On Wed, 3 Mar 2004, Tre Johnston wrote:
> I am having problems with radius grabbing the group memberUid attribute from
> ldap and deny initial access to routers users based on the group they are in.
> Below is a copy of the ldap configuration I have in my radiusd.conf file,
> also I have enabled ldap in the auth section. Any help would be gladly
> appreciated.
As it is clearly described in doc/rlm_ldap you need to *do* some kind of group
checking somewhere (like the users file). In the rlm_ldap condifuration you just
configure the ldap group lookup, *not* the ldap group checks.
>
> ldap {
> server = (Hidden to protect the innocent)
> identity = (Hidden to protect the innocent)
> password =(Hidden to protect the innocent)
> basedn = (Hidden to protect the innocent)
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> base_filter = "(objectclass=radiusprofile)"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = yes
>
> tls_cacertfile = /etc/openldap/ssl/cacert.pem
> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> profile_attribute = "radiusProfileDn"
> access_attr = "cn"
> #access_group = ops
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
>
> #
> # NOTICE: The password_header directive is NOT case insensitive
> #
> password_header = "{SSHA}"
> password_attribute = userPassword
> groupname_attribute = "(|(&(objectClass=%(MemberUid))))
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))ou=Group,ou=Corproate,dc=supplysolution,dc=com"
> groupmembership_attribute = cn
>
> #
> # The server can usually figure this out on its own, and pull
> # the correct User-Password or NT-Password from the database.
> #
> # Note that NT-Passwords MUST be stored as a 32-digit hex
> # string, and MUST start off with "0x", such as:
> #
> # 0x000102030405060708090a0b0c0d0e0f
> #
> # Without the leading "0x", NT-Passwords will not work.
> # This goes for NT-Passwords stored in SQL, too.
> #
> # password_attribute = userPassword
> # groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> access_attr_used_for_allow = yes
> }
>
>
>
>
>
>
> Here is a copy of the log for the request.
>
> rad_recv: Access-Request packet from host (Hidden to protect the innocent), id=38,
> length=86
> User-Name = "dev"
> Reply-Message = "Password: "
> User-Password = "(Hidden to protect the innocent)"
> NAS-Port = 66
> NAS-Port-Type = Virtual
> Calling-Station-Id = "(Hidden to protect the innocent)"
> NAS-IP-Address = (Hidden to protect the innocent)
> Wed Mar 3 11:27:23 2004 : Debug: rad_lowerpair: User-Name now 'dev'
> Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group authorize for request
> 0
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling preprocess (rl
> m_preprocess) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from preproce
> ss (rlm_preprocess) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "preprocess" retu
> rns ok for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling ldap (rlm_ldap
> ) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authorize
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing user authorization for de
> v
> Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: '(uid=dev)'
> Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: (Hidden to protect the innocent)
> Wed Mar 3 11:27:23 2004 : Debug: ldap_get_conn: Got Id: 0
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: attempting LDAP reconnection
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to management1.pleas.sup
> plysolution.com:389, authentication 0
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as (Hidden to protect the innocent)
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ...
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing search in (Hidden to protect
> the innocent), with filter (uid=dev)
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: checking if remote access for dev is
> allowed by cn
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: Added password umFYzyfnmhVQdQC+Lleys
> j8RFv7g+TE+ in check items
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for check items in directory
> ...
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for reply items in directory
> ...
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authorized to use remote ac
> cess
> Wed Mar 3 11:27:23 2004 : Debug: ldap_release_conn: Release Id: 0
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from ldap (rl
> m_ldap) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "ldap" returns ok
> for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modcall: group authorize returns ok for reques
> t 0
> Wed Mar 3 11:27:23 2004 : Debug: rad_check_password: Found Auth-Type LDAP
> Wed Mar 3 11:27:23 2004 : Debug: auth: type "LDAP"
> Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group Auth-Type for request
> 0
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: calling ldap (rlm_l
> dap) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authenticate
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: login attempt by "dev" with password
> "changeme"
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user DN: uid=dev,(Hidden to protect the
> innocent)
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to (Hidden to protect the
> innocent) authentication 1
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as uid=dev,(Hidden to protect the
> innocent)
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ...
> Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authenticated succesfully
> Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: returned from ldap
> (rlm_ldap) for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modcall[authenticate]: module "ldap" returns
> ok for request 0
> Wed Mar 3 11:27:23 2004 : Debug: modcall: group Auth-Type returns ok for reques
> t 0
> Wed Mar 3 11:27:23 2004 : Auth: Login OK: [dev] (from client router port
> 66 cli (hidden))
> Sending Access-Accept of id 38 to 67.29.144.130:1645
> Wed Mar 3 11:27:23 2004 : Debug: Finished request 0
> Wed Mar 3 11:27:23 2004 : Debug: Going to the next request
> Wed Mar 3 11:27:23 2004 : Debug: --- Walking the entire request list ---
> Wed Mar 3 11:27:23 2004 : Debug: Waking up in 6 seconds...
> Warning: Remote host denied X11 forwarding.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
