Peep" &&
> ++My-Local-String == "A1000" ) -> FALSE
> ++- entering else else {...}
> +++[reject] returns reject
> ++- else else returns reject
> Using Post-Auth-Type Reject
That's most likely a *different* packet.
Version 2 doesn't cache results across multiple packets. Version 3 can, if you want.
> The baffling part is where it says "Attribute My-Local-String was not found." Am I completely barking up the wrong tree here? Is ldap.attrmap meant to be used for something completely different?
It works. In v2.1, you should just add "ldap.authorize" to the "post-auth" section, before your unlang checks. It's a hack, but it should work around this issue.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
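The advice above to check which packet each debug message belongs to can be automated. The following is an added example, not part of the original thread or of FreeRADIUS; it assumes each request in the 2.x debug output begins with a `rad_recv:` line carrying the packet id, and the `rad_recv:` lines, addresses and ids in the sample are constructed.

```python
import re

# Assumed packet delimiter in 2.x debug output (radiusd -X); not shown in the thread.
PACKET = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
# Matches e.g. [ldap] businessCategory -> My-Local-String == "A1000"
MAPPED = re.compile(r"\[ldap\]\s+(\S+) -> (\S+) == ")
# Matches e.g. (Attribute My-Local-String was not found)
MISSING = re.compile(r"\(Attribute (\S+) was not found\)")


def split_packets(lines):
    """Group debug lines by the request packet that produced them."""
    packets = []
    for line in lines:
        line = line.lstrip("> ").rstrip()  # tolerate e-mail quoting
        m = PACKET.match(line)
        if m:
            packets.append({"id": int(m.group(2)), "mapped": set(), "missing": set()})
        elif packets:
            cur = packets[-1]
            cur["mapped"].update(attr for _, attr in MAPPED.findall(line))
            cur["missing"].update(MISSING.findall(line))
    return packets


def cross_packet_misses(packets):
    """Return (attr, mapped_in_id, missing_in_id) when the two packets differ."""
    hits = []
    for i, later in enumerate(packets):
        for attr in sorted(later["missing"] - later["mapped"]):
            for earlier in packets[:i]:
                if attr in earlier["mapped"]:
                    hits.append((attr, earlier["id"], later["id"]))
                    break
    return hits


# Constructed sample: rad_recv lines are made up, the other lines are quoted from the post.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=11, length=180
[ldap] looking for check items in directory...
[ldap] businessCategory -> My-Local-String == "A1000"
[ldap] user uuserton authorized to use remote access
rad_recv: Access-Request packet from host 192.0.2.10 port 32768, id=12, length=210
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
(Attribute My-Local-String was not found) ? Evaluating (My-Local-String == "A1000" ) -> FALSE
+++[reject] returns reject
""".splitlines()

if __name__ == "__main__":
    for attr, seen, lost in cross_packet_misses(split_packets(SAMPLE)):
        print(f"{attr}: mapped by ldap in packet id={seen}, not found in packet id={lost}")
```

An empty result means the attribute was reported missing in the same packet in which the ldap module mapped it, so the cause is something other than the packet boundary.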