Freeradius3.x with Openldap Authorization
Srijan
srijan.333 at gmail.com
Tue Feb 23 08:34:33 CET 2021
Hello, greetings.

I have some queries related to OpenLDAP authentication and authorization; I followed ldap_howto.rst. I am able to authenticate via LDAP, but authorization is not working according to each user's profile. How can I obtain a user's profile? If I set a default profile then it works, but it replies the same to all users. Here's my ldap config:
ldap {
    server = 'localhost'
    identity = 'cn=adm,dc=xyx,dc=com.'
    base_dn = 'ou=radius,dc=xyz,dc=com'
    update {
        control:Password-With-Header += 'userPassword'
        control:Expiration := 'radiusExpiration'
        control:Calling-Station-Id := 'radiusCallingStationId'
        control:NAS-Identifier := 'radiusNASIdentifier'
        control:Simultaneous-Use := 'radiusSimultaneousUse'
        reply:Reply-Message := 'radiusReplyMessage'
        control:NT-Password := 'ntPassword'
        reply:Idle-Timeout := 'radiusIdleTimeout'
        reply:Session-Timeout := 'radiusSessionTimeout'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        sasl {
        }
    }
    profile {
        filter = '(objectclass=radiusprofile)'
        default = 'uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com'
        attribute = 'radiusProfileDn'
    }
}
Result with the default profile config:

Sent Access-Request Id 188 from 0.0.0.0:60201 to 127.0.0.1:1812 length 77
    User-Name = "user1"
    User-Password = "user123"
    NAS-IP-Address = 10.21.8.10
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "user123"
Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:60201 length 104
    Idle-Timeout = 600
    Session-Timeout = 86400
    Acct-Interim-Interval = 10800
    ERX-Egress-Policy-Name = "20MD"
    ERX-Ingress-Policy-Name = "20MU"
    MS-Primary-DNS-Server = 1.1.1.1
    MS-Secondary-DNS-Server = 9.9.9.9
    Framed-Pool = "staff-pool"
OpenLDAP:

# planx, profiles, radius, xyz.com
dn: uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com
cn: planx
radiusIdleTimeout: 600
radiusSessionTimeout: 86400
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
uid: planx
objectClass: radiusObjectProfile
objectClass: radiusprofile
radiusReplyAttribute: Acct-Interim-Interval := 10800
radiusReplyAttribute: ERX-Egress-Policy-Name := 10MD
radiusReplyAttribute: ERX-Ingress-Policy-Name := 20MU
radiusReplyAttribute: MS-Primary-DNS-Server := 1.1.1.1
radiusReplyAttribute: MS-Secondary-DNS-Server := 9.9.9.9
radiusReplyAttribute: Framed-Pool := staff-pool

# plany, profiles, radius, xyz.com
dn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
cn: plany
objectClass: radiusObjectProfile
objectClass: radiusprofile
objectClass: top
radiusFramedProtocol: PPP
radiusIdleTimeout: 600
radiusServiceType: Framed-User
radiusSessionTimeout: 86400
uid: plany
radiusReplyAttribute: Acct-Interim-Interval := 10800
radiusReplyAttribute: ERX-Egress-Policy-Name := 10MD
radiusReplyAttribute: ERX-Ingress-Policy-Name := 10MU
radiusReplyAttribute: MS-Primary-DNS-Server := 1.1.1.1
radiusReplyAttribute: MS-Secondary-DNS-Server := 9.9.9.9
radiusReplyAttribute: Framed-Pool := default-pool

# users, radius, xyz.com
dn: ou=users,ou=radius,dc=xyz,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=user1,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: planx
uid: user1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile

*Is "radiusGroupName" obsolete in FreeRADIUS 3?*

dn: uid=user2,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: plany
uid: user2
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile
-----
How can I obtain a user's profile? Please suggest.
Regards,
Srijan
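How rlm_ldap's profile section chooses a user's profile under the config above, as an added example that is neither from the post nor FreeRADIUS code: the module applies profile.default to every user and then each DN found in the user entry's profile.attribute (radiusProfileDn), so an entry that carries only radiusGroupName receives nothing beyond the default. The LDIF below is constructed from the post's entries, with user2 given a radiusProfileDn for contrast, and the parser is a simplified stand-in for the live LDAP lookup.

```python
import re
PROFILE_ATTRIBUTE = "radiusProfileDn"                               # profile.attribute in the post
DEFAULT_PROFILE = "uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com"   # profile.default in the post

# Constructed LDIF trimmed from the post: user1 carries only radiusGroupName
# (as posted); user2 is given a radiusProfileDn to show the contrast.
LDIF = """\
dn: uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com
radiusReplyAttribute: Framed-Pool := staff-pool
radiusReplyAttribute: ERX-Ingress-Policy-Name := 20MU

dn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
radiusReplyAttribute: Framed-Pool := default-pool
radiusReplyAttribute: ERX-Ingress-Policy-Name := 10MU

dn: uid=user1,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: planx

dn: uid=user2,ou=users,ou=radius,dc=xyz,dc=com
radiusProfileDn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded, unencoded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries

def profile_chain(entries, user_dn):
    """Default profile first, then each DN in the user's profile attribute; radiusGroupName is ignored."""
    chain = [DEFAULT_PROFILE] if DEFAULT_PROFILE else []
    return chain + entries[user_dn].get(PROFILE_ATTRIBUTE, [])

def reply_attributes(entries, user_dn):
    """Fold each profile's 'Attr := value' lines into the reply; a later profile's ':=' overrides an earlier one's."""
    reply = {}
    for dn in profile_chain(entries, user_dn):
        for item in entries[dn].get("radiusReplyAttribute", []):
            m = re.match(r"^\s*([\w-]+)\s*:=\s*(.+?)\s*$", item)
            if m:
                reply[m.group(1)] = m.group(2)
    return reply
```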