ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
Dear listmembers,

I have following setup:


-   Centos 6.4

-   freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host 
x86_64-redhat-linux-gnu, built on Oct  3 2012 at 01:22:51

-   authorization and authentication in LDAP (OpenLDAP)

What I am trying to achieve is:

-   manage radius profiles completely in ldap with replyItems

-   return the reply items of multiple profiles to a user if he belongs to 
multiple profiles

Example RADIUS Profiles:

dn: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: AOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: aosReadWrite
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Read-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Write-Priv
radiusReplyItem: Alcatel-Access-Priv += Alcatel-Admin-Priv
radiusReplyItem: Alcatel-Acce-Priv-F-W1 = 0x
radiusReplyItem: Alcatel-Acce-Priv-F-W2 = 0x

dn: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
cn: screenOS Read-Write
objectClass: radiusObjectProfile
objectClass: radiusProfile
uid: sosReadWrite
radiusReplyItem: NS-Admin-Privilege = Root-Admin

Example RADIUS User:

dn: uid=hachmer,ou=users,ou=radius,dc=example,dc=com
cn: Tobias Hachmer
givenName: Tobias
mail: tobias.hach...@stadt-frankfurt.de
radiusServiceType: Administrative-User
sn: Hachmer
uid: hachmer
objectClass: top
objectClass: inetOrgPerson
objectClass: radiusProfile
userPassword:: ...
radiusGroupName: aosReadWrite
radiusGroupName: sosReadWrite

I don't know how to configure FreeRADIUS to read the radiusGroupName 
attribute and attach the configured return Items to the return list.

Using unlang I am able to do this:
if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
	update reply {
		Alcatel-Access-Priv = Alcatel-Read-Priv
		Alcatel-Access-Priv += Alcatel-Write-Priv
		Alcatel-Access-Priv += Alcatel-Admin-Priv
		Alcatel-Acce-Priv-F-W1 := 0x
		Alcatel-Acce-Priv-F-W2 := 0x
		Alcatel-Asa-Access := All
	}
}
if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
	update reply {
		NS-Admin-Privilege := Root-Admin
	}
}

This is working fine but has the disadvantage that I have to configure the 
return items statically in the FreeRADIUS configuration files.
I want to manage these profiles in LDAP as well. Is this possible?

Kind regards,
Tobias Hachmer
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ldap: multiple radius profiles

2013-09-02 Thread Arran Cudbard-Bell
 
 I don’t know how to configure FreeRADIUS to read the “radiusGroupName” 
 attribute and attach the configured return Items to the return list.

*configured reply items to the reply list.

  
 Using unlang I am able to do this:
 if (Ldap-Group == "cn=aosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
 	update reply {
 		Alcatel-Access-Priv = Alcatel-Read-Priv
 		Alcatel-Access-Priv += Alcatel-Write-Priv
 		Alcatel-Access-Priv += Alcatel-Admin-Priv
 		Alcatel-Acce-Priv-F-W1 := 0x
 		Alcatel-Acce-Priv-F-W2 := 0x
 		Alcatel-Asa-Access := All
 	}
 }
 if (Ldap-Group == "cn=sosReadWrite,ou=groups,ou=radius,dc=example,dc=com") {
 	update reply {
 		NS-Admin-Privilege := Root-Admin
 	}
 }
  
 This is working fine but has the disadvantage that I have to configure the 
 return items statically in the FreeRADIUS configuration files.

Yes.

 I want to manage these profiles in LDAP as well. Is this possible?

Well yes, that's the point of RADIUS profiles in LDAP.

You need to set the profile_attribute configuration item to 
radiusGroupName. IIRC you also need to use full DNs for the radiusGroupName 
values.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

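A minimal rlm_ldap configuration for what Arran describes, as an added example: it is not a file from the thread or from the stock FreeRADIUS distribution. The syntax is FreeRADIUS 2.1.x; the LDAP host name, the bind identity and password, the base DN and the name "uid=baseline" are assumptions, while the attribute names and profile DNs follow the LDIF posted above.

```conf
#  raddb/modules/ldap for FreeRADIUS 2.1.x.  Added example, not a file from
#  the thread or the stock distribution.  Assumed: the LDAP host name, the
#  bind identity and password, and the base DN; the attribute names and the
#  DNs follow the LDIF posted in the question.
ldap {
	server   = "ldap.example.com"
	identity = "cn=radius,ou=services,dc=example,dc=com"
	password = "REPLACE_WITH_BIND_PASSWORD"
	basedn   = "ou=users,ou=radius,dc=example,dc=com"
	filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	#  Every profile DN is fetched with a base-scope search that must also
	#  match this filter, so profile entries need objectClass radiusProfile
	#  (the entries uid=aosReadWrite and uid=sosReadWrite above have it).
	base_filter = "(objectclass=radiusprofile)"

	#  Read the user entry's radiusGroupName values as profile DNs.  The
	#  module walks every value, so a user carrying two of them receives
	#  the reply items of both profiles.  Values must be full DNs:
	#      radiusGroupName: uid=aosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
	#      radiusGroupName: uid=sosReadWrite,ou=profiles,ou=radius,dc=example,dc=com
	#  A bare "aosReadWrite" as in the question names no entry, so that
	#  profile contributes nothing.
	profile_attribute = "radiusGroupName"

	#  Optional profile applied to every user before the per-user ones
	#  ("uid=baseline" is an assumed name).
	# default_profile = "uid=baseline,ou=profiles,ou=radius,dc=example,dc=com"

	#  Maps LDAP attributes of the user and profile entries to RADIUS
	#  attributes.  The stock file carries the generic lines
	#      checkItem  $GENERIC$  radiusCheckItem
	#      replyItem  $GENERIC$  radiusReplyItem
	#  which parse each "radiusReplyItem: Attribute op Value" string, so
	#  "Alcatel-Access-Priv += Alcatel-Write-Priv" lands in the reply with
	#  its += operator intact.  Leave them uncommented.
	dictionary_mapping = ${confdir}/ldap.attrmap

	ldap_connections_number = 5
	timeout     = 4
	timelimit   = 3
	net_timeout = 1
}
```

Restart with radiusd -X and send a test Access-Request for the user; the ldap module's debug output shows each profile DN it searches, which is the quickest way to spot a value that is not a DN. Two things matter once several profiles apply. Reply items are merged with the users(5) operator semantics: `+=` always appends, `=` adds only if the attribute is not there yet, and `:=` replaces whatever earlier profiles put in, so the three `+=` lines of the aosReadWrite profile only stack if no later profile uses `:=` on Alcatel-Access-Priv. Profiles are applied in the order the directory returns the radiusGroupName values, and the user entry's own radius* attributes are merged after them. Note also that the unlang in the question compared Ldap-Group against entries under ou=groups while the profiles live under ou=profiles; profile_attribute only follows the DNs it is given, so keep the two trees consistent if you use both mechanisms.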


Re: Fwd: radiusclient-ng in Debian

2013-09-02 Thread Daniel Pocock

The FTP masters just accepted the new freeradius-client package; it
should be available to install now using apt-get.

I've opened a bug request for removal of the radiusclient-ng package
from the Debian archive




On 19/07/13 19:25, Daniel Pocock wrote:

 On 15/07/13 23:21, Daniel Pocock wrote:

 On 15/07/13 21:51, Alan DeKok wrote:
 Daniel Pocock wrote:
 I just opened this report against radiusclient-ng in Debian (see below),
 can anybody else comment on the situation, in particular, for
 compatibility?  Is there any urgency for Debian to update to the new
 client code?
   It has a number of bugs fixed.  The old radiusclient-ng code is no
 longer maintained.
 I'm in the pkg-voip group at Debian so I can potentially package this
 new version of the library

 I've uploaded this today, it is in Debian's approval queue now

 For anybody who can't wait, packaging artifacts are here:

 Vcs-Git: git://git.debian.org/pkg-voip/freeradius-client.git

 Vcs-Browser:
 http://git.debian.org/?p=pkg-voip/freeradius-client.git;a=summary




Re: client code for long extended attributes?

2013-09-02 Thread Daniel Pocock
On 20/07/13 14:56, Alan DeKok wrote:
 Daniel Pocock wrote:
 Should this code be shared with the client project freeradius-client?
   No.  The freeradius-client code is pretty bad.

 Or is it preferred to build a new client (or shared library) from the
 freeradius-server repository eventually?
   The client code is already LGPL'd.  So it could be used as a client.

Could you please clarify that: is it possible to build a client library
from the server source tarball?

In Debian, I see libfreeradius2 built from the server source tarball
but that appears to be server-side library code, or is it also for
client applications?




Re: client code for long extended attributes?

2013-09-02 Thread Alan DeKok
Daniel Pocock wrote:
 Could you please clarify that: is it possible to build a client library
 from the server source tarball?

  Yes.  RedHat already packages libfreeradius-radius as a separate RPM,
IIRC.

 In Debian, I see libfreeradius2 built from the server source tarball
 but that appears to be server-side library code, or is it also for
 client applications?

  Yes.  It's a fully-featured LGPL'd RADIUS library.  It handles
everything related to RADIUS.  Sockets, encoding, decoding,
dictionaries, etc.

  Alan DeKok.


Re: Fwd: radiusclient-ng in Debian

2013-09-02 Thread Alan DeKok
Daniel Pocock wrote:
 The FTP masters just accepted the new freeradius-client package; it
 should be available to install now using apt-get.
 
 I've opened a bug request for removal of the radiusclient-ng package
 from the Debian archive

  Thanks.

  Alan DeKok.


Re: Rlm_perl in func_authenticate

2013-09-02 Thread Mehdi Ravanbakhsh
Thanks for your reply.
On Sep 2, 2013 12:36 AM, Alan DeKok al...@deployingradius.com wrote:

 Mehdi Ravanbakhsh wrote:
  I have some problem understanding the capabilities of rlm_perl
  in authenticate ...
 
  if i use this :
 
  DEFAULT  Auth-Type = Perl
  Fall-Through = yes
 
  then is all user authentication done with this Auth-Type?

   Yes.  That's what you told it to do.

  So what happens to the PAP and CHAP modules?

   They're not called.

  and what is the relation of all the modules in the authenticate section?

   Read the comments before the authenticate section.  And doc/aaa.rst.
  This is documented.

   Alan DeKok.

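The authenticate section that Alan's answer refers to, as an added illustration: this is FreeRADIUS 2.x syntax written for this page, not text from the thread, and it is trimmed to the three sub-sections that matter here rather than being the full stock raddb/sites-enabled/default. The instance name "perl" is the one defined in raddb/modules/perl.

```conf
#  authenticate section of raddb/sites-enabled/default, FreeRADIUS 2.x.
#  Added example, trimmed to the sub-sections relevant to the question.
#
#  The server runs exactly one "Auth-Type ..." sub-section per request:
#  the one named by the Auth-Type control item that the authorize section
#  left behind.  With the users entry from the question,
#      DEFAULT  Auth-Type = Perl
#               Fall-Through = yes
#  a request that reaches authenticate with Auth-Type Perl runs only the
#  "Auth-Type Perl" sub-section; "Auth-Type PAP" and "Auth-Type CHAP" are
#  not entered, so pap and chap do no authentication work for it.
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	#  rlm_perl needs its own sub-section.  Without it a request whose
	#  Auth-Type is Perl is rejected, because no authenticate method
	#  exists for that Auth-Type.
	Auth-Type Perl {
		perl
	}
}
```

Watch the operator in the users entry. `Auth-Type = Perl` only sets Auth-Type when no earlier module in authorize has set it, and in the stock authorize section chap runs before files and sets Auth-Type for requests that carry CHAP-Password; `Auth-Type := Perl` overrides unconditionally and is the unambiguous form if every user really is meant to go through the Perl module. If only some users should, leave Auth-Type out of DEFAULT, let pap and chap pick it from the request, and set `Auth-Type := Perl` on the individual entries that need it.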

Re: eap-tls ignore client cert expiry check - crazy idea?

2013-09-02 Thread ken.farrington
Hi All,

Just to let you all know I did get all my setup working (took me a while, not
being a Linux guru) but it does work as expected.  Just in case anyone was
wondering :)

Many thanks all
Ken
:)

On 29 August 2013 at 16:05 ken.farrington ken.farring...@802.co.uk wrote:

  Hi All,
 
  Is there a way, if I had 10 clients in my home lab and all the certs expire
 tomorrow, that rather than re-provide all the certs to my clients, I can frig
 the RADIUS server time to still accept them?
 
  I'm guessing this is a no, but from what I see, the client cert is presented
 and checked against the server time.
 
  Would this be correct?
 
  Many thanks in advance
  Ken
 
 
 

AW: ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
 I don't know how to configure FreeRADIUS to read the radiusGroupName 
 attribute and attach the configured return Items to the return list.
*configured reply items to the reply list.

Of course, sorry for the inaccuracy.

 I want to manage these profiles in LDAP as well. Is this possible?
Well yes, that's the point of RADIUS profile in LDAP.
You need to set the profile_attribute configuration item to 
radiusGroupName. IIRC you also need to use full DNs for the radiusGroupName 
values.

That was the missing hint. Thank you Arran!
It is working as expected.

Kind regards,
Tobias Hachmer