On ti, 12 maalis 2019, Boudjoudad Abdelkader wrote:
> Hi Alexander,
> Thank you for your quick reply and sorry, I am very new with freeradius. I did:
> - Changing in /etc/raddb/sites-enabled/default and /etc/raddb/sites-enabled/inner-tunnel
>   -ldap to:
>   ldap
>   if ((ok || updated) && User-Password) {
>       update {
>           control:Auth-Type := ldap
>       }
>   }
> - /etc/raddb/mods-enabled/ldap
>   ldap {
>       server = 'ldapserver.example.com'
>       # port = 389
>       # password = mypass
>       base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
>   }
So, above you aren't using any credentials to authenticate to the LDAP server. You need to define *some* credentials here that the radius server would use to bind to LDAP before checking what it needs. For a basic explanation see https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html For an example, one can look at https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987 which describes roughly how to make RADIUS authenticate to LDAP with SASL GSSAPI instead of a simple bind. It may be missing something, I just updated Christian's version which is several years old.
>   user {
>       base_dn = "${..base_dn}"
>       filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>       # scope = 'sub'
>       # sort_by = '-uid'
>       # access_attribute = 'dialupAccess'
>       # access_positive = yes
>   }
>   group {
>       base_dn = "${..base_dn}"
>       filter = '(objectClass=posixGroup)'
>       scope = 'sub'
>       name_attribute = cn
>       membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>       membership_attribute = memberOf
>       cacheable_name = 'yes'
>       cacheable_dn = 'yes'
>       # cache_attribute = 'LDAP-Cached-Membership'
>   }
>
> To test the user I did:
> # radtest ttest2 password ldapserver.example.com 1812 secretkey
>
> Thanks,
>
> On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <[email protected]> wrote:
>> On ti, 12 maalis 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
>>> Hi,
>>> I'm trying to check if a user is in a given group name in LDAP but it doesn't
>>> work, here is the configuration:
>>> - vi /etc/raddb/mods-enabled/ldap
>> How do you connect to the LDAP server? You need to use authenticated bind
>> to see member attributes.
>>> ldap {
>>> ...
>>> base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
>>> ...
>>> }
>>> group {
>>>     base_dn = "${..base_dn}"
>>>     filter = '(objectClass=posixGroup)'
>>>     scope = 'sub'
>>>     name_attribute = cn
>>>     membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>>     membership_attribute = memberOf
>>>     cacheable_name = 'yes'
>>>     cacheable_dn = 'yes'
>>>     # cache_attribute = 'LDAP-Cached-Membership'
>>>
>>> The result:
>>> rlm_ldap (ldap): Reserved connection (2)
>>> (0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
>>> (0) Checking for user in group objects
>>> (0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>>> (0) --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
>>> (0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
>>> (0) Waiting for search result...
>>> (0) Search returned no results
>>> (0) Checking user object's memberOf attributes
>>> (0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
>>> (0) Waiting for search result...
>>> (0) No group membership attribute(s) found in user object
>>>
>>> What am I missing?
>>> Thanks,
>>> _______________________________________________
>>> FreeIPA-users mailing list -- [email protected]
>>> To unsubscribe send an email to [email protected]
>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
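As an added example (not from the thread and not Alexander's or the FreeRADIUS project's own file), here is what the `/etc/raddb/mods-enabled/ldap` module looks like with the missing piece Alexander points at: an authenticated bind, done over TLS, using a dedicated low-privilege account instead of the anonymous bind that results when `identity`/`password` are left unset. The host name and the user base DN reuse the thread's values; the bind account DN (`uid=radius,cn=sysaccounts,cn=etc,...`), its password placeholder, the `dc=example,dc=com` suffix and the IPA CA path are assumptions.

```conf
# Added example: FreeRADIUS 3 rlm_ldap configuration for a FreeIPA directory.
# Bind account DN, password and CA path below are assumptions, not values from the thread.
ldap {
    server = 'ldapserver.example.com'
    port = 389                 # plain LDAP port; start_tls below upgrades to TLS before binding

    # Weak setting, as in the thread: identity/password unset, so rlm_ldap binds anonymously.
    # As Alexander notes, member attributes are not visible without an authenticated bind,
    # so both the group search and the memberOf check come back empty.
    # identity = ''
    # password = ''

    # Corrected: bind as a dedicated, unprivileged system account (assumed DN; IPA keeps such
    # accounts under cn=sysaccounts,cn=etc). Keep this file readable by the radiusd user only.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'REPLACE-WITH-BIND-PASSWORD'   # placeholder, never commit a real one

    base_dn = "dc=example,dc=com"

    user {
        base_dn = "cn=users,cn=accounts,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # IPA stores groups under cn=groups,cn=accounts, not under the users container
        base_dn = "cn=groups,cn=accounts,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        # membership_filter is left at the module default
        membership_attribute = memberOf
        cacheable_name = 'yes'
        cacheable_dn = 'yes'
    }

    tls {
        # STARTTLS so the bind password never crosses the wire in clear; verify the IPA CA
        start_tls = yes
        ca_file = /etc/ipa/ca.crt            # assumed path of the FreeIPA CA certificate
        require_cert = 'demand'
    }
}
```

After restarting radiusd, the same `radtest ttest2 password ldapserver.example.com 1812 secretkey` from the thread can be rerun under `radiusd -X`; with a working authenticated bind the "Checking for user in group objects" search returns the group entry instead of "Search returned no results". Using a dedicated system account rather than an admin identity limits what an attacker gains if the RADIUS host or its configuration file is compromised.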
