
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Hobley
Sent: Wednesday, 31 October 2007 10:50
To: FreeRadius users mailing list
Subject: Re: Configure authentication via LDAP Group membership issue

All,

I have still not been able to find a solution for this; it looks like I
might be able to use an xlat rule for it, but I can't get my head around
how to write it. Can anyone point me to suitable documentation for xlat?
While I have read all the docco that comes with FreeRadius (in /usr/share),
I am missing something in order to apply it.

Cheers,
David
----- Original Message -----
From: "David Hobley" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it
authenticating successfully against my LDAP server, but I would also like to
limit access to only those people who are a member of the VPN group.

Normally, this would be simple, but because of the LDAP server I am using,
the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and
then search on the group. If I skip the searching to get the uidNumber, I
can configure the Radius (for this single account) correctly:

In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = "(memberUid=1024)"

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == "VPN Users"
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024
for an ldap search result so I can dynamically return the uidNumber for the
%{User-Name} field?

Thanks!

Cheers,
David
        
        
The memberUid attribute in a posixGroup is supposed to hold the uid, not
the uidNumber. That would make your

    groupmembership_filter = "(memberUid=%{User-Name})"

or more robustly,

    groupmembership_filter = "(&(memberUid=%{Stripped-User-Name:-%{User-Name}})(objectClass=posixGroup))"

Regards,
Frank Ranner
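As an added example, not code from the thread, here is a small Python model of the directory layout shown in David's ldapsearch output: it expands the filter Frank suggests (including the Stripped-User-Name fallback and the RFC 4515 escaping an interpolated User-Name needs) and performs the uid-then-uidNumber membership check that David's directory would require. The "Admins" group entry and all function names are constructed for the illustration.

```python
# Added example (not from the thread): an in-memory model of the two
# ldapsearch results above, used to show what the suggested
# groupmembership_filter expands to and why the uid/uidNumber distinction
# matters. Entries are constructed; no LDAP server is contacted.
DIRECTORY = [
    {"dn": "uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN",
     "objectClass": ["posixAccount"], "uid": ["firstname.lastname"],
     "uidNumber": ["1024"]},
    {"dn": "cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN",        # as posted:
     "objectClass": ["posixGroup"], "cn": ["VPN Users"],    # memberUid holds
     "memberUid": ["1024"]},                                # the uidNumber
    {"dn": "cn=Admins,ou=groups,dc=MY,dc=DOMAIN",           # constructed,
     "objectClass": ["posixGroup"], "cn": ["Admins"],       # standard layout:
     "memberUid": ["firstname.lastname"]},                  # memberUid = uid
]

def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a filter, so that a
    User-Name such as 'x)(uid=*' cannot change the shape of the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def groupmembership_filter(user_name, stripped_user_name=None):
    """Expand Frank's filter: %{Stripped-User-Name:-%{User-Name}} means
    'Stripped-User-Name if it is set, otherwise User-Name'."""
    name = stripped_user_name or user_name
    return "(&(memberUid=%s)(objectClass=posixGroup))" % ldap_escape(name)

def uid_number_for(user_name):
    """The extra lookup David asked for: User-Name -> uidNumber, or None."""
    for e in DIRECTORY:
        if "posixAccount" in e["objectClass"] and user_name in e["uid"]:
            return e["uidNumber"][0]
    return None

def groups_for(value):
    """Names of posixGroups whose memberUid contains value (uid or uidNumber)."""
    return sorted(e["cn"][0] for e in DIRECTORY
                  if "posixGroup" in e["objectClass"] and value in e["memberUid"])

def ldap_group_matches(user_name, group, stripped_user_name=None):
    """Emulate the users-file check 'LDAP-Group == group': first with
    memberUid=<uid> (posixGroup convention), then with memberUid=<uidNumber>
    (the layout in David's directory)."""
    name = stripped_user_name or user_name
    if group in groups_for(name):
        return True
    num = uid_number_for(name)
    return num is not None and group in groups_for(num)
```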




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html