Attributes and LDAP

Marek Gradzki Tue, 23 May 2006 03:40:56 -0700

Hi.
I am currently using FreeRadius server 1.0.2 on Solaris 8 with LDAP authentication and MySQL accounting
for PPPoE sessions with ADSL technology.
Everything works fine, but some problems appeared lately.
User profiles are stored in some subtree of LDAP server. Each user has an attribute radiusGroupName set to test
(for example). I would like to setup some common attribute values in the group profile, which is also stored in
the LDAP server but in the other subtree, and import them to user profile during authentication.
Now it does not work. Unfortunately I do not have much space to experiment because it is working
configration and I really do not have an idea how to setup this kind of behaviour.
Parts of my config files are below:
huntgroups:
cisco        NAS-IP-Address == 192.168.0.211

clients.conf:
client 192.168.0.211 {
    secret      = cisco
    nastype     = cisco
        shortname   = c7200vxr
}

radiusd.conf:

# MODULE CONFIGURATION
modules {
    pap {
        encryption_scheme = crypt
    }

    chap {
        authtype = CHAP
    }

    pam {
        pam_auth = radiusd
    }

    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }

$INCLUDE ${confdir}/eap.conf

    mschap {
        authtype = MS-CHAP
    }

    ldap {
        server = "ds1i.ostisp.intra ds2i.ostisp.intra"
        identity = "cn=freeradius,ou=admins,o=radius,dc=ostnet,dc=pl"
        password = radius
        basedn = "ou=users,ou=adsl,o=radius,dc=ostnet,dc=pl"
        filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        password_attribute = userPassword

        # access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap_ext.attrmap

        groupname_attribute = radiusGroupName
        groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile)"
        groupmembership_attribute = radiusGroupName

        ldap_connections_number = 40
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }

    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }

    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }

    realm realmpercent {
        format = suffix
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }

    realm ntdomain {
        format = prefix
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
    }


    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }

    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }

    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }

    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }

    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    }

    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
        detailperm = 0600
    }

    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }

    radutmp {
        filename = ${logdir}/radutmp
#        username = %{User-Name}
        username = %{Stripped-User-Name:-%{User-Name}}
        case_sensitive = no
        check_with_nas = yes
        perm = 0600
        callerid = "no"
    }

    attr_filter {
        attrsfile = ${confdir}/attrs
    }

    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }

    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }

    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }


    $INCLUDE ${confdir}/sql.conf
}

# Instantiation
instantiate {
    expr
    detail
}

authorize {
    preprocess
    chap
    ldap
    files
}

# Authentication.
authenticate {
    Auth-Type CHAP {
        chap
    }
    Auth-Type LDAP {
        ldap
    }
    Auth-Type PAP {
        pap
    }
    unix
}

#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
    preprocess
    acct_unique
    suffix
    files
}

#
# Accounting. Log the accounting data.
#
accounting {
    sql
}

session {
    radutmp
}

post-auth {
}

pre-proxy {
}

post-proxy {
    eap
}

users:
DEFAULT Ldap-Group == disabled, Auth-Type := Reject
    Reply-Message = "Blocked account."

DEFAULT Huntgroup-Name == cisco, LDAP-Group == ostinternet, User-Profile := "cn=ostinternet,ou=profiles,ou=adsl,o=radius,dc=ostnet,dc=pl"
    Fall-Through = no

DEFAULT Huntgroup-Name == huawei, LDAP-Group == ostinternet, User-Profile := "cn=ostinternet,ou=profiles,ou-adsl,o=radius,dc=ostnet,dc=pl"
    Fall-Through = no

Write if You have any ideas.
Thanks in advance.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Attributes and LDAP

Reply via email to