Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Fred MAISON
Hello all,

I am having difficulties checking for a radiusgroupname via LDAP without
using the file /etc/raddb/users, as it seems difficult to avoid LDAP
checks for anonymous identities if the default config is modified.
I must service EAP-PEAP and EAP-TTLS with MSCHAPv2.

How can I make checks on the LDAP radiusgroupname without using the users
file?

I have not been able to place something like this in the post-auth
section of inner-tunnel ...
if (%{control:Ldap-Group} == wireless) {
    noop
} else {
    reject
}


I tried to replace this in users:
# for proxy.conf to work :
DEFAULT Realm == "myreal.com"
	Reply-Message += "realm is %{Realm}"

DEFAULT Auth-Type == EAP, EAP-Type == Cisco-LEAP, Ldap-Group == wireless
	Reply-Message = "Cisco-LEAP match in users : EAP-Type:%{EAP-Type}"
DEFAULT Auth-Type == EAP, EAP-Type == Generic-Token-Card, Ldap-Group == wireless
	Reply-Message = "match in users : EAP-Type:%{EAP-Type}"
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Ldap-Group == wireless
	Reply-Message += "in %{Virtual-Server}, proxy %{FreeRADIUS-Proxied-To}, EAP-Type:%{EAP-Type}"
DEFAULT Auth-Type == EAP
	Reply-Message += "in users : EAP-Type:%{EAP-Type}"
DEFAULT Auth-Type := Reject
	Reply-Message += "Please call the helpdesk."


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Josip Rodin
On Tue, Jun 01, 2010 at 12:41:38PM +0200, Fred MAISON wrote:
 I have not been able to place something like this in the post-auth
 section of inner-tunnel ...
   if (%{control:Ldap-Group} == wireless) {
       noop
   } else {
       reject
   }

You have not been able to do that?

What error message did 'freeradius -X' report?

-- 
 2. That which causes joy or happiness.


Re: Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Alan DeKok
Fred MAISON wrote:
 How can I make checks on the LDAP radiusgroupname without using the users
 file?

  Use attribute comparisons just like the users file.

 I have not been able to place something like this in the post-auth
 section of inner-tunnel ...
   if (%{control:Ldap-Group} == wireless) {

  This isn't like the users file.

if (LDAP-Group == wireless) {
...
}

  The extra ${control:...} text isn't necessary.

  Alan DeKok.


Re: Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Fred MAISON
I surely misunderstand something: in my test,
the user is found on LDAP in group wireless, but (Ldap-Group != wireless)
evaluates to TRUE ...
NOTE: the user has multiple radiusgroupname values

+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++? if (Ldap-Group != wireless)
  [ldap] Entering ldap_groupcmp()
expand: dc=corp,dc=carrefour,dc=com -> dc=corp,dc=carrefour,dc=com
expand: %{Stripped-User-Name} ->
... expanding second conditional
expand: %{User-Name} -> stephane_deroch
expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile)) -> (&(uid=stephane_deroch)(objectclass=radiusProfile))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=corp,dc=carrefour,dc=com, with filter (&(radiusGroupName=wireless)(&(uid=stephane_deroch)(objectclass=radiusProfile)))
rlm_ldap::ldap_groupcmp: User found in group wireless
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group != wireless) -> TRUE
++? if (Ldap-Group != wireless) -> TRUE
++- entering if (Ldap-Group != wireless) {...}
+++[control] returns noop
+++[reject] returns reject
++- if (Ldap-Group != wireless) returns reject
} # server inner-tunnel
[peap] Got tunneled reply code 3


Re: Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Alan DeKok
Fred MAISON wrote:
 I surely misunderstand something: in my test,
 the user is found on LDAP in group wireless, but (Ldap-Group != wireless)
 evaluates to TRUE ...

  Err that's fairly broken right now.  Try:

if (!(LDAP-Group == wireless)) {
...

  The reasons for this nonsense are buried inside of the rlm_ldap module.

  As always, patches are welcome. :)

  Alan DeKok.
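The search that ldap_groupcmp() runs in the debug output above, and the positive-only comparison that Alan's if (!(Ldap-Group == wireless)) form relies on, as an added example (my own code, not FreeRADIUS, rlm_ldap or anything posted in this thread). It assumes the user filter and group attribute shown in the log, builds the (&(radiusGroupName=<group>)<expanded user filter>) search the log prints, and evaluates it against a constructed in-memory directory rather than a real LDAP server; the xlat expander only handles %{Attr} and the %{X:-Y} fallback, and the filter parser only the AND/OR/equality subset. It goes a little beyond the thread by also covering a realm-stripped identity (Stripped-User-Name set) and an entry that has the group but not the objectClass the user filter requires.

```python
"""Model of the Ldap-Group check seen in the debug output above (added
example, not FreeRADIUS or rlm_ldap code). It reproduces the xlat fallback
%{%{Stripped-User-Name}:-%{User-Name}} and the group search filter
(&(radiusGroupName=<group>)<expanded user filter>), evaluated against a
constructed in-memory directory instead of a real LDAP server."""

# Constructed sample directory (not real data): attribute names lowercase, all
# values multi-valued. Entry 0 has several radiusGroupName values (the NOTE
# above); entry 2 has the group but the wrong objectClass for the user filter.
DIRECTORY = [
    {"uid": ["stephane_deroch"], "objectclass": ["radiusProfile", "person"],
     "radiusgroupname": ["wireless", "vpn", "helpdesk"]},
    {"uid": ["guest_user"], "objectclass": ["radiusProfile"], "radiusgroupname": ["guest"]},
    {"uid": ["svc_printer"], "objectclass": ["device"], "radiusgroupname": ["wireless"]},
]
# User filter and group attribute as they appear in the thread's debug output.
USER_FILTER = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile))"
GROUP_ATTR = "radiusGroupName"

def xlat(template, request):
    """Expand %{Attr} and %{X:-Y} (X, or Y when X expands to empty)."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        close = _closing_brace(template, i + 1)
        out.append(_expand(template[i + 2:close], request))
        i = close + 1
    return "".join(out)

def _closing_brace(s, open_idx):
    depth = 0
    for k in range(open_idx, len(s)):
        depth += (s[k] == "{") - (s[k] == "}")
        if depth == 0:
            return k
    raise ValueError("unbalanced xlat in %r" % s)

def _expand(inner, request):
    """inner is 'Attr' or 'X:-Y'; split only at a top-level ':-'."""
    depth = 0
    for k in range(len(inner) - 1):
        depth += (inner[k] == "{") - (inner[k] == "}")
        if depth == 0 and inner[k:k + 2] == ":-":
            x = inner[:k]
            primary = xlat(x, request) if x.startswith("%{") else request.get(x, "")
            return primary or xlat(inner[k + 2:], request)
    return request.get(inner, "")

def parse_filter(s):
    """Parse an RFC 4515 subset: (&..), (|..), (attr=value), (attr=*)."""
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data in filter %r" % s)
    return node

def _parse(s, pos):
    if s[pos] != "(":
        raise ValueError("expected '(' at %d in %r" % (pos, s))
    op, pos = s[pos + 1], pos + 1
    if op in "&|":
        subs, pos = [], pos + 1
        while s[pos] != ")":
            node, pos = _parse(s, pos)
            subs.append(node)
        return (op, subs), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(n, entry) for n in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def ldap_groupcmp(request, group, directory=DIRECTORY, user_filter=USER_FILTER):
    """Model of rlm_ldap's Ldap-Group comparison: search for
    (&(<group attr>=<group>)<expanded user filter>); returns (found, filter).
    Positive test only: negate outside, as if (!(Ldap-Group == wireless)) does."""
    filt = "(&(%s=%s)%s)" % (GROUP_ATTR, group, xlat(user_filter, request))
    node = parse_filter(filt)
    return any(matches(node, e) for e in directory), filt

# Constructed sample requests: inner-tunnel identity, realm-stripped identity,
# a user outside the group, and the entry with the wrong objectClass.
REQUESTS = {
    "inner": {"User-Name": "stephane_deroch"},
    "realm": {"User-Name": "stephane_deroch@myreal.com", "Stripped-User-Name": "stephane_deroch"},
    "guest": {"User-Name": "guest_user"},
    "printer": {"User-Name": "svc_printer"},
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        found, filt = ldap_groupcmp(req, "wireless")
        print("%-8s %s -> %s" % (name, filt, "found" if found else "not found"))
```

Run as a script it prints, for each constructed request, the exact filter that would be sent and whether an entry matched. The realm case shows the Stripped-User-Name fallback landing in the filter, and the printer case shows why the objectclass term in the user filter matters: the entry carries radiusGroupName=wireless but is still not a match.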


Re: Checking ldap-group in post-auth instead of users file ?

2010-06-01 Thread Fred MAISON
Thanks, Alan.

It seems to work with the following:
in sites-enabled/default:
post-auth {
    if (EAP-Type == Cisco-LEAP) {
        if (!(Ldap-Group == wireless)) {
            fail
        }
    }
    ...
}

in sites-enabled/inner-tunnel:

post-auth {
    if (!(Ldap-Group == wireless)) {
        fail
    }
}

