Re: authentification

2010-05-20 Thread Johan Meiring

On 2010/05/18 10:47 PM, dorra aa wrote:

is there somebody who wants to tell what the utility of it is?


From: dj_dido2...@hotmail.com
To: freeradius-users@lists.freeradius.org
Subject: authentification
Date: Tue, 18 May 2010 19:40:28 +

hi freeradius,
i want to ask how to use MAC Address Authentication in my freeradius.
besides, i added a MAC address with daloradius. how can i test the
success of that?
thank you



Have a look here.
http://catb.org/~esr/faqs/smart-questions.html

Also here.
http://catb.org/~esr/faqs/smart-questions.html#homework



--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Segmentation fault on 2.1.7 during HUP

2010-05-20 Thread Alan DeKok
coja wrote:
 Could you please tell me how i can include my pins file in the users file.
 When i write a line like $INCLUDE pins at the beginning of the users file, i
 can see how that line will disappear after reload or restart.

  Huh?  The users file is reloaded, along with all $INCLUDE files.

  Maybe try using an absolute path for the $INCLUDE?

 I use a web interface for the PIN file and it has special rights for apache.
 Are there ways to do it somehow, or should i work with the users file
 through the interface?

  Have you thought about using a database?  That's really what they're for.

  Alan DeKok.


Active Directory as PKI

2010-05-20 Thread Nikita Koshikov
Hello freeradius users/admins,


I'm trying to implement EAP-TLS authorization with freeradius and Active
Directory Certificate Services, but I'm stuck here...

With keys/certificates generated with the freeradius makefile (/etc/raddb/certs)
everything is working fine. Here is the hierarchy of keys generated by
freeradius:

Ca.crt(+ca.key)
||
server.crt(+servers.key) //issuer ca.crt
||
client1.crt
client2.crt
.   //issuer server.crt

Unlike this scheme, Active Directory stores certificates in this way:

Ca.crt(key in AD and cannot be used by freeradius)
||
sub_ca.crt(key in AD and cannot be used by freeradius) //issuer ca.crt
||
server.crt(+key) //issuer sub_ca.crt (this is for
private_key_file and certificate_file in freeradius config)
||
client1.crt
client2.crt
.   //issuer sub_ca.crt
I concatenated the ca.crt file with sub_ca.crt; openssl verify produces OK.
# openssl verify -CAfile ca.crt clent.crt 
clent.crt: OK

But trying to authenticate from the client I get the error unknown_ca. I have
attached the full debug log.
client(wpa_supplicant) - wifi-access(linksys with dd-wrt) -
server(freeradius-2.1.7)
wpa_supplicant.conf:
network={
ssid=work
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
eap=TLS
identity=radius
ca_cert=/home/work/ca.crt
client_cert=/home/work/wifi_client.crt
private_key=/home/work/wifi_client.key
private_key_passwd=
priority=1
}

freeradius relevant section:
  tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /etc/raddb/certs/win/server.key //generated from 
sub_ca
certificate_file = /etc/raddb/certs/win/server.crt //generated from 
sub_ca
CA_file = /etc/raddb/certs/win/ca.crt //concatenated ca.crt + 
sub_ca.crt from windows store
dh_file = /etc/raddb/certs/dh //generated by makefile
random_file = /etc/raddb/certs/random //generated by makefile
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
   }

Note:
Server.crt and client.crt have all the necessary extensions (OIDs): TLS Web Server
Authentication and TLS Web Client Authentication

My question: is it possible to organize such a scheme, freeradius + Windows
certificate center? MUST client.crt be issued by server.crt, or MAY they both
be issued by a higher-level CA, like Active Directory does?

If this has been discussed before, please point me in the right direction.

Listening on authentication address * port 1812
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.93 port 2048, id=0, length=167
User-Name = koshiko...@agromat.intranet
NAS-IP-Address = 192.168.1.93
Called-Station-Id = 687f7402229e
Calling-Station-Id = 001b77a5bd59
NAS-Identifier = 687f7402229e
NAS-Port = 1
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0220016b6f7368696b6f762e6e406167726f6d61742e696e7472616e6574
Message-Authenticator = 0x6f74a60a7122ce86332f6c12f0a58b2d
+- entering group authorize {...}
++[mschap] returns noop
[ntdomain] No '\' in User-Name = koshiko...@agromat.intranet, looking up realm NULL
[ntdomain] Found realm DEFAULT
[ntdomain] Adding Stripped-User-Name = koshiko...@agromat.intranet
[ntdomain] Adding Realm = DEFAULT
[ntdomain] Authentication realm is LOCAL.
++[ntdomain] returns ok
++[control] returns ok
[eap] EAP packet type response id 0 length 32
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.1.93 port 2048
EAP-Message = 0x010100060d20
Message-Authenticator = 0x
State = 0x786df611786cfbdfbe03eb20394d9de8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.93 port 2048, id=0, length=268
Cleaning up request 0 ID 0 with timestamp +68
User-Name = koshiko...@agromat.intranet
NAS-IP-Address = 192.168.1.93
Called-Station-Id = 687f7402229e
Calling-Station-Id = 001b77a5bd59
NAS-Identifier = 687f7402229e
NAS-Port = 1
Framed-MTU = 1400
State = 0x786df611786cfbdfbe03eb20394d9de8
NAS-Port-Type = Wireless-802.11
EAP-Message =
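The debug log above shows the first two EAP round trips of the EAP-TLS exchange: the peer's Response/Identity and the server's EAP-TLS Start request (EAP-Message = 0x010100060d20). The following is an added example, not code from the original post, from FreeRADIUS or from wpa_supplicant, that decodes such EAP packets with every length field checked against the bytes present, and models the fragmentation that the fragment_size and include_length settings in the tls section govern (RFC 3748 for EAP, RFC 5216 for the EAP-TLS flags). The Start request is taken from the log; the identity packet and the TLS flight being fragmented are constructed for the example.

```python
import struct

# EAP codes and types (RFC 3748), and the EAP-TLS flag bits (RFC 5216 section 3.1).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20


def parse_eap(packet: bytes) -> dict:
    """Decode one EAP packet (the value carried in a RADIUS EAP-Message attribute).
    Every length field is checked against the bytes actually present."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != packet size {len(packet)}")
    result = {"code": code, "id": ident, "length": length}
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return result                      # Success/Failure carry no Type byte
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    result["type"] = packet[4]
    if result["type"] == EAP_TYPE_IDENTITY:
        result["identity"] = packet[5:].decode("utf-8", "replace")
    elif result["type"] == EAP_TYPE_TLS:
        if length < 6:
            raise ValueError("EAP-TLS without a Flags byte")
        flags = packet[5]
        result["start"] = bool(flags & FLAG_START)
        result["more"] = bool(flags & FLAG_MORE_FRAGMENTS)
        result["length_included"] = bool(flags & FLAG_LENGTH_INCLUDED)
        body = packet[6:]
        if result["length_included"]:
            if len(body) < 4:
                raise ValueError("L flag set but no TLS Message Length field")
            result["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        result["tls_data"] = body
    return result


def build_eap(code: int, ident: int, eap_type=None, payload: bytes = b"") -> bytes:
    """Assemble Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + payload
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def fragment_eap_tls(code: int, first_id: int, tls_data: bytes, fragment_size: int) -> list:
    """Split one TLS flight into EAP-TLS packets of at most fragment_size bytes:
    the first carries the L flag and the total TLS length, all but the last carry M.
    Identifiers advance per packet, as a server's successive Requests do."""
    if fragment_size < 11:
        raise ValueError("fragment_size must leave room for header, flags, length and data")
    packets, pos, ident = [], 0, first_id
    while True:
        first = pos == 0
        room = fragment_size - 6 - (4 if first else 0)
        chunk = tls_data[pos:pos + room]
        pos += len(chunk)
        flags = FLAG_LENGTH_INCLUDED if first else 0
        if pos < len(tls_data):
            flags |= FLAG_MORE_FRAGMENTS
        prefix = struct.pack("!I", len(tls_data)) if first else b""
        packets.append(build_eap(code, ident, EAP_TYPE_TLS, bytes([flags]) + prefix + chunk))
        ident = (ident + 1) % 256
        if pos >= len(tls_data):
            return packets


def reassemble_eap_tls(packets: list) -> bytes:
    """Inverse of fragment_eap_tls; refuses data beyond the advertised total length,
    which is the bound a receiver should enforce before buffering fragments."""
    total, buf = None, bytearray()
    for index, packet in enumerate(packets):
        parsed = parse_eap(packet)
        if parsed.get("type") != EAP_TYPE_TLS:
            raise ValueError("not an EAP-TLS packet")
        if index == 0 and parsed["length_included"]:
            total = parsed["tls_total_length"]
        buf += parsed["tls_data"]
        if total is not None and len(buf) > total:
            raise ValueError("fragments exceed the advertised TLS message length")
        if not parsed["more"]:
            break
    if total is not None and len(buf) != total:
        raise ValueError("reassembly ended before the advertised length was reached")
    return bytes(buf)


if __name__ == "__main__":
    # EAP-Message from the Access-Challenge in the debug log: EAP-TLS Start (S flag set).
    print(parse_eap(bytes.fromhex("010100060d20")))
    # A constructed Response/Identity with a constructed identity.
    print(parse_eap(build_eap(EAP_RESPONSE, 0, EAP_TYPE_IDENTITY, b"user@example.org")))
    # A constructed 2560-byte TLS flight split at fragment_size = 1024, then reassembled.
    frags = fragment_eap_tls(EAP_REQUEST, 2, bytes(range(256)) * 10, 1024)
    print(len(frags), "fragments;", "round trip ok:", reassemble_eap_tls(frags) == bytes(range(256)) * 10)
```

Decoding the Start request yields code 1 (Request), id 1, length 6, type 13 with only the S flag set, which is the "[tls] Initiate" step in the log; the server's certificate chain then arrives in the following Requests, fragmented as shown.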

problem whit home_server template

2010-05-20 Thread Ana Gallardo
Hello,

I'm working with Freeradius 2.1.8.

I would like to use templates in my proxy.conf file to define some home
servers.

My templates.conf file is:

/etc/freeradius# cat templates.conf

templates {
home_server tldrediris {
type = auth+acct
port =1812
secret = 
#src_ipaddr = 127.0.0.1
require_message_authenticator = no
response_window = 20
#no_response_fail = no
zombie_period = 40
revive_interval = 60
status_check = status-server
check_interval = 30
num_answers_to_alive = 3
  }
}

Then, in radiusd.conf I include this file:

$INCLUDE templates.conf


And if I have template = tldrediris in the proxy.conf file, when FreeRADIUS
starts it doesn't take the values defined in templates.conf:

/etc/freeradius# cat proxy.conf

home_server tld-rediris1 {
template = tldrediris
ipaddr = X.X.X.X
}

/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan  3 2010
at 14:14:04
. . .
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/templates.conf
including configuration file /etc/freeradius/proxy.conf
. . .
home_server tld-rediris1 {
ipaddr = X.X.X.X
port = 0
response_window = 30
max_outstanding = 65536
zombie_period = 40
status_check = none
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 300
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
 }
/etc/freeradius/proxy.conf[26]: No port, or invalid port defined for home
server tld-rediris1.

On the other hand, if I use $template tldrediris in templates.conf,
FreeRADIUS doesn't know tldrediris:

/etc/freeradius# cat proxy.conf

home_server tld-rediris1 {
$template tldrediris
ipaddr = X.X.X.X
}

/etc/freeradius# freeradius -X
FreeRADIUS Version 2.1.8, for host x86_64-pc-linux-gnu, built on Jan  3 2010
at 14:14:04
. . .
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/templates.conf
including configuration file /etc/freeradius/proxy.conf
WARNING: No such configuration item tldrediris
/etc/freeradius/proxy.conf[27]: Reference tldrediris not found
Errors reading /etc/freeradius/radiusd.conf


I remember this:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59018.html


Sorry for my English and thank you very much.

-- 


 Ana Gallardo Gómez


State of 2.x?

2010-05-20 Thread Alex French
Hi,

We're running 1.1.8 on FreeBSD 5.3 and have been delaying the move to
2.x until absolutely necessary. Given the recent libtool22 issues, I'm
thinking it's time to move. Just wondering if people would recommend
moving now to 2.1.9 or waiting a while longer for a stable 2.2?

Thanks

--
Alex


hostname variable ?

2010-05-20 Thread Fred MAISON
Hello Freeradius-Users,

Is there any way to reference hostname (in fact hostname -s) in
configuration files, in order to have identical configuration files tree
on both a normal and a backup freeradius 2.1.8 server ?


For example, to manage different listen addresses on normal and
backup:
suppose a variable %{hostname} contains the result of the command hostname -s.
On both normal and backup servers, we could have this:

$INCLUDE %{hostname}.listen.conf 
# expands as $INCLUDE normal.listen.conf on so called normal server 
# expands as $INCLUDE backup.listen.conf on so called backup server

/etc/raddb/normal.listen.conf :
listen {
type = auth
port = 1812
ipaddr = 10.1.1.1
}
listen {
type = acct
port = 1813
ipaddr = 10.1.1.1
}
.

/etc/raddb/backup.listen.conf
listen {
type = auth
port = 1812
ipaddr = 10.1.1.2
}
listen {
type = acct
port = 1813
ipaddr = 10.1.1.2
}
.

best regards,
Fred



FTP and Telnet request to RADIUS server

2010-05-20 Thread Arjun Prasad
Hi,

Can we use the RADIUS server to validate a user trying to access the NAS
using an ftp or telnet session?

Regards
Arjun prasad


Re: FTP and Telnet request to RADIUS server

2010-05-20 Thread Alan DeKok
Arjun Prasad wrote:
 Hi,
 
 Can we use RADIUS server to validate the user trying to access the NAS
 using ftp or telnet session.

  Will your NAS send RADIUS requests when the user tries to access the
NAS using a ftp or telnet session?

  Alan DeKok.


Re: hostname variable ?

2010-05-20 Thread Alan DeKok
Fred MAISON wrote:
 Is there any way to reference hostname (in fact hostname -s) in
 configuration files, in order to have identical configuration files tree
 on both a normal and a backup freeradius 2.1.8 server ?

  $ENV{HOSTNAME} refers to the environment variable HOSTNAME.

  Alan DeKok.


Re: State of 2.x?

2010-05-20 Thread Alan DeKok
Alex French wrote:
 We're running 1.1.8 on FreeBSD 5.3 and have been delaying the move to
 2.x until absolutely necessary. Given the recent libtool22 issues, I'm
 thinking it's time to move. Just wondering if people would recommend
 moving now to 2.1.9 or waiting a while longer for a stable 2.2?

  Use 2.1.9, which should come out tomorrow or Monday.

  2.2.0 is for major new features.

  Alan DeKok.


Building and sending Acct packets

2010-05-20 Thread Stefan A.
I have some use cases where I have to send an Accounting packet to a
RADIUS Accounting Server to provision the user on this server. The trigger
for that accounting packet must not necessarily be an accounting packet
coming from a NAS. It might also be a RADIUS Access-Request.

I will build the packet, only containing the

 Acct-Status-Type = Start
 Calling-Station-Id = what I got from the NAS
 Filter-Id = something

and all the things needed by the RFC, like the Acct-Session-Id.

So for me, the best option would be to configure a line like

 provision_serverA

What would be the module I have to configure for that reason?

My process does not require me to wait for an ACK to go on. What would be
a configuration option for this?

Thank You.

Re: State of 2.x?

2010-05-20 Thread Alan Buxey
Hi,

   Use 2.1.9, which should come out tomorrow or Monday.

been running 2.1.9 on some systems now since its pre-release
with no issues noted so far

   2.2.0 is for major new features.

...and is therefore likely to be 'unstable' compared to 2.1.x

alan


Re: State of 2.x?

2010-05-20 Thread Alex French
Thanks Alan & Alan, that's what I wanted to know.
--
Alex


FW: MS AD / OpenLDAP with PAP - is it really not possible ?

2010-05-20 Thread Pawel Cieplinski

Hello

I have got an application that allows authentication only using the PAP method. My
goal would be to use Active Directory as a backend user database, but I found
that:

Once the PAP authentication test has been successful, the next step for sites 
using Active Directory is to configure the system to perform user 
authentication against Active Directory. The clear-text passwords are 
unavailable through Active Directory, so we have to use Samba

Is it true ?

The same page describes using ntlm_auth instead, but I cannot find how to
pass attributes from the LDAP database using ntlm_auth to the RADIUS client.

Is it possible to reply attributes from LDAP using ntlm_auth ?

Best regards
Pawel.



Re: hostname variable ?

2010-05-20 Thread Fred MAISON
Great !

Thanks, Alan.

Le jeudi 20 mai 2010 à 13:39 +0200, Alan DeKok a écrit :
 Fred MAISON wrote:
  Is there any way to reference hostname (in fact hostname -s) in
  configuration files, in order to have identical configuration files tree
  on both a normal and a backup freeradius 2.1.8 server ?
 
   $ENV{HOSTNAME} refers to the environment variable HOSTNAME.
 
   Alan DeKok.




Re: certs files missing?

2010-05-20 Thread Josip Rodin
On Wed, May 19, 2010 at 01:25:56PM -0600, shirkavand wrote:
 $ cd /etc/raddb/certs
 $ make
 
 but in my freeradius installation the certs folder does not have any make
 file, so if i try to run the above commands i get errors. In fact my
 installation does not have several files that the tutorial supposes
 should exist, they are:
 Any idea why these files are missing?

Use the package and you'll probably get the certificates automatically,
or find those template example files in /usr/share/doc/freeradius/examples

-- 
 2. That which causes joy or happiness.


Re: Segmentation fault on 2.1.7 during HUP

2010-05-20 Thread coja



Alan DeKok-2 wrote:
 
 coja wrote:
 Could you please tell me how i can include my pins file to users file.
 When i write line like $INCLUDE pins in the beginning of the users file,
 i
 can see how that line will disapear after reload or restart.
 
   Huh?  The users file is reloaded, along with all $INCLUDE files.
 
   Maybe try using an absolute path for the $INCLUDE?
 
 I use web interface for PIN file and it has special rights for apache.
 Are there exist ways to do it somehow or i shoul work with users file
 through interface?
 
   Have you thought about using a database?  That's really what they're
 for.
 
   Alan DeKok.
 
 


Hello All!
I solved that problem. I've just written $INCLUDE ./users.other and the
problem is gone.
I can't use databases, because it's so complicated to replicate databases
between offices. I store accounting of different branch offices in 5
databases.
Ok, i will try to find a way to replicate only the pins file and import
it into the databases.
Thank You!
-- 



Re: freeradius + mysql trouble

2010-05-20 Thread Ski Mountain
I was simply using the debian package manager version, seems to work fine for
what I need.

is version of freeradius supplied by distro or package manager?

have you uncommented calls to sql - eg in the default
server or inner-tunnel  (look in the required/needed sections, eg
authorize, authenticate etc).   i also note you dont have SSL
support so wont be able to do any EAP stuff.

alan


That was exactly the problem, none of the docs mention that file which is why I 
missed it.  

Part way through, it says:

Edit /etc/raddb/sites-available/default  ...

 You didn't do that.

# /usr/sbin/freeradius  -X
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep  7 2008 at 
23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.



Re: Building and sending Acct packets

2010-05-20 Thread Alan DeKok
Stefan A. wrote:
 I have some use cases, where I have to send an Accounting packet to an
 RADIUS Accounting Server to provision the user on this server. The
 trigger for that accounting packet must not be necessarily an accounting
 packet, coming from a NAS. It might also be a RADIUS Access Request.
...
 So for me, the best option would be to configure a line like
 
  provision_serverA

 What would be the module, I have to configure for that reason?

  There is no module to do that.

 My process does not require me to wait for an ACK to go on… What would
 be a configuration option for this?

  There is no configuration option to do that.

  You can run radclient as an external program.  See rlm_exec, and man
radclient.

  Alan DeKok.
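Alan's answer is to hand the job to radclient via rlm_exec. As an added example, not code from the post, from FreeRADIUS or from radclient, here is what such an Accounting-Request carries and what the receiving accounting server checks before accepting it: the attribute encoding of RFC 2865, the Acct-Session-Id that RFC 2866 requires, and the MD5 Request and Response Authenticators keyed with the shared secret (the response check is what a sender uses so that a forged or mis-keyed ACK is not mistaken for success). The shared secret, NAS address, session id, Calling-Station-Id and Filter-Id values are constructed for the example.

```python
import hashlib
import hmac
import socket
import struct

# Constructed for this example; the real secret is the home_server's shared secret.
SHARED_SECRET = b"example-shared-secret"

# RADIUS packet codes and attribute numbers used below (RFC 2865 / RFC 2866).
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ATTR_NAS_IP_ADDRESS = 4
ATTR_FILTER_ID = 11
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1


def encode_avp(attr_type: int, value) -> bytes:
    """Encode one attribute as Type (1) | Length (1) | Value, RFC 2865 section 5."""
    if isinstance(value, int):
        value = struct.pack("!I", value)          # integer attributes are 32-bit big-endian
    elif isinstance(value, str):
        value = value.encode("utf-8")
    if not 1 <= len(value) <= 253:                 # Length counts the 2 header bytes, max 255
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_start(identifier: int, nas_ip: str, calling_station: str,
                     filter_id: str, session_id: str, secret: bytes = SHARED_SECRET) -> bytes:
    """Accounting-Request (Start) with the attributes named in the thread.
    Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret), RFC 2866 section 3."""
    attrs = b"".join([
        encode_avp(ATTR_ACCT_STATUS_TYPE, ACCT_STATUS_START),
        encode_avp(ATTR_ACCT_SESSION_ID, session_id),        # mandatory in accounting packets
        encode_avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        encode_avp(ATTR_CALLING_STATION_ID, calling_station),
        encode_avp(ATTR_FILTER_ID, filter_id),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Split a RADIUS packet into (code, id, authenticator, {type: [values]}),
    rejecting length fields that disagree with the bytes actually present."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != packet size {len(packet)}")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """What the accounting server checks before it records the Start."""
    _, _, authenticator, _ = parse_packet(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def build_acct_response(request: bytes, secret: bytes) -> bytes:
    """Accounting-Response: MD5(Code|ID|Length|RequestAuthenticator|Attributes|Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20)   # no attributes
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """What the sender checks: the ACK must match the request id and be keyed with the secret."""
    _, req_id, request_auth, _ = parse_packet(request)
    code, resp_id, resp_auth, _ = parse_packet(response)
    if code != ACCOUNTING_RESPONSE or resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    req = build_acct_start(7, "192.0.2.10", "00-11-22-33-44-55", "provision-profile", "0123456789abcdef")
    print(req.hex())
    print("request ok:", verify_request_authenticator(req, SHARED_SECRET))
    resp = build_acct_response(req, SHARED_SECRET)
    print("response ok:", verify_response(req, resp, SHARED_SECRET))
```

Because the whole request is bound to the shared secret by the authenticator, a provisioning record with a mis-typed secret is simply dropped by the home server; with the fire-and-forget approach Alan describes (radclient from rlm_exec) nothing reports that, so checking the Accounting-Response, or at least logging its absence, is what turns a silent failure into a visible one.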

Re: FW: MS AD / OpenLDAP with PAP - is it really not possible ?

2010-05-20 Thread Alan DeKok
Pawel Cieplinski wrote:
 I have got an application that allows authentication only using the PAP method. My
 goal would be to use Active Directory as a backend user database, but I found
 that:

  It should work.

 Once the PAP authentication test has been successful, the next step for 
 sites using Active Directory is to configure the system to perform user 
 authentication against Active Directory. The clear-text passwords are 
 unavailable through Active Directory, so we have to use Samba
 
 Is it true ?

  sigh *IF* you're trying to configure EAP.  That is one step out of
many.  It tests that AD integration works before going on to the next step.

 The same page describes using ntlm_auth instead, but I cannot find how to
 pass attributes from the LDAP database using ntlm_auth to the RADIUS client.
 
 Is it possible to reply attributes from LDAP using ntlm_auth ?

  No.

  For PAP, configure AD as an LDAP server.

  Alan DeKok.


Re: certs files missing?

2010-05-20 Thread shirkavand
Use the package and you'll probably get the certificates automatically

So i can avoid executing make in /usr/share/doc/freeradius/examples etc.
for generating test certificates? Then can i use the default ones that
are stored in /etc/freeradius/certs that came with the normal package
installation?

Authenticating groups via LDAP

2010-05-20 Thread John Maher
I really didn't want to post here, but I just can't make any headway
with my radius implementation.  I am very new at this and still quite
confused on how the various config files function and interact with each
other.  So, I'm not surprised that my implementation is only sort of
working.

I have installed freeradius 2.1.8 on Ubuntu Server 8.04 by making deb
packages from the source and installing the deb packages.

Radius is relying on an LDAP server for authentication of wireless
clients. Only clients with valid usernames and passwords in LDAP will
get authenticated.

What I would really like to do (other than actually be able to
understand the concepts behind the config files) is require clients to
be in a particular LDAP group (e.g., wireless-users) in order to
successfully authenticate.  I don't understand how to make that happen.
I've tried creating group filters like this in modules/ldap:

groupname_attribute = cn
groupmembership_filter =
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = memberUid

and this in users:

DEFAULT LDAP-GROUP == vpn-users
Service-Type = Administrative-User

But the output seems to indicate that it is not even considering my
radiusd.conf config when it comes to the filter.  (see output below).

I would so welcome assistance with this.  In addition, is there any
resource that is particularly good at explaining how radius and its
config files really work?

Thanks.

John


# freeradius -X
FreeRADIUS Version 2.1.8, for host i486-pc-linux-gnu, built on May 14
2010 at 09:29:10
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ldap.dpkg-old
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/counter
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including 

wildcard matching on username?

2010-05-20 Thread Jiann-Ming Su
I'm running freeradius 2.1.8 with a MySQL backend.  I want to do MAC based
authentication for network access control on my switch.  Is it possible to
specify a wildcard for the username (MAC address)?  That is, if I have a bunch
of computers with the same OUI on the NICs, how do I configure freeradius to
just match on the OUI without adding each MAC address as a user?  Thanks for
any tips and insights.


  


Re: ISG DHCP relay

2010-05-20 Thread Arran Cudbard-Bell

On May 18, 2010, at 6:34 AM, Alan Buxey wrote:

 Hi,
 
 not quite in the same category  :-P
 
 perhaps more people need to read 'how to ask questions...' ?
 
 http://catb.org/~esr/faqs/smart-questions.html
 
 very good resource!
 

Often, the person telling you to do a search has the manual or the web page 
with the information you need open, and is looking at it as he or she types. 
These replies mean that he thinks (a) the information you need is easy to find, 
and (b) you will learn more if you seek out the information than if you have it 
spoon-fed to you.

You shouldn't be offended by this; by hacker standards, your respondent is 
showing you a rough kind of respect simply by not ignoring you. You should 
instead be thankful for this grandmotherly kindness.

Made me smile :)

-Arran



Re: Authenticating groups via LDAP

2010-05-20 Thread John Dennis

On 05/20/2010 05:44 PM, John Maher wrote:

I really didn't want to post here, but I just can't make any headway
with my radius implementation.  I am very new at this and still quite
confused on how the various config files function and interact with each
other.  So, I'm not surprised that my implementation is only sort of
working.

I have installed freeradius 2.1.8 on Ubuntu Server 8.04 by making deb
packages from the source and installing the deb packages.

Radius is relying on an LDAP server for authentication of wireless
clients. Only clients with valid usernames and passwords in LDAP will
get authenticated.

What I would really like to do (other than actually be able to
understand the concepts behind the config files) is require clients to
be in a particular LDAP group (e.g., wireless-users) in order to
successfully authenticate.  I don't understand how to make that happen.
I've tried creating group filters like this in modules/ldap:

groupname_attribute = cn
groupmembership_filter =
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
groupmembership_attribute = memberUid

and this in users:

DEFAULT LDAP-GROUP == vpn-users
 Service-Type = Administrative-User

But the output seems to indicate that it is not even considering my
radiusd.conf config when it comes to the filter.  (see output below).

I would so welcome assistance with this.  In addition, is there any
resource that is particularly good at explaining how radius and its
config files really work?


I feel your pain, the ldap module is poorly documented and hard to use. 
There is doc in doc/ldap_howto.txt, not sure where that might be 
installed on Ubuntu though. Just a caveat about that ldap_howto.txt, 
it's a bit out of date and was written with a particular configuration 
in mind, but you do need to wrap your head around it to understand where 
values are coming from.


ldap-group isn't very meaningful to set in the users file because it's 
an attribute in the ldap directory. In fact using the users file isn't 
generally useful in combination with ldap because your users are in 
ldap, not a flat file, right? The users file can be useful when you want 
to match on the NAS via huntgroups, the ldap_howto does a fair job of 
illustrating that. So anyway you won't ever find vpn-users defined via 
the users file because the line you have won't be matched by anything. 
Why? Because group gets set via ldap lookups using the 
groupmembership_filter and asking for the groupname_attribute for what 
the filter matched. So one question to ask is: is your ldap directory 
populated with the object classes and attributes this filter is 
searching for?


As an aside one of the very first things I noticed looking at your debug 
output is the ldap module was built to use the Novell eDirectory server 
(which is a compile time switch). Unless you're using the Novell 
eDirectory server rather than a generic directory server things are 
going to behave a bit weird. Any idea why it's built to use Novell? 
Anyway that's probably not the crux of your problem at the moment, just 
a data point. I don't know why the eDirectory #ifdef's are even in 
rlm_ldap, to be honest they seem to be odd to put it politely.


I don't have time at the moment to fully analyze what's going on in your 
set up but one of the very first things I noticed was this:


(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
-
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))

Notice something? Ldap-UserDn was replaced by the empty string and that 
search filter isn't going to do you much good is it? So where does 
Ldap-UserDn come from? From doing a search in LDAP for the user. If the 
user is found then Ldap-UserDn is set to the location at which the user 
was found (think of a dn (i.e. distinguished name) as an address or 
pointer in an LDAP directory). So how was the search done to find the 
user? Well that's just a couple of lines above in the debug output:


  [ldap] performing search in dc=cns, with filter (uid=jmaher)

One of the frustrating things about rlm_ldap is it doesn't provide debug 
output on successful searches, only failures. There is no failure, so we 
assume the search succeeded, but we really don't know what the result 
was :-( As a debugging tip I would suggest running ldapsearch on the 
command line with the same filter and see what you get back.


You should get back a ldap search result with exactly one match with a 
specific dn, that dn is what should be showing up as Ldap-UserDn in 
rlm_ldap. So for starters you need to either populate your directory 
such that ldapsearch finds your user using the same parameters you 
configured in rlm_ldap, or you need to modify the parameters in rlm_ldap 
to match your directory such that it can find the user. That's a good 
starting place from which you can build further functionality.


Hope
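The empty expansion John Dennis points at can be reproduced outside the server. The following is an added example, not rlm_ldap's code, that expands %{Attr} and %{Attr:-fallback} references the way the filters in this thread use them (the fallback may itself be a reference, as in %{Stripped-User-Name:-%{User-Name}}), reports every reference that expanded to nothing, and escapes the substituted values per RFC 4515 section 3, since a User-Name is attacker-controlled input and unescaped it could alter the filter. The AND filters are written with the & that LDAP filter syntax requires; the request attributes and the DN are constructed for the example.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter value.
LDAP_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter, so that a User-Name
    such as 'x)(uid=*' cannot rewrite the filter around it."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(text: str, start: int) -> int:
    """Index of the '}' that closes the '{' at text[start], honouring nesting."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in filter template")


def expand_filter(template: str, attrs: dict, empty=None):
    """Expand %{Attr} and %{Attr:-fallback} references against request attributes.
    Returns (expanded_filter, names_that_expanded_empty); substituted values are escaped,
    literal template text (including literal fallbacks) is copied as-is."""
    if empty is None:
        empty = []
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            name, sep, fallback = template[i + 2:end].partition(":-")
            value = attrs.get(name, "")
            if value:
                out.append(ldap_filter_escape(value))
            elif sep:                       # attribute empty: use the fallback expression
                expanded, _ = expand_filter(fallback, attrs, empty)
                out.append(expanded)
            else:                           # attribute empty and no fallback: note it
                empty.append(name)
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out), empty


# Filters from the thread (the second is the groupmembership_filter seen in the debug output).
POSIX_GROUP_FILTER = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
DEFAULT_GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                        "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")


def check_group_filter(template: str, attrs: dict) -> dict:
    """Expand a group filter for one request and flag the failure mode from the thread:
    a reference that expanded to nothing yields a filter that can match no group."""
    expanded, missing = expand_filter(template, attrs)
    return {"filter": expanded, "missing": missing, "usable": not missing}


if __name__ == "__main__":
    # Constructed attributes for a user the LDAP search found, so Ldap-UserDn is set.
    found = {"User-Name": "jmaher", "Stripped-User-Name": "jmaher",
             "Ldap-UserDn": "uid=jmaher,ou=people,dc=example,dc=org"}
    print(check_group_filter(DEFAULT_GROUP_FILTER, found))
    # The situation in the debug output: no Ldap-UserDn, both references expand empty.
    print(check_group_filter(DEFAULT_GROUP_FILTER, {"User-Name": "jmaher"}))
    # A crafted User-Name is escaped rather than spliced into the filter.
    print(check_group_filter(POSIX_GROUP_FILTER, {"User-Name": "x)(uid=*"}))
```

Run with the attributes from a failing request, the second call prints the same `(member=)` / `(uniquemember=)` filter that appears in the debug output, with `missing` naming Ldap-UserDn twice; that is the cue to go back to the user search (`ldapsearch` with the `(uid=...)` filter, as John suggests) rather than to the group configuration.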