Hi Alexander, and thank you for the documents. Right, I didn't configure freeradius to use kerberos authentication, but a question please: with the radtest command above the authentication is performed, and if I see Access-Accept, does it mean the password provided in the command matches the password in ldap?
On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <[email protected]> wrote:
> On ti, 12 maalis 2019, Boudjoudad Abdelkader wrote:
> >Hi Alexander,
> >Thank you for your quick reply and sorry, I'm very new with freeradius.
> >I did:
> >- Changing in /etc/raddb/sites-enabled/default and
> >/etc/raddb/sites-enabled/inner-tunnel
> >    -ldap
> >to:
> >    ldap
> >    if ((ok || updated) && User-Password) {
> >        update {
> >            control:Auth-Type := ldap
> >        }
> >    }
> >
> >- /etc/raddb/mods-enabled/ldap
> >ldap {
> >    server = 'ldapserver.example.com'
> >    # port = 389
> >    # password = mypass
> >    base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> >}
> So, above you aren't using any credentials to authenticate to LDAP
> server. You need to define *some* credentials here that radius server
> would use to bind to LDAP before checking what it needs.
>
> For basic explanation see
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
>
> For some example, one can look at
> https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
> which describes roughly how to make RADIUS authenticate to LDAP with
> SASL GSSAPI instead of a simple bind. It may be missing something, I just
> updated Christian's version which is several years old.
>
> >user {
> >    base_dn = "${..base_dn}"
> >    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> >    # scope = 'sub'
> >    # sort_by = '-uid'
> >    # access_attribute = 'dialupAccess'
> >    # access_positive = yes
> >}
> >group {
> >    base_dn = "${..base_dn}"
> >    filter = '(objectClass=posixGroup)'
> >    scope = 'sub'
> >    name_attribute = cn
> >    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >    membership_attribute = memberOf
> >    cacheable_name = 'yes'
> >    cacheable_dn = 'yes'
> >    # cache_attribute = 'LDAP-Cached-Membership'
> >}
> >
> >To test user I did:
> ># radtest ttest2 password ldapserver.example.com 1812 secretkey
> >
> >Thanks,
> >
> >On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <[email protected]> wrote:
> >
> >> On ti, 12 maalis 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >Hi,
> >> >I'm trying to check if a user is in a given group name in LDAP but it
> >> >doesn't work, here is the configuration:
> >> >- vi /etc/raddb/mods-enabled/ldap
> >>
> >> How do you connect to the LDAP server? You need to use authenticated
> >> bind to see member attributes.
> >>
> >> >ldap {
> >> >...
> >> >base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >> >...
> >> >}
> >> >group {
> >> >    base_dn = "${..base_dn}"
> >> >    filter = '(objectClass=posixGroup)'
> >> >    scope = 'sub'
> >> >    name_attribute = cn
> >> >    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >    membership_attribute = memberOf
> >> >    cacheable_name = 'yes'
> >> >    cacheable_dn = 'yes'
> >> >    # cache_attribute = 'LDAP-Cached-Membership'
> >> >}
> >> >
> >> >The result:
> >> >rlm_ldap (ldap): Reserved connection (2)
> >> >(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
> >> >(0) Checking for user in group objects
> >> >(0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> >> >(0)    --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
> >> >(0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
> >> >(0) Waiting for search result...
> >> >(0) Search returned no results
> >> >(0) Checking user object's memberOf attributes
> >> >(0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
> >> >(0) Waiting for search result...
> >> >(0) No group membership attribute(s) found in user object
> >> >
> >> >What am I missing?
> >> >Thanks,
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
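As an added example (not the thread's own configuration, and not from the FreeIPA or FreeRADIUS projects), this is how the ldap module and the authorize section could look against a FreeIPA directory: the module binds with a dedicated system account so member/memberOf are readable, the group search base is cn=groups rather than cn=users, and authorize rejects users outside the group before authentication. The system-account DN, its password, the suffix dc=example,dc=com, the CA path and the group name ipausers are assumed placeholders.

```conf
# --- /etc/raddb/mods-enabled/ldap (added example; DN, password, suffix are placeholders) ---
ldap {
    server = 'ldapserver.example.com'
    # Bind with a dedicated, unprivileged FreeIPA system account: anonymous binds
    # cannot read member/memberOf, which is why the membership lookups above were empty.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'REPLACE_WITH_SYSACCOUNT_PASSWORD'
    base_dn = 'dc=example,dc=com'

    # StartTLS so neither the bind password nor user passwords cross the wire in clear text.
    tls {
        start_tls = yes
        ca_file = /etc/ipa/ca.crt
        require_cert = 'demand'
    }

    user {
        base_dn = "cn=users,cn=accounts,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # IPA group objects live under cn=groups, not cn=users, so the
        # "Checking for user in group objects" search must start here.
        base_dn = "cn=groups,cn=accounts,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = memberOf
        cacheable_name = 'yes'
        cacheable_dn = 'yes'
    }
}

# --- /etc/raddb/sites-enabled/default, authorize section (same change in inner-tunnel) ---
authorize {
    # ... the other default modules (preprocess, chap, mschap, eap, files, ...) stay here
    ldap
    # Only users found in the group (name assumed) may proceed to authentication.
    if (!(LDAP-Group == "ipausers")) {
        reject
    }
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
}
```

With Auth-Type := ldap, rlm_ldap authenticates by binding to the directory as the user's own DN with the supplied User-Password, so an Access-Accept from radtest means that bind (and any group check placed before it) succeeded.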
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
