AW: Multiple ldap instances - User Group Membership search not done

[Florian Sus | indevis GmbH]

Hi Alan,

thanks a lot for your fast reply!

Regarding the difference between admin users and customer read-only users I would like to do the following.

Admin user will authenticate with "firstname.lastname"
Customer RO users will authenticate with their e-mail address.

So for admins the realm and delimiter is not given and if I have read correctly I could use realm NULL and authenticate the realm NULL users against first ldap server.
All other users will have a realm which is unknown and should use the DEFAULT realm which I would like to have authenticated against the second ldap server.

I am very new to freeradius so I decided to have a step-by-step approach to the final configuration.
As my next step I would like to have configured two ldap servers (second ldap server can be dummy config for now) to see how I need to handle the configuration (eg. using <instancename>-LDAP-Group in unlang).
I guess to have the final working config I need to use an additional virtual server (one for admin users for realm NULL and the other one for customers realm DEFAULT) and proxy.conf, but that will be in the later steps.

To clarify: By "Then, add a *new* LDAP module" you mean to *append* the config for second ldap server to the file .../mods-available/ldap in the form

ldap ldpa2 {
...
}

And I leave the existing config in the very same file for the first ldap server as it is.
For checking group membership of users from the first ldap server I need to use

if (LDAP-Group == "Groupname") {
...
}

And for checking group memebership of users from second ldap server I need to use

If (ldap2-LDAP-Group == "other-Groupname") {
...
}

Do you need to have one ldap server instance unnamed and the other ones as named ldap servers?

Thanks again and best regards, Florian



-----Ursprüngliche Nachricht-----
Von: Freeradius-Users [mailto:freeradius-users-bounces+florian.sus=indevis.de at lists.freeradius.org] Im Auftrag von Alan DeKok
Gesendet: Mittwoch, 27. Februar 2019 13:49
An: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: Multiple ldap instances - User Group Membership search not done

On Feb 27, 2019, at 5:05 AM, Florian Sus | indevis GmbH <florian.sus at indevis.de> wrote:
> 
> I have a question regarding multiple ldap instances in freeradius and searching users in LDAP-Groups.
> 
> First of all, what do I try to achieve:
> Freeradius has to authenticate and authorize our admin users for our customers network devices.
> It has to perform user authentication with a simple ldap bind authentication and look up the group membership of the user.
> If the password of the user is correct and the user is member of a specific group, access shall be granted.
> I have already achieved a working configuration for the tasks above.

  That's good.

> I recently got a new task to allow also our customers access to their network devices with read-only access.
> The customer users are already configured in another ldap server.
> So I would like to configure two named ldap instances in rlm_ldap.

  No, you should add a *different* named instance of the LDAP module.  Don't break things that work.  Don't rename the existing (and working) LDAP module.

  And how do you tell the difference between the two groups of users?  This is a key question which you've left unresolved.

  What happens if *both* LDAP servers have a user named "bob"?  Which one gets access?

> If I do so, the authentication part for the admin user still works, but freeradius will not search the LDAP for user membership anymore and reject access.
> Please find below the config and debug output of the working 
> configuration with only one ldap server And the modified config with two named ldap instances.

  Don't post config files to the list.  When you join the list, you get an email saying this.

  Your message is typical of a complex process: "I'm not sure what I"m doing, so I did a huge amount of work, and sent a huge description of what I've done".  Most of that effort is unproductive.

  Go back to the *working* configuration.

  Then, add a *new* LDAP module:

ldap ldap2 {
	...
}

  Just adding a new LDAP module won't break anything.

  Then, figure out how to tell the difference between the two sets of users.  This is really the key question that will drive the solution.  Without that answer, it's impossible to advise on a good solution.

  Are the names different?  Do the users log into two different sets of devices?

  i.e. how does it work, and what do you want it to do?

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: florian.sus at indevis.de-certificate-1.pem
Type: application/octet-stream
Size: 2415 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20190227/e88413ab/attachment.obj>