On Sat, 16 Nov 2002 [EMAIL PROTECTED] wrote:
>
>
> Hello,
> I would like to grant access to network devices based upon group membership.
>I'm not sure what I am doing wrong. If anyone might have any ideas or could point me
>to an example that would be great.
>
> The devices are Cisco, the directory server is LDAP v2. the AA server is
>FreeRADIUS v0.7.1. Almost out of the box settings allows anyone with an account on
>the LDAP server under People to log into the devices:
>
> radiusd.conf-
>
> ldap {
> server = "checkin.fqdn.com"
> basedn = "dc=fqdn,dc=com"
> filter = "(uid=%u)"
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
> On the LDAP the username used for testing:
>
>
> dn: uid=cisco,ou=People, dc=fqdn,dc=com
> mail: [EMAIL PROTECTED]
> uid: cisco
> givenName: cisco
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> objectClass: inetUser
> objectClass: inetSubscriber
> objectClass: ipUser
> objectClass: nsManagedPerson
> sn: router
> cn: cisco
> userPassword: {SSHA}<DELETED>==
> createtimestamp: 20021116160608Z
> modifytimestamp: 20021116160608Z
> parentid: 4
> entryid: 20
> entrydn: uid=cisco,ou=people,dc=fqdn,dc=com
> subschemasubentry: cn=schema
>
> I don't want to allow all users access to log onto the network devices so I create
>a group on the LDAP server, adding the usernames I'd like to permit access to:
>
>
> dn: cn=NOC,ou=Groups, dc=fqdn,dc=com
> objectClass: top
> objectClass: groupofuniquenames
> createtimestamp: 20021116161756Z
> modifytimestamp: 20021116161847Z
> parentid: 3
> entryid: 25
> entrydn: cn=noc,ou=groups,dc=fqdn,dc=com
> cn: NOC
> description: router admins
> uniqueMember: uid=cisco,ou=People, dc=fqdn,dc=com
> uniqueMember: uid=greg,ou=People, dc=fqdn,dc=com
> subschemasubentry: cn=schema
>
>
> Now I change the radiusd.conf file to:
>
> ldap {
> server = "checkin.fqdn.com"
> basedn = "cn=noc,ou=groups, dc=fqdn,dc=com"
> # filter = "(uid=%u,ou=People,dc=fqdn,dc=com)"
> filter = "(uid=%u)"
> # filter = "(uniquemember:uid=%u,ou=People,dc=fqdn,dc=com)"
> # access_group = "cn=noc,ou=groups,dc=fqdn,dc=com"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
Don't change your basedn, leave it as it is. Rather, enable the access_group
directive. Also, please read doc/rlm_ldap, it should be quite helpful.
>
> Here is how it fails with the above config:
>
>
> auth: type "LDAP"
> modcall: entering group authtype
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "cisco" with password "deleted"
> radius_xlat: '(uid=cisco)'
> radius_xlat: 'cn=noc,ou=groups, dc=fqdn,dc=com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to checkin.fqdn.com:389, authentication 0
> rlm_ldap: setting TLS mode to 4
> rlm_ldap: bind as / to checkin.fqdn.com:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in cn=noc,ou=groups, dc=fqdn,dc=com, with filter
>(uid=cisco)
> rlm_ldap: object not found or got ambiguous search result
> ldap_release_conn: Release Id: 0
> modcall[authenticate]: module "ldap" returns notfound
> modcall: group authtype returns notfound
> auth: Failed to validate the user.
> Login incorrect (rlm_ldap: User not found): [cisco/deleted] (from client firewall
>port 66 cli 216.138.246.211)
>
>
>
> What would I have to do to allow access to the users listed in the NOC group?
>
>
> thx,
> g
>
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
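The following is an added illustration, not code from this thread, from FreeRADIUS or from rlm_ldap: a small in-memory model of the lookup order the reply relies on. It reproduces the two entries quoted above (the user "cisco" and the group "NOC"), adds a hypothetical user "bob" who is not a group member, and implements a minimal LDAP filter parser so that both the poster's second configuration and the reply's advice (keep basedn, enable access_group) can be evaluated side by side. The access_group step is modelled as a base-scoped search of the group entry with the expanded groupmembership_filter; that is an assumption about the module's behaviour, not a transcript of its code. The point it makes: with basedn moved to the group entry, the user search itself fails ("object not found"), so no group check ever happens; with basedn left at the directory root, every user is found, and it is the access_group check that separates members from non-members.

```python
# Added example (not from the thread, FreeRADIUS or rlm_ldap): in-memory model of the
# rlm_ldap lookup order.  Directory entries are constructed from the thread; "bob" is a
# hypothetical non-member added to show the reject path.

def norm_dn(dn):
    """Case-insensitive DN with no whitespace after commas (the thread mixes
    'ou=People, dc=' and 'ou=people,dc=' spellings of the same DN)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

DIRECTORY = {  # constructed; operational attributes and passwords omitted
    norm_dn("uid=cisco,ou=People, dc=fqdn,dc=com"): {
        "objectclass": ["top", "person", "inetorgperson"], "uid": ["cisco"], "sn": ["router"]},
    norm_dn("uid=greg,ou=People, dc=fqdn,dc=com"): {
        "objectclass": ["top", "person", "inetorgperson"], "uid": ["greg"]},
    norm_dn("uid=bob,ou=People, dc=fqdn,dc=com"): {   # hypothetical, not in NOC
        "objectclass": ["top", "person", "inetorgperson"], "uid": ["bob"]},
    norm_dn("cn=NOC,ou=Groups, dc=fqdn,dc=com"): {
        "objectclass": ["top", "groupofuniquenames"], "cn": ["NOC"],
        "uniquemember": ["uid=cisco,ou=People, dc=fqdn,dc=com",
                         "uid=greg,ou=People, dc=fqdn,dc=com"]},
}
DN_VALUED = {"member", "uniquemember"}   # compared as DNs, not as raw strings

def parse_filter(text):
    """Parse the filter subset used in the thread: (attr=value), (&...), (|...)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")   # value may itself contain '='
        if not sep:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.lower(), value)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return tree

def matches(tree, entry):
    if tree[0] == "&":
        return all(matches(c, entry) for c in tree[1])
    if tree[0] == "|":
        return any(matches(c, entry) for c in tree[1])
    _, attr, value = tree
    values = entry.get(attr, [])
    if attr in DN_VALUED:
        return norm_dn(value) in {norm_dn(v) for v in values}
    return value.lower() in {v.lower() for v in values}

def search(basedn, filter_text, subtree=True):
    """Subtree (or base-only) search; returns the normalised DNs that match."""
    base = norm_dn(basedn)
    tree = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base or (subtree and dn.endswith("," + base))) and matches(tree, entry)]

def authorize(config, username):
    """Locate the user under basedn with `filter`; then, if access_group is set,
    require the group entry to match the expanded groupmembership_filter
    (modelling assumption).  Returns 'notfound', 'reject' or 'ok'."""
    hits = search(config["basedn"], config["filter"].replace("%u", username))
    if len(hits) != 1:
        return "notfound"      # log line: "object not found or got ambiguous search result"
    user_dn = hits[0]          # what the module exposes as %{Ldap-UserDn}
    if config.get("access_group"):
        gfilter = config["groupmembership_filter"].replace("%{Ldap-UserDn}", user_dn)
        if not search(config["access_group"], gfilter, subtree=False):
            return "reject"
    return "ok"

GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
# The poster's second radiusd.conf: basedn pointed at the group entry.
BROKEN = {"basedn": "cn=noc,ou=groups, dc=fqdn,dc=com", "filter": "(uid=%u)",
          "groupmembership_filter": GROUP_FILTER}
# The reply's advice: basedn unchanged, access_group enabled.
FIXED = {"basedn": "dc=fqdn,dc=com", "filter": "(uid=%u)",
         "access_group": "cn=noc,ou=groups,dc=fqdn,dc=com",
         "groupmembership_filter": GROUP_FILTER}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        for user in ("cisco", "greg", "bob", "nobody"):
            print(name, user, authorize(cfg, user))
```

Running it shows "broken cisco notfound" (the same outcome as the debug output above, because the only entry under the group DN is the group itself, which has no uid attribute) and, for the fixed configuration, "ok" for cisco and greg, "reject" for bob and "notfound" for an unknown user. One thing worth checking on a real server before relying on the group check: the debug output above shows the module binding with an empty identity ("bind as / to checkin.fqdn.com:389"), so the anonymous bind must be allowed to read both the People and Groups subtrees, including the uniqueMember attribute, or the group search silently returns nothing and every user is rejected.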