Thanks for the quick reply. I followed these steps <https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987> but it seems that it's missing some steps. After moving the certs to certs.back and creating a new certificate:
- should the private key and certificate files be copied into the newly created certs directory, or
- should the path in /etc/raddb/mods-enabled/eap be changed for each file?
On Wed, Mar 13, 2019 at 11:38 AM Alexander Bokovoy <[email protected]> wrote:
> On Wed, 13 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >Hi Alexander and thank you for the documents,
> >
> >Right, I didn't configure freeradius to use kerberos authentication, but
> >a question please: with the radtest command above the authentication is
> >performed and if I see Access-Accept, does it mean the password provided
> >in the command matches the password in ldap?
> Perhaps it matches the password but your problem (as I understood) was
> that you weren't able to pull the group membership out of LDAP. These
> are two different steps -- RADIUS server ldap plugin uses user's
> password for authentication but it should also use own credentials to
> bind to ldap for authorization step.
> >
> >On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <[email protected]>
> >wrote:
> >
> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader wrote:
> >> >Hi Alexander,
> >> >Thank you for your quick reply and sorry, I'm very new with freeradius.
> >> >I did:
> >> >- Changing in /etc/raddb/sites-enabled/default and
> >> >/etc/raddb/sites-enabled/inner-tunnel
> >> > -ldap
> >> >to:
> >> > ldap
> >> > if ((ok || updated) && User-Password) {
> >> >   update {
> >> >     control:Auth-Type := ldap
> >> >   }
> >> > }
> >> >
> >> >- /etc/raddb/mods-enabled/ldap
> >> >ldap {
> >> >  server = 'ldapserver.example.com'
> >> >  # port = 389
> >> >  # password = mypass
> >> >  base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> >> >}
> >> So, above you aren't using any credentials to authenticate to LDAP
> >> server. You need to define *some* credentials here that radius server
> >> would use to bind to LDAP before checking what it needs.
> >>
> >> For basic explanation see
> >> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
> >>
> >> For some example, one can look at
> >> https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
> >> which describes roughly how to make RADIUS authenticate to LDAP with
> >> SASL GSSAPI instead of a simple bind. It may be missing something, I
> >> just updated Christian's version which is several years old.
> >>
> >> >
> >> >user {
> >> >  base_dn = "${..base_dn}"
> >> >  filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> >> >  # scope = 'sub'
> >> >  # sort_by = '-uid'
> >> >  # access_attribute = 'dialupAccess'
> >> >  # access_positive = yes
> >> >}
> >> >group {
> >> >  base_dn = "${..base_dn}"
> >> >  filter = '(objectClass=posixGroup)'
> >> >  scope = 'sub'
> >> >  name_attribute = cn
> >> >  membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >  membership_attribute = memberOf
> >> >  cacheable_name = 'yes'
> >> >  cacheable_dn = 'yes'
> >> >  # cache_attribute = 'LDAP-Cached-Membership'
> >> >}
> >> >
> >> >To test the user I did:
> >> ># radtest ttest2 password ldapserver.example.com 1812 secretkey
> >> >
> >> >Thanks,
> >> >
> >> >On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <[email protected]>
> >> >wrote:
> >> >
> >> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >> >Hi,
> >> >> >I'm trying to check if a user is in a given group name in LDAP but it
> >> >> >doesn't work, here is the configuration:
> >> >> >- vi /etc/raddb/mods-enabled/ldap
> >> >>
> >> >> How do you connect to the LDAP server? You need to use authenticated
> >> >> bind to see member attributes.
> >> >>
> >> >> >ldap {
> >> >> >...
> >> >> >base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >> >> >...
> >> >> >}
> >> >> >group {
> >> >> >  base_dn = "${..base_dn}"
> >> >> >  filter = '(objectClass=posixGroup)'
> >> >> >  scope = 'sub'
> >> >> >  name_attribute = cn
> >> >> >  membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >> >  membership_attribute = memberOf
> >> >> >  cacheable_name = 'yes'
> >> >> >  cacheable_dn = 'yes'
> >> >> >  # cache_attribute = 'LDAP-Cached-Membership'
> >> >> >}
> >> >> >
> >> >> >The result:
> >> >> >rlm_ldap (ldap): Reserved connection (2)
> >> >> >(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
> >> >> >(0) Checking for user in group objects
> >> >> >(0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> >> >> >(0)    --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
> >> >> >(0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
> >> >> >(0) Waiting for search result...
> >> >> >(0) Search returned no results
> >> >> >(0) Checking user object's memberOf attributes
> >> >> >(0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
> >> >> >(0) Waiting for search result...
> >> >> >(0) No group membership attribute(s) found in user object
> >> >> >
> >> >> >What am I missing?
> >> >> >Thanks,
> >> >>
> >> >> --
> >> >> / Alexander Bokovoy
> >> >> Sr. Principal Software Engineer
> >> >> Security / Identity Management Engineering
> >> >> Red Hat Limited, Finland
> >> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
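The fix Alexander describes, a separate set of bind credentials for the authorization step, as an added example that is not part of the thread or of the linked gist: the module as posted in the thread beside a version that binds with a dedicated account. The system-account DN, the groups container and the CA path are assumptions about a standard FreeIPA layout.

```conf
# Added example, not from the thread. Assumed FreeIPA layout:
# a system account uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com,
# groups under cn=groups,cn=accounts, and the IPA CA at /etc/ipa/ca.crt.

# --- As posted: no identity/password, so the authorization search
# --- runs as an anonymous bind and member/memberOf stay hidden; the
# --- group base_dn also points at the users container.
# ldap {
#     server  = 'ldapserver.example.com'
#     base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
#     group { base_dn = "${..base_dn}" }
# }

# --- Corrected: the module binds with its own account for the
# --- authorization search; the user's password is still used only to
# --- bind as the user's own DN during authentication.
ldap {
    server   = 'ldapserver.example.com'
    port     = 389
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'REPLACE-WITH-SYSTEM-ACCOUNT-PASSWORD'   # placeholder
    base_dn  = 'dc=example,dc=com'

    # The gist linked in the thread uses SASL GSSAPI with a keytab
    # instead of identity/password; either way, never bind anonymously.
    # Require STARTTLS and verify the IPA CA so the simple bind is
    # not sent in clear text.
    tls {
        start_tls    = yes
        ca_file      = /etc/ipa/ca.crt
        require_cert = 'demand'
    }

    user {
        base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn              = 'cn=groups,cn=accounts,dc=example,dc=com'
        filter               = '(objectClass=posixGroup)'
        scope                = 'sub'
        name_attribute       = cn
        membership_filter    = "(member=%{control:Ldap-UserDn})"
        membership_attribute = memberOf
        cacheable_name       = 'yes'
        cacheable_dn         = 'yes'
    }
}
```

Run `radiusd -X` and repeat the radtest from the thread; the group search should no longer end in `Search returned no results`.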
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
