Re: unlang post-auth group-name

2010-09-27 Thread Phil Mayers

On 09/27/2010 01:09 AM, Cameron Wood wrote:


Are we talking about Group-Name (which is implemented by the unix
module and comes from /etc/group) or Ldap-Group (which is
implemented by the ldap module and comes from ldap lookups)?
Both implement their own == hooks so the same constraints apply, but
the difference is relevant of course!


I honestly don't know which one I should be using; the information is in
LDAP, the local system is configured for LDAP and issuing the groups
command returns the local and LDAP groups the user is assigned to. Would
this suggest that I could just use Group-Name, making use of the unix
module?


If you can query LDAP directly, do so. Do not use rlm_unix for LDAP 
queries, even if nsswitch is set up for it.





Below you show an attempt to match both in turn. For Group-Name, the
comparison seems to fail; implying that either the unix module
isn't configured/loaded or the username isn't in the group you're
matching.


I read through the debug log to check that the unix module is getting
loaded, which it appears to be, I'm not aware of any configuration that
needs to be provided for that module, is there any? As for the user


No. As long as the module is being instantiated (which it is) then 
Group-Name should work.



being in the group that is definitely the case, I have verified this
locally on the system, and the Group-Name comparison in Users succeeds
for this case.


Really? Hmm.




If you are trying to match (ldap) Ldap-Group, you will need to
ensure that the LDAP directory is correctly populated.


This I am looking into, to my knowledge it is correctly setup as there
are lots of other systems around our organisation that are referencing
this successfully, but I wonder if the LDAP module is configured
correctly, maybe there is a problem with the search string/query?


I think there might be actually; you have:

groupmembership_filter = ...(member=%{Ldap-UserDn}...

...but the default/sample configs that come with the server have:

groupmembership_filter = ...(member=%{control:Ldap-UserDn}...


That control: is important. Which version of the server are you using 
and where did you get the configs from? If you replace Ldap-UserDn 
with control:Ldap-UserDn (it appears twice in the group filter) does 
it work?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: radius client / send NAS IP ?

2010-09-27 Thread Michael Arndt
Hello Alan,

sorry, my fault :-)
radclient saves my day; indeed I can send any attribute/value pair I like


thanks for your help
Micha






Re: unlang post-auth group-name

2010-09-27 Thread Cameron Wood
: Bind was successful
[ldap] user cameron authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
[reply_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /var/log/radius/radacct/192.168.20.242/reply-detail-20100927
[reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.20.242/reply-detail-20100927
[reply_log] expand: %t -> Mon Sep 27 19:20:50 2010
++[reply_log] returns ok
++[exec] returns noop
expand: %{client:vendor} -> adva
++- entering switch %{client:vendor} {...}
+++- entering case adva {...}
expand: %{control:Tmp-String-1} -> 
++++- entering switch %{control:Tmp-String-1} {...}
++++- switch %{control:Tmp-String-1} returns noop
+++- case adva returns noop
++- switch %{client:vendor} returns noop
Sending Access-Accept of id 220 to 192.168.20.242 port 26154
NS-Admin-Privilege = Root-Admin
Adva-UUM-User-Level = Root
Foundry-INM-Privilege = AAA_pri_15
Cisco-AVPair = shell:priv-lvl=15
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 220 with timestamp +16
Ready to process requests.

eap-tls certificates

2010-09-27 Thread Peter McEvoy
Hi.
I'm in the process of setting up freeradius 2.1.9 on debian lenny/sparc.
I've got everything working for eap tls with the self signed certificates
that come with freeradius. This is working well for macs and some
smartphones but I'm having trouble with windows machines. My research
indicates that buying a certificate from a known CA will solve my problems
(or I believe I could import a certificate into the windows devices but with
up to 1000 clients I'd prefer not to have to do this). Can anyone confirm if
this is the case? If so, is there a specific type of certificate I need to
buy that would include some 'extensions' that I'm told windows clients
require.

Cheers

-- 
Pete

Re: unlang post-auth group-name

2010-09-27 Thread Alan Buxey
Hi,

 rlm_ldap: Entering ldap_groupcmp()
 expand: dc=ac3,dc=com,dc=au -> dc=ac3,dc=com,dc=au
 expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))
  -> (|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))
 rlm_ldap: ldap_get_conn: Checking Id: 0
 rlm_ldap: ldap_get_conn: Got Id: 0
 rlm_ldap: performing search in dc=ac3,dc=com,dc=au, with filter 
 (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau)))
 rlm_ldap: ldap_search() failed: Bad search filter: 
 (&(cn=net_su)(|(&(objectClass=GroupOfNames)(member=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau))(&(objectClass=posixGroup)(memberUid=uid\3dcameron\2cou\3dPeople\2cdc\3dac3\2cdc\3dcom\2cdc\3dau)))
 rlm_ldap: ldap_release_conn: Release Id: 0
 rlm_ldap::ldap_groupcmp: Search returned error


note the rlm_ldap: ldap_search() failed: Bad search filter line

alan


Re: sending accounting for two home servers

2010-09-27 Thread Alan DeKok
Evgeniy Kozhuhovskiy wrote:
 Thnx. Already. But is it possible to do such thing without accounting
 files enabled?

  What does that mean?

  Not that it matters... the way to send accounting packets to two
locations is via the method I previously described.  If you want to use
another method, patch the server.

  Alan DeKok.


Re: unlang post-auth group-name

2010-09-27 Thread Phil Mayers

On 27/09/10 11:44, Cameron Wood wrote:


groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
groupmembership_attribute = radiusGroupName


Attached is a debug log of my logon attempts with these settings, which
still fails unfortunately.


The filter is invalid. You're missing a trailing ) which is easily 
done in the stupid LDAP filter syntax.





If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
queries, even if nsswitch is set up for it.


Noted, are you able to elaborate on why this is the case though, just
like to understand, only if its not too much trouble though.


Two main reasons: firstly, doing the LDAP lookups indirectly via 
rlm_unix is difficult to debug (as we are finding).


Secondly, doing the LDAP lookups directly gives you a more rich 
interface to the underlying LDAP data. Doing it via rlm_unix limits you 
to schema elements present in the posix LDAP schema and get*ent calls.

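An added example, not code from the thread or from FreeRADIUS: it reproduces in Python what rlm_ldap does with the groupmembership_filter discussed above (escape the expanded Ldap-UserDn, substitute it into the template, AND the result with the group name) and then checks the search filter for the bracket fault that produced the "Bad search filter" line Alan quoted. The template, DN and group name are the ones posted in the thread, with the & that the archive dropped put back; the escaping safe set and the structural check are my own assumptions, not FreeRADIUS code.

```python
"""Added example (not from the thread or from FreeRADIUS): build the
search that an Ldap-Group comparison issues and check it for the
bracket fault behind the "Bad search filter" error."""

# groupmembership_filter as posted, with the '&' the archive dropped put
# back and the attribute name case normalised.  The ')' that closes the
# outer '(|' is still missing, which is the fault Phil pointed out.
BROKEN_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
    "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDn}))"
)
FIXED_FILTER = BROKEN_FILTER + ")"
USER_DN = "uid=cameron,ou=People,dc=ac3,dc=com,dc=au"   # from the debug log

# Characters passed through unescaped.  Assumption: chosen so the DN
# above escapes to exactly what the log shows (\3d for '=', \2c for ',').
LDAP_SAFE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def ldap_escape(value: str) -> str:
    """Escape a value before splicing it into a filter.  RFC 4515 only
    requires this for '*', '(', ')', '\\' and NUL, but escaping every
    byte outside a small safe set is equally valid and is what the
    rlm_ldap output above shows; hex digits are emitted in lower case
    to match that output."""
    return "".join(chr(b) if chr(b) in LDAP_SAFE else "\\%02x" % b
                   for b in value.encode("utf-8"))


def check_filter(filt: str):
    """Return None if the filter's parentheses nest into one top-level
    expression, otherwise a message locating the first problem.  An
    escaped byte (backslash plus two hex digits) is skipped so \\28 and
    \\29 are not mistaken for brackets.  Structure only, not a full
    RFC 4515 parser."""
    if not filt.startswith("("):
        return "filter must start with '('"
    depth, i = 0, 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return "unexpected ')' at offset %d" % i
            if depth == 0 and i != len(filt) - 1:
                return "trailing text after offset %d" % i
        i += 1
    if depth > 0:
        return "missing %d closing ')' at end of filter" % depth
    return None


def group_search_filter(template: str, group_cn: str, user_dn: str) -> str:
    """The search rlm_ldap runs for an Ldap-Group comparison, as seen in
    the 'performing search ... with filter' line above: the expanded
    groupmembership_filter AND-ed with (cn=<group>)."""
    expanded = template.replace("%{control:Ldap-UserDn}", ldap_escape(user_dn))
    return "(&(cn=%s)%s)" % (ldap_escape(group_cn), expanded)


if __name__ == "__main__":
    for label, template in (("as posted", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        search = group_search_filter(template, "net_su", USER_DN)
        print("%-10s %s" % (label, check_filter(search) or "ok"))
        print("           " + search)
```

Run stand-alone it reports "missing 1 closing ')'" for the filter as posted and "ok" once the trailing ) is added; running check_filter over a candidate groupmembership_filter before it goes into raddb/modules/ldap catches the class of mistake that the debug log only reveals at request time. The escaping is also why the DN needs no quoting inside the filter: every = and , from the user's DN arrives as \3d and \2c, so a crafted uid cannot smuggle a second assertion into the search.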


Stop user's time

2010-09-27 Thread ziko
hello.
I have freeradius2 on my CentOS and it works fine!
But now I want to add a new feature.
I want to disable a user and stop his time.
I am disabling the user by adding auth-type := reject but his time is not stopping.
How can I stop the user's time?
For example, user john has 25 days and I disabled this user for 2 days. These 25 
days must continue after the 2 days.
I hope there is a solution.
Sorry for my bad English :(




Re: Additional Restrictions for users

2010-09-27 Thread William Burnett
Alan,

Thanks, that helped; I've got the conditions to match. However I've
set up multiple groups:

ssh-admin
ssh-read
ssh-write

and want to use a regexp to match anything containing ssh-* to allow
those users to authenticate instead of multiple lines matching each
value. Can I use regex matching with SQL-Group ?

The following seems to be evaluated as ssh.* and not anything
containing ssh..

if (!SQL-Group =~ /ssh.*/ && (Service-Type == Login-User)) {
        reject
}




Sincerely,

William Burnett
burnet...@gmail.com



On Sat, Sep 25, 2010 at 12:09 AM, Alan DeKok al...@deployingradius.com wrote:
 William Burnett wrote:
 What is the best way to go about this? I was trying to use unlang to
 query my database but can't seem to get the syntax right.

  The sql module queries databases.

 ...
                 if ("%{group_membership_query}" == "ssh") {

  This won't do what you want.  Instead, use

        if (SQL-Group == "ssh") {

  This is documented in raddb/sql.conf.

  Alan DeKok.




Re: sending accounting for two home servers

2010-09-27 Thread Evgeniy Kozhuhovskiy
 Thnx. Already. But is it possible to do such thing without accounting
 files enabled?

   What does that mean?

   Not that it matters... the way to send accounting packets to two
 locations is via the method I previously described.  If you want to use
 another method, patch the server.

Maybe we've misunderstood each other.
But, as far I understand, you suggest such scheme:

First, we're proxying packet to home_server1 using realm module
Second, we store packet in pre_proxy_log
Then, we read it using detail listener from another virtual server
Last, we proxy it again using Proxy-To-Realm from second virtual server

Or not?


Re: Additional Restrictions for users

2010-09-27 Thread Alan DeKok
William Burnett wrote:
 Thanks that helped I've got the conditions to match. However I've
 setup multiple groups:
...
 and want to use a regexp 

  That won't work.  The current code checks for equality, not regex.

 to match anything containing ssh-* to allow
 those users to authenticate instead of multiple lines matching each
 value. Can I use regex matching with SQL-Group ?

  Nope.  But if you patch the code, it might work.

  Alan DeKok.


Re: Additional Restrictions for users

2010-09-27 Thread Alexander Clouter
William Burnett burnet...@gmail.com wrote:
 
 Thanks that helped I've got the conditions to match. However I've
 setup multiple groups:
 
 ssh-admin
 ssh-read
 ssh-write
 
 and want to use a regexp to match anything containing ssh-* to allow
 those users to authenticate instead of multiple lines matching each
 value. Can I use regex matching with SQL-Group ?
 
 The following seems to be evaluated as ssh.* and not anything
 containing ssh..
 
 if (!SQL-Group =~ /ssh.*/ && (Service-Type == Login-User)) {
         reject
 }
 
Does not work like that.  You will need to construct a SQL xlat 
statement that does the check for you, so:

if (%{sql:SELECT } ) {


or however SQL modules function, I'm an LDAP man myself.

Cheers

-- 
Alexander Clouter
.sigmonster says: Are you a turtle?

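As an added illustration of Alexander's suggestion, not code from the thread or from FreeRADIUS: a Python model of the %{sql:...} xlat, run against an in-memory copy of the stock radusergroup table. The query text, the prefix test (SUBSTR rather than LIKE 'ssh-%', so no % needs protecting from the xlat parser and so a group that merely contains "ssh" does not match, which is the complaint about /ssh.*/ above) and the sample rows are my assumptions; the =XX escaping mirrors what rlm_sql does to attributes expanded inside a query, with the safe-characters list as I remember it from the stock sql.conf.

```python
"""Added example (not from the thread or from FreeRADIUS): a model of
the %{sql:...} xlat Alexander suggests, run against an in-memory copy
of the stock radusergroup table."""
import sqlite3

# rlm_sql escapes every byte of an expanded attribute that is not in
# its safe-characters list as =XX before it lands in the query, so a
# User-Name cannot close the quotes the query put around it.  The list
# is the stock default as I remember it from sql.conf (assumption).
SQL_SAFE = set("@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
               "0123456789.-_: /")

# Constructed sample rows in the stock (username, groupname, priority)
# layout; 'nossh-report' is there to show prefix matching, not /ssh.*/.
RADUSERGROUP = [
    ("wburnett", "ssh-admin", 1),
    ("wburnett", "vpn-users", 2),
    ("reader", "ssh-read", 1),
    ("guest", "wifi-guest", 1),
    ("scanner", "nossh-report", 1),
]

# Query text as it would sit inside "%{sql:...}".  SUBSTR is used instead
# of LIKE 'ssh-%' so no '%' needs protecting from the xlat parser (my
# choice; the query itself is an assumption, not from the thread).
GROUP_QUERY = ("SELECT COUNT(*) FROM radusergroup "
               "WHERE username = '%{User-Name}' "
               "AND SUBSTR(groupname, 1, 4) = 'ssh-'")


def sql_escape(value: str) -> str:
    """rlm_sql-style =XX escaping of a value expanded into a query."""
    return "".join(chr(b) if chr(b) in SQL_SAFE else "=%02X" % b
                   for b in value.encode("utf-8"))


def expand_xlat(query: str, user_name: str) -> str:
    """Expand %{User-Name} the way the sql xlat does: escape, then splice."""
    return query.replace("%{User-Name}", sql_escape(user_name))


def make_db() -> sqlite3.Connection:
    """In-memory radusergroup table loaded with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radusergroup "
               "(username TEXT, groupname TEXT, priority INTEGER)")
    db.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", RADUSERGROUP)
    return db


def ssh_group_count(db: sqlite3.Connection, user_name: str) -> str:
    """What "%{sql:...}" expands to: the first column of the first row,
    as a string.  The unlang test is then  == "0"  -> reject."""
    row = db.execute(expand_xlat(GROUP_QUERY, user_name)).fetchone()
    return str(row[0])


def decisions(user_names):
    """Map each User-Name to the accept/reject outcome of the check."""
    db = make_db()
    return {u: ssh_group_count(db, u) != "0" for u in user_names}


if __name__ == "__main__":
    names = ["wburnett", "reader", "guest", "scanner", "x' OR '1'='1"]
    for name, ok in decisions(names).items():
        print("%-16r -> %s" % (name, "accept" if ok else "reject"))
    print(expand_xlat(GROUP_QUERY, "x' OR '1'='1"))
```

In unlang the equivalent is if ("%{sql:<that query>}" == "0") { reject }, placed after sql in authorize: the count comes back as the first column of the first row, so "0" means the user is in no ssh- group. The last name in the list shows why the escaping matters: a User-Name of x' OR '1'='1 reaches the database as x=27 OR =271=27=3D=271 and simply fails to match any row.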


Re: problem with the freeradius installation on debian

2010-09-27 Thread Alfonso Alejandro Reyes Jiménez
Hello Samuel, it is better when you send the mails in English, since most 
people speak that language and it is not really proper to send mails in 
languages they do not understand.


How are you installing the program?

Regards.

Alfonso.

On 27/09/2010 03:59 p.m., Samuel Isaias Barriga Perez wrote:

Dear all:

I am trying to set up a Radius server (Freeradius) on debian (Lenny); the 
problem is that when I run the command radiusd -XX I get the following 
output:


radius01:~# radiusd -XX
Mon Sep 27 20:49:45 2010 : Info: FreeRADIUS Version 2.1.9, for host 
x86_64-unknown-linux-gnu, built on Sep 27 2010 at 02:41:08
Mon Sep 27 20:49:45 2010 : Info: Copyright (C) 1999-2009 The 
FreeRADIUS server project and contributors.
Mon Sep 27 20:49:45 2010 : Info: There is NO warranty; not even for 
MERCHANTABILITY or FITNESS FOR A

Mon Sep 27 20:49:45 2010 : Info: PARTICULAR PURPOSE.
Mon Sep 27 20:49:45 2010 : Info: You may redistribute copies of 
FreeRADIUS under the terms of the

Mon Sep 27 20:49:45 2010 : Info: GNU General Public License v2.
Mon Sep 27 20:49:45 2010 : Info: Starting - reading configuration 
files ...
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/radiusd.conf
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/proxy.conf
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/clients.conf
Mon Sep 27 20:49:45 2010 : Debug: including files in directory 
/usr/local/etc/raddb/modules/
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/exec
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/inner-eap
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/pap
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/smsotp
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/preprocess
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/detail.log
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/sqlcounter_expire_on_login
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/attr_filter
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/echo
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/expiration
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/policy
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/ldap
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/expr
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/unix
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/wimax
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/always
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/krb5
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/ntlm_auth
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/mac2vlan
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/digest
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/linelog
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/detail
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/pam
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/attr_rewrite
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/passwd
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/files
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/realm
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/mac2ip
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/etc_group
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/checkval
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/radutmp
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/acct_unique
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/cui
Mon Sep 27 20:49:45 2010 : Debug: including configuration file 
/usr/local/etc/raddb/modules/sradutmp
Mon Sep 27 20:49:45 2010 : Debug: including