I am going through that three times, but the radius server isn't referencing my huntgroups file to see which groups has access and which do not. I have it watching for if something is in the radiusGroupNames dn for the user but I either want it to look there for the huntgroup, or reference the users who are allowed in the ldapgroup that I specify.
Tre -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kostas Kalevras Sent: Wednesday, March 03, 2004 1:57 PM To: [EMAIL PROTECTED] Subject: Re: ldap group authorization...HELP!!! On Wed, 3 Mar 2004, Tre Johnston wrote: > I am having problems with radius grabbing the group memberUid attribute from > ldap and deny initial access to routers users based on the group they are in. > Below is a copy of the ldap configuration I have in my radiusd.conf file, > also I have enabled ldap in the auth section. Any help would be gladly > appreciated. As it is clearly described in doc/rlm_ldap you need to *do* some kind of group checking somewhere (like the users file). In the rlm_ldap condifuration you just configure the ldap group lookup, *not* the ldap group checks. > > ldap { > server = (Hidden to protect the innocent) > identity = (Hidden to protect the innocent) > password =(Hidden to protect the innocent) > basedn = (Hidden to protect the innocent) > filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" > base_filter = "(objectclass=radiusprofile)" > > # set this to 'yes' to use TLS encrypted connections > # to the LDAP database by using the StartTLS extended > # operation. > # The StartTLS operation is supposed to be used with normal > # ldap connections instead of using ldaps (port 689) connections > start_tls = yes > > tls_cacertfile = /etc/openldap/ssl/cacert.pem > # tls_cacertdir = /path/to/ca/dir/ > # tls_certfile = /path/to/radius.crt > # tls_keyfile = /path/to/radius.key > # tls_randfile = /path/to/rnd > # tls_require_cert = "demand" > > # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" > profile_attribute = "radiusProfileDn" > access_attr = "cn" > #access_group = ops > # Mapping of RADIUS dictionary attributes to LDAP > # directory attributes. > dictionary_mapping = ${raddbdir}/ldap.attrmap > > ldap_connections_number = 5 > > # > # NOTICE: The password_header directive is NOT case insensitive > # > password_header = "{SSHA}" > password_attribute = userPassword > groupname_attribute = "(|(&(objectClass=%(MemberUid)))) > groupmembership_filter = > "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))ou=Group,ou=Corproate,dc=supplysolution,dc=com" > groupmembership_attribute = cn > > # > # The server can usually figure this out on its own, and pull > # the correct User-Password or NT-Password from the database. > # > # Note that NT-Passwords MUST be stored as a 32-digit hex > # string, and MUST start off with "0x", such as: > # > # 0x000102030405060708090a0b0c0d0e0f > # > # Without the leading "0x", NT-Passwords will not work. > # This goes for NT-Passwords stored in SQL, too. > # > # password_attribute = userPassword > # groupname_attribute = cn > groupmembership_filter = > "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > groupmembership_attribute = radiusGroupName > timeout = 4 > timelimit = 3 > net_timeout = 1 > # compare_check_items = yes > # do_xlat = yes > access_attr_used_for_allow = yes > } > > > > > > > Here is a copy of the log for the request. > > rad_recv: Access-Request packet from host (Hidden to protect the innocent), id=38, > length=86 > User-Name = "dev" > Reply-Message = "Password: " > User-Password = "(Hidden to protect the innocent)" > NAS-Port = 66 > NAS-Port-Type = Virtual > Calling-Station-Id = "(Hidden to protect the innocent)" > NAS-IP-Address = (Hidden to protect the innocent) > Wed Mar 3 11:27:23 2004 : Debug: rad_lowerpair: User-Name now 'dev' > Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group authorize for request > 0 > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling preprocess (rl > m_preprocess) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from preproce > ss (rlm_preprocess) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "preprocess" retu > rns ok for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: calling ldap (rlm_ldap > ) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authorize > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing user authorization for de > v > Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: '(uid=dev)' > Wed Mar 3 11:27:23 2004 : Debug: radius_xlat: (Hidden to protect the innocent) > Wed Mar 3 11:27:23 2004 : Debug: ldap_get_conn: Got Id: 0 > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: attempting LDAP reconnection > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to management1.pleas.sup > plysolution.com:389, authentication 0 > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as (Hidden to protect the innocent) > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ... > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: performing search in (Hidden to protect > the innocent), with filter (uid=dev) > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: checking if remote access for dev is > allowed by cn > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: Added password umFYzyfnmhVQdQC+Lleys > j8RFv7g+TE+ in check items > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for check items in directory > ... > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: looking for reply items in directory > ... > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authorized to use remote ac > cess > Wed Mar 3 11:27:23 2004 : Debug: ldap_release_conn: Release Id: 0 > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authorize]: returned from ldap (rl > m_ldap) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modcall[authorize]: module "ldap" returns ok > for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modcall: group authorize returns ok for reques > t 0 > Wed Mar 3 11:27:23 2004 : Debug: rad_check_password: Found Auth-Type LDAP > Wed Mar 3 11:27:23 2004 : Debug: auth: type "LDAP" > Wed Mar 3 11:27:23 2004 : Debug: modcall: entering group Auth-Type for request > 0 > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: calling ldap (rlm_l > dap) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: - authenticate > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: login attempt by "dev" with password > "changeme" > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user DN: uid=dev,(Hidden to protect the > innocent) > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: (re)connect to (Hidden to protect the > innocent) authentication 1 > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: starting TLS > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: bind as uid=dev,(Hidden to protect the > innocent) > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: waiting for bind result ... > Wed Mar 3 11:27:23 2004 : Debug: rlm_ldap: user dev authenticated succesfully > Wed Mar 3 11:27:23 2004 : Debug: modsingle[authenticate]: returned from ldap > (rlm_ldap) for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modcall[authenticate]: module "ldap" returns > ok for request 0 > Wed Mar 3 11:27:23 2004 : Debug: modcall: group Auth-Type returns ok for reques > t 0 > Wed Mar 3 11:27:23 2004 : Auth: Login OK: [dev] (from client router port > 66 cli (hidden)) > Sending Access-Accept of id 38 to 67.29.144.130:1645 > Wed Mar 3 11:27:23 2004 : Debug: Finished request 0 > Wed Mar 3 11:27:23 2004 : Debug: Going to the next request > Wed Mar 3 11:27:23 2004 : Debug: --- Walking the entire request list --- > Wed Mar 3 11:27:23 2004 : Debug: Waking up in 6 seconds... > Warning: Remote host denied X11 forwarding. > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
