Nevermind - expected behavior. I made some changes to rlm_ldap.c and got the behavior I expected.

Thanks,
Craig


Craig Huckabee wrote:


Before I go off and start making code changes, I wanted to check if what I'm seeing is expected behavior.


First, some background information (this is with FreeRADIUS 1.0.0-pre0):

We have one FreeRADIUS server configured like this

In the modules section...

ldap local_user {
    server = ds1.foo.com
    basedn = "ou=People,dc=foo,dc=com"   <---  One basedn
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ...
}

ldap corporate_user {
    server = ds1.bar.com
    basedn = "ou=People,dc=bar,dc=com"   <--- A different basedn
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ...
}


In the authorize section...

group {

    local_user {
        reject = reject
        userlock = reject
        ok = return
    }
    corporate_user {
        reject = reject
        userlock = reject
        ok = return
    }
    notfound = return
}


In the authenticate section...

Auth-Type LDAP {
    group {
        local_user {
            reject = 1
        }
        corporate_user
    }
}


Here is what I see - if a user is 'authorized' by the LDAP server from 'local_user', then an attempt to authenticate that user against the LDAP server from 'local_user' is attempted, using "uid=%{User-Name}, ou=People, dc=foo, dc=com" as the Ldap-UserDN.


If that authentication fails, then it attempts to authenticate against the LDAP server from "corporate_user", with *"uid=%{User-Name}, ou=People, dc=foo, dc=com" as the Ldap-UserDN"* (the same as before) and NOT "uid=%{User-Name}, ou=People, dc=bar, dc=com" as the Ldap-UserDN - Note the different BaseDNs defined for both servers.

In a nutshell, rlm_ldap doesn't appear to get the right BaseDN, or it just uses the BaseDN from whatever ldap instance 'authorized' the user. Is that expected behavior? Or should it use the BaseDN from the ldap instance described in the 'authenticate' section?

Long story about why we have two LDAP servers with different basedns and why a user would need to authenticate off of either one, I won't go into that here. Suffice it to say we're in transition.

Any insight is appreciated,
Craig
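The flow in the post above, as an added Python model (not rlm_ldap's code): each ldap instance records Ldap-UserDN in the request when it authorizes the user, and the 1.x authenticate step reuses that attribute if present, so the second instance binds with the first instance's basedn. The user "craig", the two constructed directories and their passwords are assumptions for the illustration; `reuse_dn=False` shows the corrected behaviour of rebuilding the DN from the authenticating instance's own basedn.

```python
from dataclasses import dataclass


@dataclass
class LdapInstance:
    """Model of one rlm_ldap instance: a basedn and a constructed uid -> password map."""
    name: str
    basedn: str
    users: dict

    def user_dn(self, user):
        return f"uid={user},{self.basedn}"

    def authorize(self, request):
        # authorize: if the user exists here, store the DN in the request (1.x behaviour)
        if request["User-Name"] in self.users:
            request["Ldap-UserDN"] = self.user_dn(request["User-Name"])
            return "ok"
        return "notfound"

    def authenticate(self, request, reuse_dn=True):
        # authenticate: 1.x binds with an existing Ldap-UserDN, whoever set it;
        # with reuse_dn=False the DN is rebuilt from this instance's basedn instead
        if reuse_dn and "Ldap-UserDN" in request:
            dn = request["Ldap-UserDN"]
        else:
            dn = self.user_dn(request["User-Name"])
        # a bind only succeeds if the DN lives under this instance's basedn and the password matches
        bound = (dn == self.user_dn(request["User-Name"])
                 and self.users.get(request["User-Name"]) == request["User-Password"])
        return ("ok" if bound else "reject"), dn


def run_flow(user, password, instances, reuse_dn=True):
    """authorize group (first 'ok' returns) then authenticate group (stop at first 'ok');
    returns a list of (instance name, DN used, result) per authenticate attempt."""
    request = {"User-Name": user, "User-Password": password}
    for inst in instances:
        if inst.authorize(request) == "ok":
            break
    attempts = []
    for inst in instances:
        result, dn = inst.authenticate(request, reuse_dn)
        attempts.append((inst.name, dn, result))
        if result == "ok":
            break
    return attempts


# constructed directories: "craig" exists in both, with different passwords
LOCAL = LdapInstance("local_user", "ou=People,dc=foo,dc=com", {"craig": "local-pw"})
CORPORATE = LdapInstance("corporate_user", "ou=People,dc=bar,dc=com", {"craig": "corp-pw"})

if __name__ == "__main__":
    for reuse in (True, False):
        print(f"reuse_dn={reuse}:", run_flow("craig", "corp-pw", [LOCAL, CORPORATE], reuse))
```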

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Craig Huckabee        | e-mail: [EMAIL PROTECTED]
Code 715-CH           | phone: (843) 218 5653
SPAWAR Systems Center | close proximity: "Hey You!"
Charleston, SC        | ICBM: 32.78N, 79.93W
