Hello,

This is kind of a long email, but I wanted to give all the information that I think
YOU(tm) will need.  Unfortunately I'm on a sort of time-crunch to get this up and
running, so I will try and get as much information in per message as possible.  I
imagine I'll probably get the solution in a 1-line reply (put the line:
use-groups = yes into your config and it should be good. ;)

Some background info:
We currently are and have been running cistron radius using local
system authentication.  Local system authentication in turn goes
through nss_ldap to reach our ldap servers.  I am now attempting
to upgrade to freeradius in order to use native ldap capabilities.

Our current configuration (both radius and accounting software) relies
upon groups.  For example:

(old cistron style)
DEFAULT Auth-Type = Reject, Group = "deletepending"
DEFAULT Auth-Type = Reject, Group = "emailonly"
DEFAULT Auth-Type = System, Group = "multilink", Simultaneous-Use = 2
        Port-Limit = 2,
        Idle-Timeout = 1800

(newer freeradius style)
DEFAULT Group == "deletepending", Auth-Type := Reject



I am having trouble configuring freeradius' rlm_ldap module to check for
groups.  It does however bind correctly to the ldap server for user
authentication.  Down below I detailed my thought process in setting this up, as 
well as provided some logs.  So far I have read the docs on freeradius.org, and 
the freeradius-users & freeradius-devel mailing lists (since Aug '99, anything 
with ldap in the subject).  Most information on the list revolves around defining 
the check & reply attributes IN ldap as opposed to the users file.  This is fine, 
and something we may switch over to at some point.  However, all of our existing 
software relies upon membership in groups, and switching that would be too big 
of a task at this time.  The upgrade in freeradius will be one of the first steps 
along this route.

Please read the following info and see if you can spot what I'm doing wrong.  
The configuration looked fairly simple, but I'm obviously missing some crucial 
element.


Version Info:
radiusd: FreeRADIUS Version 0.5, for host i686-pc-linux-gnu, built on May  2 2002 at 10:28:59


Here is my ldap configuration section:
        ldap {
                server = "localhost"
                basedn = "dc=domain,dc=dom"
                filter = "(uid=%u)"
                start_tls = no
                ldap_connections_number = 5
                password_attribute = userPassword
                groupname_attribute = cn
                groupmembership_filter = (&(objectclass=posixgroup)(memberuid=%u))
                timeout = 4
                timelimit = 3
                net_timeout = 1
        }


docs/rlm_ldap provides this query:
#       default: 
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))

Broken down, this is:
(objectClass=GroupOfNames) AND (member=%{Ldap-UserDn})
 -or-
(objectClass=GroupOfUniqueNames) AND (uniquemember=%{Ldap-UserDn})

This query seems to be for a directory with two types of groups
and group members.  As our org uses one type, I'm dropping one of
the AND conjunctions along with the corresponding OR disjunction.

Our directory does not have either of those objectclasses; we use
objectclass=posixGroup to identify group objects.  Also, instead of
uniquemember, we use memberuid.  The memberuid doesn't point to the
distinguished name of the uid, just the short uid.  So I should want:

(objectclass=posixGroup) AND (memberuid=%u)

Here's an ldif version:

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller


Here are some queries performed to show you things working:

# testjth01
# multilink

# This query is what I think freeradius actually wants, in accordance
# with the docs.
[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))' cn
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


# testjth01 - search without specifying cn.
# multilink

[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth01))'
cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink
userpassword={crypt}x
description=Members have the Port-Limit and Simultaneous-Use RADIUS parameter set to 2
gidnumber=1025
objectclass=top
objectclass=posixGroup
memberuid=jhogenmiller
...
memberuid=testjth01


# testjth02
# multilink, deletepending: deny access

[john@server john]$ ldapsearch -b dc=domain,dc=dom '(&(objectclass=posixgroup)(memberuid=testjth02))' cn
cn=deletepending,ou=Group,dc=domain,dc=dom
cn=deletepending

cn=multilink,ou=Group,dc=domain,dc=dom
cn=multilink


=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ok, with all the ldap stuff out of the way, here's what radius does:


(one thing I noticed after some research was that this doesn't look like the logs 
in: http://lists.cistron.nl/archives/freeradius-devel/2000/11/msg00265.html where 
a search is done on the group cn=radiususer)

[root@servername raddb]# radtest testjth01 password servername 0 nas41v29
Sending Access-Request of id 251 to 127.0.0.1:1812
        User-Name = "testjth01"
        User-Password = "\271\r\377\021\013\306\271qi\314#\206\326\332\333"
        NAS-IP-Address = servername.domain.dom
        NAS-Port-Id = "0"
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=251, length=20

Server:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:2048, id=251, length=58
        User-Name = "testjth01"
        User-Password = "\271\r\377\021\013\306\271qi\314#\206\326\332\333"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "0"
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testjth01
radius_xlat:  '(uid=testjth01)'
radius_xlat:  'dc=domain,dc=dom'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as /
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in dc=domain,dc=dom, with filter (uid=testjth01)
rlm_ldap: Added password {crypt}$1$15.28525$mnsKQ3mUEV9MuZ70E7zra1 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testjth01 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testjth01" with password "testtest"
rlm_ldap: user DN: uid=testjth01,ou=people,dc=domain,dc=dom
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testjth01,ou=people,dc=domain,dc=dom/password
rlm_ldap: waiting for bind result ...
rlm_ldap: user testjth01 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 251 to 127.0.0.1:2048
Finished request 0

------------------------------------------
And here is one that should get denied for being a member
of deletepending

[root@servername raddb]# radtest testjth02 password servername 0 nas41v29
Sending Access-Request of id 1 to 127.0.0.1:1812
        User-Name = "testjth02"
        User-Password = "D\373\334=\266L\2772^\321\243\331\026)*\006"
        NAS-IP-Address = servername.domain.dom
        NAS-Port-Id = "0"
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=1, length=20

------------
  Server Logs
------------
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:2049, id=1, length=58
        User-Name = "testjth02"
        User-Password = "D\373\334=\266L\2772^\321\243\331\026)*\006"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "0"
modcall: entering group authorize
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testjth02
radius_xlat:  '(uid=testjth02)'
radius_xlat:  'dc=domain,dc=dom'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=dom, with filter (uid=testjth02)
rlm_ldap: Added password {crypt}$1$47.97645$11g49TqDNOYEoJp0sx5FO/ in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user testjth02 authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type LDAP
auth: type "Ldap"
modcall: entering group authenticate
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testjth02" with password "password"
rlm_ldap: user DN: uid=testjth02,ou=people,dc=domain,dc=dom
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=testjth02,ou=people,dc=domain,dc=dom/password
rlm_ldap: waiting for bind result ...
rlm_ldap: user testjth02 authenticated succesfully
  modcall[authenticate]: module "ldap" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 1 to 127.0.0.1:2049
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 1 with timestamp 3cd6c4ee
Nothing to do.  Sleeping until we see a request.


John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
1(877)897-4883 x 592
---
Wouldn't the sentence "I want to put a hyphen between the words Fish
and And and And and Chips in my Fish-And-Chips sign" have been clearer if
quotation marks had been placed before Fish, and between Fish and and, and
and and And, and And and and, and and and And, and And and and, and and 
and Chips, as well as after Chips?

----- End forwarded message -----
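Added example, not from the post and not FreeRADIUS code: a small Python evaluator that expands the two groupmembership_filter templates quoted in the message (the docs' default using %{Ldap-UserDn}, and the posixGroup/memberuid one using %u) against a constructed copy of the group entries shown in the ldapsearch output, then applies the users-file group policy (deletepending and emailonly rejected, multilink gets the port limits). It separates the two questions the server logs leave open: does the filter match anything in a posixGroup directory at all, and does the policy actually consume the result. The directory contents are constructed from the post (testjth02 is in both multilink and deletepending, as the third ldapsearch shows; the gidnumber for deletepending is made up), and the decide() function stands in for the users file rather than modelling rlm_ldap's real behaviour.

```python
# Added example (not the poster's code, not rlm_ldap): evaluate rlm_ldap-style
# groupmembership_filter templates against a constructed posixGroup directory
# and apply the users-file group policy described in the message.

# Constructed directory. The two group entries mirror the ldapsearch output in
# the post; the user entries are inferred from the "user DN:" log lines.
# The gidnumber for deletepending is made up.
DIRECTORY = [
    {"dn": "cn=multilink,ou=Group,dc=domain,dc=dom",
     "cn": ["multilink"],
     "objectclass": ["top", "posixGroup"],
     "gidnumber": ["1025"],
     "memberuid": ["jhogenmiller", "testjth01", "testjth02"]},
    {"dn": "cn=deletepending,ou=Group,dc=domain,dc=dom",
     "cn": ["deletepending"],
     "objectclass": ["top", "posixGroup"],
     "gidnumber": ["1026"],
     "memberuid": ["testjth02"]},
    {"dn": "uid=testjth01,ou=people,dc=domain,dc=dom",
     "uid": ["testjth01"], "objectclass": ["top", "posixAccount"]},
    {"dn": "uid=testjth02,ou=people,dc=domain,dc=dom",
     "uid": ["testjth02"], "objectclass": ["top", "posixAccount"]},
]

# The two filter templates quoted in the message.
POSIX_FILTER = "(&(objectclass=posixgroup)(memberuid=%u))"
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# Groups the users file rejects, and the items the multilink entry adds.
REJECT_GROUPS = ("deletepending", "emailonly")
MULTILINK_ITEMS = {"Simultaneous-Use": 2, "Port-Limit": 2, "Idle-Timeout": 1800}


def expand(template, username, user_dn):
    """Substitute the two xlat tokens these filters use."""
    return template.replace("%{Ldap-UserDn}", user_dn).replace("%u", username)


def parse_filter(text):
    """Recursive-descent parser for the RFC 4515 subset these filters use:
    (&...), (|...) and (attr=value). Attribute names are case-insensitive."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            if pos >= len(text) or text[pos] != ")":
                raise ValueError("unterminated '%s' at offset %d" % (op, pos))
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # values used here contain no ')'
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality matches are supported")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values)."""
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def user_dn(username):
    """DN of the user entry, as rlm_ldap would have it from the (uid=%u) search."""
    for entry in DIRECTORY:
        if username in entry.get("uid", []):
            return entry["dn"]
    return ""


def groups_for(username, template):
    """What a group search with this template returns: the cn of every entry
    matching the expanded filter (an empty list means no membership found)."""
    tree = parse_filter(expand(template, username, user_dn(username)))
    return sorted(e["cn"][0] for e in DIRECTORY if "cn" in e and matches(tree, e))


def decide(username, template=POSIX_FILTER):
    """Stand-in for the users-file policy: members of a reject group are refused,
    multilink members get the port limits, everyone else gets a bare accept."""
    groups = groups_for(username, template)
    if any(g in groups for g in REJECT_GROUPS):
        return ("Reject", {})
    if "multilink" in groups:
        return ("Accept", dict(MULTILINK_ITEMS))
    return ("Accept", {})


if __name__ == "__main__":
    for user in ("testjth01", "testjth02"):
        print(user, "default filter  ->", groups_for(user, DEFAULT_FILTER))
        print(user, "posixGroup filter ->", groups_for(user, POSIX_FILTER), decide(user))
```

With the docs' default filter the group list comes back empty for both users, because the directory has no GroupOfNames entries and memberuid holds a short uid, not a DN; the policy then sees no reject group and accepts testjth02, which is the same silent fail-open the server logs show. Only the posixGroup filter returns deletepending for testjth02 and lets the Reject rule fire.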


