Reject connect based on Ldap Attributes

2004-06-23 Thread Lew A
I'm trying to set it up so, when a connection comes in from a certain
NAS-IP-Address, and the user trying to connect has a specific Ldap
Attribute set they won't be able to connect. I haven't been able to
successfully figure out how to do this. I'm using FreeRadius 0.98. It
matches default 93, then does ldap stuff, then because it auths with ldap
it just returns. Is there a way to get it to go back to users so I can
deny based on an ldap attribute?

This is what I have setup:
huntgroup:
ludo   NAS-IP-Address == 255.255.255.255

users:
DEFAULT Auth-Type = Ldap  = default 93
Fall-Through = 1

DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
Reply-Message = woah.

This is a radtest:
ludo# radtest WWWtstmnky test123 localhost 3 testing123
Sending Access-Request of id 33 to 127.0.0.1:1812
User-Name = WWWtstmnky
User-Password = abc123
NAS-IP-Address = ludo.gwi.net
NAS-Port = 3
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=33, length=32
Test = 28

This is radiusd debugging output:
rad_recv: Access-Request packet from host 127.0.0.1:4948, id=33, length=62
User-Name = WWWtstmnky
User-Password = test123
NAS-IP-Address = 255.255.255.255
NAS-Port = 3
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: No '@' in User-Name = WWWtstmnky, looking up realm NULL
rlm_realm: Found realm NULL
rlm_realm: Adding Stripped-User-Name = WWWtstmnky
rlm_realm: Proxying request from user WWWtstmnky to realm NULL
rlm_realm: Adding Realm = NULL
rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module suffix returns noop for request 0
users: Matched DEFAULT at 93
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
radius_xlat:  '(uid=WWWtstmnky)'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=gwi,dc=net/jogging cures the common cold
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
ldap_release_conn: Release Id: 0
radius_xlat:
'(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net)))'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter
(&(cn=true)(|(&(objectClass=GroupOfNames)(member=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: object not found or got ambiguous search result
ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group true not found or user is not a member.
  modcall[authorize]: module files returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for WWWtstmnky
radius_xlat:  '(uid=WWWtstmnky)'
radius_xlat:  'ou=Users,o=gwi.net,dc=gwi,dc=net'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=Users,o=gwi.net,dc=gwi,dc=net, with
filter (uid=WWWtstmnky)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding gidNumber as Test, value 28  op=11
rlm_ldap: user WWWtstmnky authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module ldap returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Ldap
auth: type LDAP
modcall: entering group Auth-Type for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by WWWtstmnky with password test123
rlm_ldap: user DN: uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net
rlm_ldap: (re)connect to localhost:389, authentication 1
rlm_ldap: bind as uid=WWWtstmnky,ou=Users,o=gwi.net,dc=gwi,dc=net/test123
to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user WWWtstmnky authenticated succesfully
  modcall[authenticate]: module ldap returns ok for request 0
modcall: group Auth-Type returns ok for request 0
Sending Access-Accept of id 33 to 127.0.0.1:4948
Test = 28
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 33 with timestamp 40d985a6
Nothing to do.  Sleeping until we see a request.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reject connect based on Ldap Attributes

2004-06-23 Thread Matthew Schumacher
Lew A wrote:
I'm trying to set it up so, when a connection comes in from a certain
NAS-IP-Address, and the user trying to connect has a specific Ldap
Attribute set they won't be able to connect. I haven't been able to
successfully figure out how to do this. I'm using FreeRadius 0.98. It
matches default 93, then does ldap stuff, then because it auths with ldap
it just returns. Is there a way to get it to go back to users so I can
deny based on an ldap attribute?
This is what I have setup:
huntgroup:
ludo   NAS-IP-Address == 255.255.255.255
users:
DEFAULT Auth-Type = Ldap  = default 93
Fall-Through = 1
DEFAULT Huntgroup-Name == ludo, Test == 28, Auth-Type := Reject
Reply-Message = woah.
I'm doing something similar but I filter this stuff in the ldap search
filter.  I set up two ldap modules in the radiusd.conf file:

ldap ldap_dsl {
  filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDSLEnabled=1)(aptAccountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dsl.attrmap
}

ldap ldap_dialup {
  filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectClass=aptAccount)(aptDialupEnabled=1)(aptAccountEnabled=1))"
  dictionary_mapping = ${raddbdir}/ldap_dialup.attrmap
}

authorize {
  autztype ldap_dialup { ldap_dialup }
  autztype ldap_dsl { ldap_dsl }
}
Then in my users config file I define which ldap module to use based on nas:
DEFAULT Auth-Type := DSL, NAS-IP-Address == x.x.x.x, Autz-Type := ldap_dsl
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1492
DEFAULT Auth-Type := DIALUP, NAS-IP-Address == x.x.x.x, Autz-Type := ldap_dialup
  Service-Type = Framed-User,
  Framed-Protocol = PPP,
  Framed-MTU = 1500

That way I can use a completely different search filter and attribute
set for my dial-up and DSL NASes.  This gives me the ability to assign a
different dialup and dsl static ip to the same user.

HTH,
schu
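A constructed Python model of the per-NAS Autz-Type selection described in this reply (an added example, not FreeRADIUS or rlm_ldap code): it builds the reply's two search filters from the user name, evaluates them against an in-memory directory, and shows that a user whose enable flag is 0 for one service is rejected on that NAS but accepted on the other. The NAS addresses and directory entries are constructed placeholders for the x.x.x.x and the aptAccount records in the post.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (not real data).
DIRECTORY = [
    {"uid": "alice", "objectClass": "aptAccount", "aptAccountEnabled": "1",
     "aptDSLEnabled": "1", "aptDialupEnabled": "0"},
    {"uid": "bob", "objectClass": "aptAccount", "aptAccountEnabled": "1",
     "aptDSLEnabled": "1", "aptDialupEnabled": "1"},
    {"uid": "carol", "objectClass": "aptAccount", "aptAccountEnabled": "0",
     "aptDSLEnabled": "1", "aptDialupEnabled": "1"},
]

# The users-file choice of Autz-Type per NAS; addresses are placeholders for x.x.x.x.
NAS_TO_AUTZ = {"192.0.2.10": "ldap_dsl", "192.0.2.20": "ldap_dialup"}
AUTZ_FILTER = {
    "ldap_dsl": "(&(uid=%s)(objectClass=aptAccount)(aptDSLEnabled=1)(aptAccountEnabled=1))",
    "ldap_dialup": "(&(uid=%s)(objectClass=aptAccount)(aptDialupEnabled=1)(aptAccountEnabled=1))",
}
AUTZ_REPLY = {"ldap_dsl": {"Framed-MTU": "1492"}, "ldap_dialup": {"Framed-MTU": "1500"}}

def ldap_escape(value):
    """RFC 4515 escaping, so the user name is exactly one literal assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(filter_str, directory):
    """Evaluate the AND-of-equality filter shape used above against every entry."""
    assertions = re.findall(r"\(([^=()]+)=((?:\\..|[^()\\])*)\)", filter_str)
    return [e for e in directory
            if all(e.get(attr) == ldap_unescape(val) for attr, val in assertions)]

def authorize(nas_ip, user_name, stripped_user_name=None, directory=DIRECTORY):
    """Model of users-file matching plus the selected ldap module's search.
    Returns ("accept", reply_items) or ("reject", None)."""
    autz = NAS_TO_AUTZ.get(nas_ip)
    if autz is None:
        return ("reject", None)  # no DEFAULT entry in this model matches the NAS
    # %{Stripped-User-Name:-%{User-Name}}: prefer the realm-stripped name when set
    name = stripped_user_name if stripped_user_name else user_name
    entries = search(AUTZ_FILTER[autz] % ldap_escape(name), directory)
    if len(entries) != 1:
        return ("reject", None)  # "object not found or got ambiguous search result"
    reply = {"Service-Type": "Framed-User", "Framed-Protocol": "PPP"}
    reply.update(AUTZ_REPLY[autz])
    return ("accept", reply)
```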