How best to map users to domain name for login
yani at ecoco.co.uk
Thu Aug 24 18:53:08 CEST 2017
On 24/08/17 17:23, Alan DeKok wrote:
> On Aug 24, 2017, at 10:24 AM, yani at ecoco.co.uk wrote:
>> radiusd -v
>> radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Jan 17 2017 at 18:49:55
> I would suggest using 3.0.15. It has a lot of fixes over 3.0.4.
>
>> I want to be able to authenticate users to my email service and manage
>> them according to the domain they belong to so fred at domaina.com is not
>> the same as fred at domainb.com. But in both cases the first part is the
>> login user name within the domain.
> That's a pretty common requirement.
Yep
>
>> I have looked at freeradius virtual servers -
> Virtual servers are largely for separating functionality. i.e. WiFi rules in one virtual server, DSL rules in another, and VPN rules in a third virtual server.
>
>> and have considered
>> using FreeRADIUS realms. I don't see how either is actually the way forward - it seems
>> that virtual servers will need a database system creating for every
>> instance (am I actually correct here?)
> No.
Good, I suspected I was wrong, but needed confirmation.
>
>> and that realms are really for
>> forwarding requests to other free radius servers - when all i need at
>> the moment is a single server handling multiple domain based login
>> groups.
> Realms are often used for forwarding, but they don't need to be.
>
>> I understand from the documentation that I can create a local realm
>> like this
>>
>> realm domaina.com {
>> type = radius
>> authhost = LOCAL
>> accthost = LOCAL
>> }
> Yes.
>
>> I suspect I'm on the right track here - but haven't figured out how to
>> create users in the database/system that reflect this
>>
>> Please advise on the most appropriate way of configuring
>> freeradius to achieve logins for multiple internet domains.
> The bigger question is where are the users stored right now? What kind of database contains the name / password for each user? What is the schema used there?
>
> Once you know that, you just configure FreeRADIUS to query the database. It should be about 10 minutes work.
>
> I wouldn't suggest creating users via the default SQL schema. That's largely for ISP functionality, and will likely not work well for you.
>
> For enterprises we just recommend that FreeRADIUS look at the existing enterprise DB.
>
> i.e. you don't mangle your data to make FreeRADIUS happy. That's a lot of work. Instead, you configure 1-2 simple queries in FreeRADIUS, so that it pulls the correct information from your existing database. That's *much* easier.
>
> Alan DeKok.
Thank you for the quick reply. I'm just a newbie with FreeRADIUS,
trying to understand its modus operandi :)
I have come to the conclusion that I will need to modify the schema and
change the way in which the db is queried after seeing the output below
for a test user in the test domain domaina.com.
I'm using a MySQL back end at the moment, and this system is not live -
still in development. (I've wanted to get RADIUS working for years and
only just found the time.)
I suppose it's really only adding a realm field to the
radius.radcheck db and using that in the subsequent queries, something
like:
EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE
username = '%{SQL-User-Name}' and realm = {whatever_realm_is } ORDER BY id
If this is what you mean by mangling the data then I'm still missing
something, i.e. how best to relate users to realms/domains.
Received Access-Request Id 25 from 10.64.4.111:36127 to 10.64.3.44:1812
length 86
User-Name = 'yani at domaina.com'
User-Password = 'poppl'
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
(11) Received Access-Request packet from host 10.64.4.111 port 36127,
id=25, length=86
(11) User-Name = 'yani at domaina.com'
(11) User-Password = 'poppl'
(11) NAS-IP-Address = 127.0.1.1
(11) NAS-Port = 0
(11) Message-Authenticator = 0x552204bba16c70744eb4910adeb44f6f
(11) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(11) authorize {
(11) filter_username filter_username {
(11) if (!&User-Name)
(11) if (!&User-Name) -> FALSE
(11) if (&User-Name =~ / /)
(11) if (&User-Name =~ / /) -> FALSE
(11) if (&User-Name =~ /@.*@/ )
(11) if (&User-Name =~ /@.*@/ ) -> FALSE
(11) if (&User-Name =~ /\\.\\./ )
(11) if (&User-Name =~ /\\.\\./ ) -> FALSE
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(11) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
-> FALSE
(11) if (&User-Name =~ /\\.$/)
(11) if (&User-Name =~ /\\.$/) -> FALSE
(11) if (&User-Name =~ /@\\./)
(11) if (&User-Name =~ /@\\./) -> FALSE
(11) } # filter_username filter_username = notfound
(11) [preprocess] = ok
(11) [chap] = noop
(11) [mschap] = noop
(11) [digest] = noop
(11) suffix : Checking for suffix after "@"
(11) suffix : Looking up realm "domaina.com" for User-Name =
"yani at domaina.com"
(11) suffix : Found realm "domaina.com"
(11) suffix : Adding Stripped-User-Name = "yani"
(11) suffix : Adding Realm = "domaina.com"
(11) suffix : Authentication realm is LOCAL
(11) [suffix] = ok
(11) eap : No EAP-Message, not doing EAP
(11) [eap] = noop
(11) [files] = noop
(11) sql : EXPAND %{User-Name}
(11) sql : --> yani at domaina.com
(11) sql : SQL-User-Name set to 'yani at domaina.com'
rlm_sql (sql): Reserved connection (7)
(11) sql : EXPAND SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(11) sql : --> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'yani at domaina.com' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'yani at domaina.com' ORDER BY id'
(11) sql : User found in radcheck table
(11) sql : Check items matched
(11) sql : EXPAND SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
(11) sql : --> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'yani at domaina.com' ORDER BY id
rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'yani at domaina.com' ORDER BY id'
(11) sql : EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(11) sql : --> SELECT groupname FROM radusergroup WHERE username =
'yani at domaina.com' ORDER BY priority
rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup
WHERE username = 'yani at domaina.com' ORDER BY priority'
(11) sql : User not found in any groups
rlm_sql (sql): Released connection (7)
rlm_sql (sql): 0 of 3 connections in use. Need more spares
rlm_sql (sql): Opening additional connection (8)
rlm_sql_mysql: Starting connect to MySQL server
(11) [sql] = ok
(11) [expiration] = noop
(11) [logintime] = noop
(11) [pap] = updated
(11) } # authorize = updated
(11) Found Auth-Type = PAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11) Auth-Type PAP {
(11) pap : Login attempt with password
(11) pap : User authenticated successfully
(11) [pap] = ok
(11) } # Auth-Type PAP = ok
(11) # Executing section post-auth from file
/etc/raddb/sites-enabled/default
(11) post-auth {
(11) sql : EXPAND .query
(11) sql : --> .query
(11) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (8)
(11) sql : EXPAND %{User-Name}
(11) sql : --> yani at domaina.com
(11) sql : SQL-User-Name set to 'yani at domaina.com'
(11) sql : EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( '%{SQL-User-Name}',
'%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
(11) sql : --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'yani at domaina.com', 'poppl', 'Access-Accept',
'2017-08-24 17:23:57')
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username,
pass, reply, authdate) VALUES ( 'yani at domaina.com', 'poppl',
'Access-Accept', '2017-08-24 17:23:57')'
rlm_sql (sql): Released connection (8)
(11) [sql] = ok
(11) [exec] = noop
(11) remove_reply_message_if_eap remove_reply_message_if_eap {
(11) if (&reply:EAP-Message && &reply:Reply-Message)
(11) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(11) else else {
(11) [noop] = noop
(11) } # else else = noop
(11) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11) } # post-auth = ok
(11) Sending Access-Accept packet to host 10.64.4.111 port 36127, id=25,
length=0
Sending Access-Accept Id 25 from 10.64.3.44:1812 to 10.64.4.111:36127
(11) Finished request
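The debug output above shows what the suffix module already does for a local realm: it splits User-Name at the "@" and adds Stripped-User-Name = "yani" and Realm = "domaina.com", yet the default authorize_check_query still looks up the full User-Name. The following is an added example, not code from the thread, from FreeRADIUS or from either poster: it uses Python's sqlite3 as an offline stand-in for the MySQL backend, assumes one extra `realm` column on radcheck, and shows the realm-aware query template a changed authorize_check_query in queries.conf would expand, keying the lookup on (Stripped-User-Name, Realm) so that fred in domaina.com and fred in domainb.com are distinct rows. The `split_realm` helper only mimics the suffix module for known local realms; the sample rows and the `LOCAL_REALMS` set are constructed.

```python
import sqlite3

# Added example, not from the thread. sqlite3 stands in for the MySQL
# backend so the query design can be run offline. Table and column names
# follow the default FreeRADIUS radcheck schema plus one assumed extra
# column, "realm".

# Query template FreeRADIUS would be given as authorize_check_query in
# queries.conf (assumed change to the default). %{Stripped-User-Name} and
# %{Realm} are the attributes the suffix module adds, as seen in the debug
# output, so the full "user@domain" string is never used as the key.
AUTHORIZE_CHECK_QUERY_TEMPLATE = (
    "SELECT id, username, attribute, value, op FROM radcheck "
    "WHERE username = '%{Stripped-User-Name}' AND realm = '%{Realm}' ORDER BY id"
)

SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL,
    realm     TEXT NOT NULL DEFAULT '',
    attribute TEXT NOT NULL,
    op        TEXT NOT NULL,
    value     TEXT NOT NULL
);
CREATE INDEX radcheck_user_realm ON radcheck (username, realm);
"""

# Constructed sample rows: the same login name exists in two domains.
SAMPLE_ROWS = [
    ("fred", "domaina.com", "Cleartext-Password", ":=", "secret-a"),
    ("fred", "domainb.com", "Cleartext-Password", ":=", "secret-b"),
    ("yani", "domaina.com", "Cleartext-Password", ":=", "poppl"),
]

# Local realms, as they would be declared in proxy.conf with authhost = LOCAL.
LOCAL_REALMS = {"domaina.com", "domainb.com"}


def open_db():
    """Create the in-memory stand-in database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO radcheck (username, realm, attribute, op, value) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def split_realm(user_name):
    """Mimic the suffix module: split User-Name at the last '@' into
    (Stripped-User-Name, Realm). Returns (user_name, None) when there is
    no suffix or the suffix is not a known local realm."""
    if "@" not in user_name:
        return user_name, None
    stripped, realm = user_name.rsplit("@", 1)
    if realm not in LOCAL_REALMS:
        return user_name, None
    return stripped, realm


def check_items(conn, user_name):
    """Run the realm-aware check query for a packet's User-Name and return
    the check items as {attribute: (op, value)}."""
    stripped, realm = split_realm(user_name)
    if realm is None:
        return {}  # unknown realm: nothing to look up locally
    # Parameters are bound here; in FreeRADIUS the sql module escapes the
    # expanded %{...} values inside the template instead.
    rows = conn.execute(
        "SELECT id, username, attribute, value, op FROM radcheck "
        "WHERE username = ? AND realm = ? ORDER BY id",
        (stripped, realm),
    ).fetchall()
    return {attribute: (op, value) for _, _, attribute, value, op in rows}


def expected_password(conn, user_name):
    """Return the Cleartext-Password the server would compare against, or
    None when the (user, realm) pair has no row."""
    items = check_items(conn, user_name)
    if "Cleartext-Password" not in items:
        return None
    return items["Cleartext-Password"][1]


if __name__ == "__main__":
    db = open_db()
    for name in ("fred@domaina.com", "fred@domainb.com",
                 "yani@domaina.com", "fred@other.org"):
        print(name, "->", expected_password(db, name))
```

The same (username, realm) key would be applied to the radreply and radusergroup queries, otherwise reply items and group membership would still collide across domains. One further point visible in the debug output: the default post-auth query writes the submitted password ('poppl') into the radpostauth.pass column in clear text, so dropping that column from postauth_query before the system goes live keeps credentials out of the accounting tables.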