Hallo Stephan,
anbei die gewünschte Datei. Das LDAP-Passwort habe ich natürlich durch
24aphanumerischeZeichen ersetzt. Wer weiß,welche Schüler meine email
scannen ;-)
Was sagt
getent group p_wifi
auf Deinem Server?
Gruß Jürgen
Am 06.10.2016 um 10:11 schrieb zefanja:
> Hallo Juergen,
>
> ich habe es probiert, aber noch ohne Erfolg. Könntest du mir bitte mal
> deine LDAP-conf schicken (/etc/freeradius/module/ldap)? Ich habe die
> Vermutung, dass es an irgendwelchen Einstellungen dort liegt.
>
> Nutzt du die LMN 6.2?
Ja, sogar 6.2.1. Als "early adopter" spiele ich in meiner Testumgebung
jedes Update sofort ein ;-)
>
> Derzeit bekomme ich folgende Ausgabe, wenn ich mit einem Lehreraccount
> teste:
>
> [ldap] performing search in ou=accounts,dc=example,dc=com, with filter
> (&(cn=p_wifi)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> rlm_ldap::ldap_groupcmp: Group p_wifi not found or user is not a member.
Obiges Kommando sagt Dir, ob er Recht hat oder ob er den LDAP-Server gar
nicht gefragt hat.
>
> vG Stephan
>
> Am 04.10.2016 um 11:56 schrieb Juergen Engeland:
>> Hallo Stephan,
>>
>> [...]
>>
>> Gruß Jürgen
>>
>>
>>
>> Am 04.10.2016 um 01:17 schrieb zefanja:
>>> Hallo Holger,
>>>
>>>> das oben genannte steht bei mir in einer 6.2 weder in der radius.conf
>>>> auf dem server noch in der auf dem chilli.
>>> Mein Fehler, ich meine die users.conf
>> Die Datei ist
>> /etc/freeradius/users
>>> im gleichen Verzeichnis. Die
>>> Einträge kommen von hier:
>>> https://github.com/linuxmuster/linuxmuster-base/blob/feature/grub2/var/config-static/etc/freeradius/users
>> Ob das auch funktionieren würde, weiß ich nicht.
>>> Ich habe mir noch mal die Doku
>>> (http://wiki.freeradius.org/modules/rlm_ldap#group-support) bei
>>> freeradius angeschaut und wenn ich das richtig verstanden habe, sollte
>>> es eigentlich eher
>>> DEFAULT Ldap-Group != teachers heißen, oder?
>> Mein Eintrag ist
>> DEFAULT Group != "p_wifi", Auth-Type := Reject
>>> Ich komme leider erst morgen wieder dazu, es zu testen.
>>>
>>> vG Stephan
>>> _______________________________________________
>>> linuxmuster-user mailing list
>>> [email protected]
>>> https://mail.lehrerpost.de/mailman/listinfo/linuxmuster-user
>>>
>> _______________________________________________
>> linuxmuster-user mailing list
>> [email protected]
>> https://mail.lehrerpost.de/mailman/listinfo/linuxmuster-user
>>
> _______________________________________________
> linuxmuster-user mailing list
> [email protected]
> https://mail.lehrerpost.de/mailman/listinfo/linuxmuster-user
>
# -*- text -*-
#
# $Id$
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication.
#
# See raddb/sites-available/default for reference to the
# ldap module in the authorize and authenticate sections.
#
# However, LDAP can be used for authentication ONLY when the
# Access-Request packet contains a clear-text User-Password
# attribute. LDAP authentication will NOT work for any other
# authentication method.
#
# This means that LDAP servers don't understand EAP. If you
# force "Auth-Type = LDAP", and then send the server a
# request containing EAP authentication, then authentication
# WILL NOT WORK.
#
# The solution is to use the default configuration, which does
# work.
#
# Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
# really can't emphasize this enough.
#
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "localhost"
identity = "cn=admin,dc=linuxmuster-net,dc=lokal"
password = 24alphanumerischeZeichen
basedn = "ou=accounts,dc=linuxmuster-net,dc=lokal"
filter = "(uid=%u)"
#base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
#
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
#
# seconds to wait for response of the server. (network
# failures) default: 10
#
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
#
# This subsection configures the tls related items
# that control how FreeRADIUS connects to an LDAP
# server. It contains all of the "tls_*" configuration
# entries used in older versions of FreeRADIUS. Those
# configuration entries can still be used, but we recommend
# using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 689) connections
start_tls = no
# cacertfile = /path/to/cacert.pem
# cacertdir = /path/to/ca/dir/
# certfile = /path/to/radius.crt
# keyfile = /path/to/radius.key
# randfile = /path/to/rnd
# Certificate Verification requirements. Can be:
# "never" (don't even bother trying)
# "allow" (try, but don't fail if the cerificate
# can't be verified)
# "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
# require_cert = "demand"
}
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
# access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
# Set password_attribute = nspmPassword to get the
# user's password from a Novell eDirectory
# backend. This will work ONLY IF FreeRADIUS has been
# built with the --with-edir configure option.
#
# See also the following links:
#
# http://www.novell.com/coolsolutions/appnote/16745.html
#
https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
# Novell may require TLS encrypted sessions before returning
# the user's password.
#
# password_attribute = userPassword
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
edir_account_policy_check = no
#
# Group membership checking. Disabled by default.
#
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# compare_check_items = yes
# do_xlat = yes
# access_attr_used_for_allow = yes
#
# The following two configuration items are for Active Directory
# compatibility. If you see the helpful "operations error"
# being returned to the LDAP module, uncomment the next
# two lines.
#
# chase_referrals = yes
# rebind = yes
#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
# ldap_debug: debug flag for LDAP SDK
# (see OpenLDAP documentation). Set this to enable
# huge amounts of LDAP debugging on the screen.
# You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028
}
_______________________________________________
linuxmuster-user mailing list
[email protected]
https://mail.lehrerpost.de/mailman/listinfo/linuxmuster-user
