combining LDAP and SQL

2008-11-27 Thread mj mailing lists user
Hi,

I've got a working (my)sql freeradius2.1 configuration where users are put in 
groups (usergroup). I added an 'IP' column to the radgroupcheck table so that I can 
force radius clients into some groups (via %{Client-IP-Address}).

This allows me to say who can connect from where (WiFi, Dialup, 
StudentRooms, ...) and have users in multiple groups.
Up to now all my users are stored in the DB.

I'm now asked to integrate a new LDAP server into the equation.
Not all users will be put in LDAP (guest users and conference groups will stay in 
the DB). So there will still be users in the DB.
All LDAP users have to be granted WiFi access.
Other access is DB dependent (Dialup, StudentRooms, ...).

I've tried to add both ldap and sql authorization, but I've got trouble limiting 
LDAP users.

This is how it should work:
a: if LDAP OK and client is in WiFi, accept
b: if LDAP OK and user in usergroup for the right group (%{Client-IP-Address} 
dependent), accept
c: if LDAP !OK, do the classic SQL processing.

If I understand correctly, the usual SQL process is as follows:
  1. check user in radcheck
  2. if found, check user in usergroup
  3. if found, check radgroupcheck

But if LDAP knows the user I've got to add the 'WiFi' group to the result of the 
usergroup query and skip the radcheck query.

Do you see a way through this?

Thanks for reading.

Michel
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
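One way to express the a/b/c policy above in the authorize section of a FreeRADIUS 2.x virtual server (raddb/sites-enabled/default). This is an added example, not Michel's configuration or anything from the FreeRADIUS project. It assumes an rlm_ldap instance named "ldap" and an rlm_sql instance named "sql", that the poster's 'IP' column in radgroupcheck holds the client address that the group applies to and that his group queries already filter on it, and that the WiFi group is literally named 'WiFi'. The idea is to run ldap first, then branch on its return code rather than trying to change the SQL query results:

```unlang
authorize {
    preprocess

    # Step 1: ask LDAP whether the user exists. rlm_ldap returns ok/updated
    # for a known user and notfound otherwise; it also sets Auth-Type := LDAP
    # when no cleartext password could be fetched (assumed 2.x behaviour).
    ldap

    if (ok || updated) {
        # Case a: every LDAP user may connect from a WiFi client. The
        # client's identity is looked up through the poster's own 'IP'
        # column (assumption: one row per client address in radgroupcheck).
        # Client-IP-Address is an ipaddr attribute, so no quoting problem
        # arises when it is expanded into the query.
        if ("%{sql:SELECT COUNT(*) FROM radgroupcheck WHERE groupname='WiFi' AND IP='%{Client-IP-Address}'}" != "0") {
            ok
        }
        else {
            # Case b: not a WiFi client, so the user's DB groups decide.
            # The user is not in radcheck (the password lives in LDAP), so
            # rlm_sql only evaluates usergroup + radgroupcheck; the poster's
            # IP-aware group query keeps the %{Client-IP-Address} dependency.
            sql

            # A user absent from both radcheck and every group yields
            # notfound, which would otherwise fall through silently.
            if (notfound) {
                reject
            }
        }
    }
    else {
        # Case c: unknown to LDAP (guests, conference accounts): classic SQL
        # processing with radcheck first, exactly as before.
        sql
    }

    pap
}
```

Two points worth checking in `radiusd -X` before relying on this: the `else` branch also catches an LDAP `fail` (server unreachable), so an LDAP user would then be evaluated against the DB instead of being rejected; add an explicit `if (fail) { reject }` after `ldap` if that is not wanted. And in case b the Auth-Type set by rlm_ldap must survive the sql call, so the radgroupreply rows for those groups should not overwrite Auth-Type.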


re:Re: Read radius client from database

2008-11-26 Thread mj mailing lists user
Hi, it seems to me you are missing rlm_sql; when I start radiusd -X I get the 
following lines:

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
..
rlm_sql_mysql: query:  SELECT id, nasname, shortname, type, secret FROM nas

This last line is then followed by
rlm_sql (sql): Read entry nasname=127.0.0.1,shortname=localhost,secret=secretpw
..

Maybe you didn't configure sql right.
In freeradius2:
Uncomment sql in raddb/sites-enabled/default
Check your raddb/sql.conf file

In freeradius1, uncomment sql (authorize section) in radiusd.conf and adapt 
sql.conf.


Michel


Debug Trace:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/jradius.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded jradius
 jradius: name = example
 jradius: primary = 127.0.0.1
 jradius: secondary = 192.168.1.2:1815
 jradius: tertiary = 192.168.1.2:1816
 jradius: timeout = 1
 jradius: onfail = NOOP
 jradius: keepalive = yes
 jradius: connections = 8
rlm_jradius: configuring jradius server 127.0.0.1:1814
rlm_jradius: configuring jradius server 192.168.1.2:1815
rlm_jradius: configuring jradius server 192.168.1.2:1816
rlm_jradius: starting JRadius connection 0
rlm_jradius: starting JRadius connection 1
rlm_jradius: starting JRadius connection 2
rlm_jradius: starting JRadius connection 3
rlm_jradius: starting JRadius connection 4
rlm_jradius: starting JRadius connection 5
rlm_jradius: starting JRadius connection 6
rlm_jradius: starting JRadius connection 7
Module: