Hello,
I have an LDAP directory server, with users and groups stored in domain component
trees. For authentication credentials, I'm having users supply their email
address and using the domain to determine the realm. In my "users" file, I
have a bunch of DEFAULT entries that use the realm to set Autz-Type and
Auth-Type. In radiusd.conf, I have multiple ldap modules defined and the
respective Autz-Type and Auth-Type entries that point to them, based on the
domain name. This is basically the scenario that is described in doc/Autz-Type
and it works just fine.
However, in addition to the user existing, I also want to throw a check in to
verify that they have membership in a particular group. So I've added a
Ldap-Group item to each item in the "users" file that specifies the DN of the
group I want to enforce membership in. However, I can't seem to hit upon the
proper syntax to do this. So what syntax do you use to enforce LDAP group
membership for a given realm?
Using the Autz-Type example as a base might make it clearer than my description
above. The basedn isn't really what I'm using, but sed
s/customer1/dc=example1,dc=com/ and s/customer2/dc=example2,dc=com/ and you
have something close:
radiusd.conf-----------------
modules {
    ldap ldap1 {
        ...
        basedn = "customer1"
    }
    ldap ldap2 {
        ...
        basedn = "customer2"
    }
}
authenticate {
    Auth-Type customer1 {
        ldap1
    }
    Auth-Type customer2 {
        ldap2
    }
}
authorize {
    preprocess
    suffix
    Autz-Type customer1 {
        ldap1
    }
    Autz-Type customer2 {
        ldap2
    }
    files
}
-----------------------------
users file-------------------
DEFAULT Realm == "customer1", Autz-Type := customer1, Auth-Type := customer1
DEFAULT Realm == "customer2", Autz-Type := customer2, Auth-Type := customer2
-----------------------------
What I'd like to do is something like:
DEFAULT Realm == "customer1", Ldap-Group == "cn=groupname,ou=Groups,dc=example1,dc=com", Autz-Type := customer1, Auth-Type := customer1
DEFAULT Realm == "customer2", Ldap-Group == "cn=groupname,ou=Groups,dc=example2,dc=com", Autz-Type := customer2, Auth-Type := customer2
However, with that syntax, I'm finding that everything falls through to the last
line where I define a realm and tries to enforce membership in that group,
which always fails. My understanding was that Fall-Through defaulted to No, so
that if the first realm was matched, a group membership lookup would occur for
that realm; if that succeeded, then Autz-Type and Auth-Type would be set and the
whole process would move on.
But, in reading the thread recently, entitled "multiple module lookups when only
one should be used", I'm wondering if my understanding of how this actually
occurs is wrong.
I swear I had this working the way I expected it to in 0.9.0 but I've been
running 0.9.3 since early December and it apparently hasn't been working since
at least then. I vaguely remember tweaking one of the rlm_ldap.c filters in
0.9.0 but of course, I can't find whatever patch I wrote for it and there
definitely is very little difference between rlm_ldap.c in 0.9.0 and 0.9.3.
But maybe some other behaviour changed somewhere along the line as well.
Any thoughts?
Thanks,
Kevin
--
Kevin M. Myer
Systems Administrator
Lancaster-Lebanon Intermediate Unit 13
(717) 560-6140
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
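To make the users-file walk concrete, here is an added Python model (not FreeRADIUS code, and not from the post above) of how the `files` module tries DEFAULT entries in order: an entry whose check items fail is skipped and the walk continues, while Fall-Through only decides whether matching goes on after an entry has matched. The directory is a constructed in-memory stand-in for rlm_ldap's Ldap-Group comparison, keyed on the request's User-Name (an assumption); the group DNs and control items are the ones from the post.

```python
from dataclasses import dataclass

# Constructed stand-in for the two directories: group DN -> set of member User-Names.
GROUP_MEMBERS = {
    "cn=groupname,ou=Groups,dc=example1,dc=com": {"alice@example1.com"},
    "cn=groupname,ou=Groups,dc=example2,dc=com": {"bob@example2.com"},
}

@dataclass
class Entry:
    check: dict                 # check items, e.g. {"Realm": "customer1", "Ldap-Group": "<dn>"}
    control: dict               # items assigned with := when the entry matches
    fall_through: bool = False  # the entry's Fall-Through reply item (defaults to No)

def ldap_group_check(request, group_dn):
    """Stand-in for rlm_ldap's Ldap-Group comparison (assumption: keyed on User-Name)."""
    return request.get("User-Name") in GROUP_MEMBERS.get(group_dn, set())

def entry_matches(entry, request):
    """Every check item must hold; Ldap-Group is answered by the directory stand-in."""
    for attr, value in entry.check.items():
        if attr == "Ldap-Group":
            if not ldap_group_check(request, value):
                return False
        elif request.get(attr) != value:
            return False
    return True

def authorize(entries, request):
    """Walk the entries top to bottom. A non-matching entry is skipped; Fall-Through
    only matters after a match. Returns (control items set, indexes that matched)."""
    control, matched = {}, []
    for index, entry in enumerate(entries):
        if not entry_matches(entry, request):
            continue
        control.update(entry.control)
        matched.append(index)
        if not entry.fall_through:
            break
    return control, matched

# The two DEFAULT lines from the post, with the group DNs as check items.
USERS = [
    Entry({"Realm": "customer1", "Ldap-Group": "cn=groupname,ou=Groups,dc=example1,dc=com"},
          {"Autz-Type": "customer1", "Auth-Type": "customer1"}),
    Entry({"Realm": "customer2", "Ldap-Group": "cn=groupname,ou=Groups,dc=example2,dc=com"},
          {"Autz-Type": "customer2", "Auth-Type": "customer2"}),
]
```

A user who fails the first realm's group check matches no entry at all, so no Auth-Type is set and the request is rejected for lack of one, rather than the second realm's entry being consulted for that user.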