Checking ldap-group in post-auth instead of users file ?
Hello all,

I encounter difficulties checking for a radiusgroupname via LDAP without using the file /etc/raddb/users, as it seems difficult to avoid LDAP checks for anonymous identities if the default config is modified. I must service eap-peap and eap-ttls with mschapv2.

How can I make checks on the LDAP radiusgroupname without using the users file? I have not been able to place something like this in the post-auth section of inner-tunnel ...

    if ( %{control:Ldap-Group} == wireless ) {
        noop
    }
    else {
        reject
    }

I tried to replace this in users:

    # for proxy.conf to work :
    DEFAULT Realm == myreal.com
            reply-Message += real is %{Realm}

    DEFAULT Auth-Type == EAP, EAP-Type == Cisco-LEAP, Ldap-Group == wireless
            reply-Message = Cisco-LEAP match in users : EAP-Type%{EAP-Type}

    DEFAULT Auth-Type == EAP, EAP-Type == Generic-Token-Card, Ldap-Group == wireless
            reply-Message = match in users : EAP-Type:%{EAP-Type}

    DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Ldap-Group == wireless
            reply-Message += in %{Virtual-Server}, proxy %{FreeRADIUS-proxied-To}, EAP-Type:%{EAP-Type}

    DEFAULT Auth-Type == EAP
            reply-Message += in users : EAP-Type:%{EAP-Type}

    DEFAULT Auth-Type := Reject
            Reply-Message += Please call the helpdesk.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Checking ldap-group in post-auth instead of users file ?
On Tue, Jun 01, 2010 at 12:41:38PM +0200, Fred MAISON wrote:
> I have not been able to place something like this in the post-auth section of inner-tunnel ...
>
>     if ( %{control:Ldap-Group} == wireless ) {
>         noop
>     }
>     else {
>         reject
>     }

You have not been able to do that? What error message did 'freeradius -X' report?

--
2. That which causes joy or happiness.
Re: Checking ldap-group in post-auth instead of users file ?
Fred MAISON wrote:
> How can I make checks on the LDAP radiusgroupname without using the users file?

Use attribute comparisons just like the users file.

> I have not been able to place something like this in the post-auth section of inner-tunnel ...
>
>     if ( %{control:Ldap-Group} == wireless ) {

This isn't like the users file.

    if (LDAP-Group == wireless) {
        ...
    }

The extra %{control:...} text isn't necessary.

Alan DeKok.
Re: Checking ldap-group in post-auth instead of users file ?
I surely misunderstand something. In my test, the user is found in LDAP in group wireless, but (Ldap-Group != wireless) evaluates to TRUE ...

NOTE: the user has multiple radiusgroupname values.

    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [eap] Freeing handler
    ++[eap] returns ok
    +- entering group post-auth {...}
    ++? if (Ldap-Group != wireless)
    [ldap] Entering ldap_groupcmp()
    expand: dc=corp,dc=carrefour,dc=com - dc=corp,dc=carrefour,dc=com
    expand: %{Stripped-User-Name} -
    ... expanding second conditional
    expand: %{User-Name} - stephane_deroch
    expand: ((uid= %{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile)) - ((uid=stephane_deroch)(objectclass=radiusProfile))
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] performing search in dc=corp,dc=carrefour,dc=com, with filter ((radiusGroupName=wireless)((uid=stephane_deroch)(objectclass=radiusProfile)))
    rlm_ldap::ldap_groupcmp: User found in group wireless
    [ldap] ldap_release_conn: Release Id: 0
    ? Evaluating (Ldap-Group != wireless) - TRUE
    ++? if (Ldap-Group != wireless) - TRUE
    ++- entering if (Ldap-Group != wireless) {...}
    +++[control] returns noop
    +++[reject] returns reject
    ++- if (Ldap-Group != wireless) returns reject
    } # server inner-tunnel
    [peap] Got tunneled reply code 3
Re: Checking ldap-group in post-auth instead of users file ?
Fred MAISON wrote:
> I surely misunderstand something. In my test, the user is found in LDAP in group wireless, but (Ldap-Group != wireless) evaluates to TRUE ...

Err... that's fairly broken right now. Try:

    if (!(LDAP-Group == wireless)) {
        ...

The reasons for this nonsense are buried inside of the rlm_ldap module. As always, patches are welcome. :)

Alan DeKok.
Re: Checking ldap-group in post-auth instead of users file ?
Thanks, Alan. It seems to work with the following.

In sites-enabled/default:

    post-auth {
        if ( EAP-Type == Cisco-LEAP ) {
            if (!(Ldap-Group == wireless)) {
                fail
            }
        }

In sites-enabled/inner-tunnel:

    post-auth {
        if ( !(Ldap-Group == wireless )) {
            fail
        }
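As an added illustration (not from the thread and not FreeRADIUS code), the following Python models what the `Ldap-Group == wireless` comparison does in the debug output above and the negated form Alan recommends, against a constructed in-memory directory; it assumes the search filter is the usual AND form `(&(radiusGroupName=...)(&(uid=...)(objectclass=radiusProfile)))` with the `&` lost in the list rendering, and it filter-escapes the user-supplied name (RFC 4515) because `%{User-Name}` is interpolated straight into the filter.

```python
# Added example, not from the thread or from FreeRADIUS: a stand-alone model of
# what rlm_ldap's ldap_groupcmp() evaluates for "Ldap-Group == wireless".
# The base DN, entries and user names below are constructed sample data.

BASE_DN = "dc=example,dc=com"

# Constructed directory: one user in several radiusGroupName groups, one not.
DIRECTORY = [
    {"dn": "uid=alice," + BASE_DN, "uid": ["alice"],
     "objectclass": ["radiusProfile"], "radiusgroupname": ["vpn", "wireless"]},
    {"dn": "uid=guest," + BASE_DN, "uid": ["guest"],
     "objectclass": ["radiusProfile"], "radiusgroupname": ["guest"]},
]

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)

def group_filter(user_name: str, group: str) -> str:
    """Filter assumed to correspond to the one rlm_ldap logged in the -X output
    (ampersands restored); both interpolated values are escaped first."""
    return ("(&(radiusGroupName=%s)(&(uid=%s)(objectclass=radiusProfile)))"
            % (ldap_escape(group), ldap_escape(user_name)))

def user_in_group(user_name: str, group: str) -> bool:
    """Evaluate the filter in memory; LDAP attribute values match case-insensitively.
    A user with several radiusGroupName values matches as long as one equals
    the requested group, which is why the multi-group user below passes."""
    uid, grp = user_name.lower(), group.lower()
    for entry in DIRECTORY:
        if (uid in [v.lower() for v in entry["uid"]]
                and "radiusprofile" in [v.lower() for v in entry["objectclass"]]
                and grp in [v.lower() for v in entry["radiusgroupname"]]):
            return True
    return False

def post_auth(user_name: str, group: str = "wireless") -> str:
    """The working post-auth logic from the thread, i.e.
    if (!(Ldap-Group == wireless)) { fail }: negate the positive comparison
    rather than relying on the '!=' form, which the thread reports as broken."""
    return "ok" if user_in_group(user_name, group) else "fail"

if __name__ == "__main__":
    print(group_filter("alice", "wireless"))
    print(post_auth("alice"), post_auth("guest"))
    # A wildcard in the name is escaped, so it cannot match every entry.
    print(group_filter("*", "wireless"), post_auth("*"))
```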