LDAP group authentication

Andrew Meyer andrewm659 at yahoo.com
Wed Jun 28 15:30:33 CEST 2017


For the RadiusControl attributes, are you adding that into your /etc/raddb/mods-available/ldap file?  I'm not seeing that.  Btw, I have this setup using the instructions from the FreeIPA folks.  However I am also trying to get group authentication and not getting it to work.
[Bash] [andrew.meyer at asm-rancid01 ~]$ sudo cat /etc/raddb/users |grep -v "^#" bob - Pastebin.com
    On Wednesday, June 28, 2017 5:24 AM, Bogdan Rudas via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
 

 Hi,

Something like this:

ldap {
        server = 'ldap.int'

        # Bind credentials for the read-only search account.
        identity = 'cn=raidus-ro,ou=users,dc=company,dc=int'
        password = '12345'
        base_dn = 'ou=users,dc=company,dc=int'
        # Site-specific variable (not a built-in rlm_ldap option); the user
        # section below references it as ${..ldapgroup}.
        ldapgroup = 'cn=WiFi,ou=group,dc=company,dc=int'
        sasl {
        }

        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }

        user {
                base_dn = "${..base_dn}"

                # Only users carrying memberOf=<ldapgroup> match this filter;
                # anyone else is "not found" by the module.
                filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"

                sasl {
                }
        }

...... cut here...

On Tue, Jun 27, 2017 at 6:53 PM, Jake L. <jake_homs at yahoo.com> wrote:

> Hi Bogdan,
>    Thank you for the information. This looks like a good method for us as
> well. Are you setting up the 'ldapgroup' inside the group section of the
> ldap module? If so, can you show me the stanza you're using? Thank you!
>
>
> On Tuesday, June 27, 2017 1:20 AM, Bogdan Rudas via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
>
>
> Hi Jake,
>
> We are using *memberOf* in the filter of the "user {  }" section in
> */etc/freeradius/mods-available/ldap*
>
>        user {
>                base_dn = "${..base_dn}"
>
>                filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
>
>                sasl {
>                }
>        }
>
> I suspect FreeIPA has a similar attribute for reverse group membership
> lookups.
>
> On Tue, Jun 27, 2017 at 1:36 AM, Jake L. via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
>
> > Hello - I successfully got our Freeradius server to authenticate against
> > our FreeIPA LDAP environment, allowing user access. Currently, all users in
> > here will be granted successful access. However, I'm having trouble trying
> > to identify what to set up to get only a single group in our FreeIPA
> > environment allowed to authenticate while all other groups are denied. In a
> > nutshell, I want to only allow the "network-team" group authenticated
> > access via the Freeradius server, and any/all other groups to be denied. In
> > my wiki and google searches, I've found reference to "group_authorization",
> > but I can't find that module in the policy.d or mods-available folder.
> > Also, I've seen the reference to huntgroups, but only when queried against
> > SQL, which shouldn't be needed in my case. Can anyone point me in the right
> > direction to get this working?
> > TL;DR = Need info on setting up Freeradius authentication to LDAP only for
> > a specific group, denying all other groups.
> > Thank you! Jake
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
>
>
> --
> Bogdan Rudas
> Director of IT offshore
> Exadel Inc.
> http://www.exadel.com/
> E-mail: brudas at exadel.com
> Skype ID: bogdan.rudas
>
> --
>
>
> CONFIDENTIALITY NOTICE: This email and files attached to it are
> confidential. If you are not the intended recipient you are hereby
> notified
> that using, copying, distributing or taking any action in reliance on the
> contents of this information is strictly prohibited. If you have received
> this email in error please notify the sender and delete this email.
>


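Added example, not from any participant in this thread and not the FreeRADIUS or FreeIPA projects' own configuration: the two ways of restricting authentication to one FreeIPA group, side by side in a FreeRADIUS 3.0.x mods-available/ldap module plus the matching unlang check. Method A is the user-filter approach from the thread, where non-members simply never match and the module returns "notfound". Method B keeps the user lookup unconditional and uses the module's group section so the decision is an explicit reject in the authorize section. The suffix dc=example,dc=com, the IPA containers cn=users,cn=accounts and cn=groups,cn=accounts, the bind account uid=radius-ro,cn=sysaccounts,cn=etc, the CA path /etc/ipa/ca.crt and the group name network-team are all assumptions and have to be replaced with your own values.

```text
#
# Added example (not the thread's or the FreeRADIUS/FreeIPA projects' own
# config).  FreeRADIUS 3.0.x, /etc/raddb/mods-available/ldap.
# ASSUMED values: suffix dc=example,dc=com, containers cn=users,cn=accounts
# and cn=groups,cn=accounts, bind account uid=radius-ro,cn=sysaccounts,cn=etc,
# CA file /etc/ipa/ca.crt, allowed group "network-team".  Replace all of them.
#
ldap {
        # ldaps:// URI form; port 636 is implied by the scheme.
        server = 'ldaps://ipa.example.com'
        identity = 'uid=radius-ro,cn=sysaccounts,cn=etc,dc=example,dc=com'
        password = 'replace-with-a-long-random-secret'
        base_dn = 'cn=accounts,dc=example,dc=com'

        # Site-specific variable, referenced below as ${..allowed_group}.
        allowed_group = 'cn=network-team,cn=groups,cn=accounts,dc=example,dc=com'

        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }

        user {
                base_dn = "cn=users,${..base_dn}"

                # Method A (the thread's approach): a non-member never matches,
                # rlm_ldap returns "notfound", and the request is rejected as
                # long as no other module sets an Auth-Type.  The outer (|...)
                # used in the thread is redundant; one (&...) is enough.
                filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..allowed_group}))"

                # Method B: look every user up and decide in unlang (below).
                #filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "cn=groups,${..base_dn}"
                # FreeIPA user groups carry objectClass groupOfNames.
                filter = '(objectClass=groupOfNames)'
                name_attribute = 'cn'
                # FreeIPA's memberOf plug-in maintains this attribute on the
                # user entry, so membership is read from the user object
                # instead of searching every group.
                membership_attribute = 'memberOf'
                cacheable_name = 'no'
                cacheable_dn = 'no'
        }

        tls {
                start_tls = no
                # Verify the IPA server certificate against the IPA CA (assumed path).
                ca_file = /etc/ipa/ca.crt
                require_cert = 'demand'
        }
}

#
# /etc/raddb/sites-enabled/default, authorize section (Method B).
#
authorize {
        # ... other modules unchanged ...
        ldap
        # LDAP-Group triggers a membership check through the group {} section
        # above; comparing by plain name works because name_attribute = 'cn'.
        if (!(LDAP-Group == "network-team")) {
                update reply {
                        Reply-Message := "Not a member of network-team"
                }
                reject
        }
        # ... other modules unchanged ...
}
```

Use one method or both. Method B rejects explicitly and is easier to audit; with Method A alone the denial only holds as long as no other authorize module (a users-file entry with a cleartext password, for example) supplies a password or Auth-Type for a user the filter excluded. Before testing, confirm the attribute is really populated for a user, e.g. ldapsearch -x -H ldaps://ipa.example.com -D 'uid=radius-ro,cn=sysaccounts,cn=etc,dc=example,dc=com' -W -b 'cn=users,cn=accounts,dc=example,dc=com' '(uid=jake)' memberOf, then run the server with radiusd -X and send one radtest request for a member and one for a non-member; the debug output shows which of the two paths produced the Access-Reject.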