Re: Trouble getting groups working in ldap
Using a Cisco 3005 concentrator, I am using Radius / LDAP on Suse 9.0 ES. I am having trouble getting groups working. I would like to have a group in LDAP called vpn-users and be able to put the user in that group for Radius authentication.

radius.conf

ldap {
        server = "ldap.arnoldtrans.lcl"
        identity = "cn=Manager,dc=arnoldtrans,dc=lcl"
        password = "Arn0Ld"
        basedn = "dc=arnoldtrans,dc=lcl"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        access_group = "cn=vpn-users,ou=Groups,dc=arnoldtrans,dc=lcl"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = "vpn-user"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}

users

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

Douglas Sterner
Network Analyst
Arnold Transportation Services
451 Freight Street
Camp Hill, PA 17011
Phone (717) 703 - 5212 Ext 5473
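To make the access_group / groupmembership_filter pair above concrete, here is an added, stand-alone model (not code from the thread or from FreeRADIUS) of the check rlm_ldap performs: it expands %{Ldap-UserDn} into the filter from the config and evaluates that filter against the access_group entry. The directory entries and user DNs are constructed, and the matcher is a simplified stand-in for a real LDAP server (case-insensitive attribute names and values, no other matching rules).

```python
# Added example, not from the thread. Models rlm_ldap's group check:
# expand %{Ldap-UserDn} in groupmembership_filter, search the access_group
# entry with it; a hit authorizes the user. Directory and DNs are constructed.

GROUPMEMBERSHIP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)
ACCESS_GROUP = "cn=vpn-users,ou=Groups,dc=arnoldtrans,dc=lcl"

# Constructed directory: the vpn-users group from the thread plus one other.
DIRECTORY = {
    ACCESS_GROUP: {
        "objectclass": ["groupOfNames"],
        "member": ["uid=dsterner,ou=People,dc=arnoldtrans,dc=lcl"],
    },
    "cn=staff,ou=Groups,dc=arnoldtrans,dc=lcl": {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["uid=jdoe,ou=People,dc=arnoldtrans,dc=lcl"],
    },
}

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter; only &, | and attr=value are needed here."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)                 # DNs contain no parentheses
    attr, value = s[i:end].split("=", 1)  # split on the first '=' only
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (simplified LDAP matching)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def user_in_access_group(user_dn, access_group=ACCESS_GROUP, directory=DIRECTORY):
    """True if the expanded groupmembership_filter matches the group entry."""
    expanded = GROUPMEMBERSHIP_FILTER.replace("%{Ldap-UserDn}", user_dn)
    tree, _ = parse_filter(expanded)
    entry = directory.get(access_group)
    return entry is not None and matches(tree, entry)
```

The practical consequence is visible in the data: the user's DN must appear verbatim as a member (or uniqueMember) value of the group entry named in access_group, and the group must carry one of the two objectClasses the filter names.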
LDAP & Radius
Does someone have a good howto on setting up Radius to make use of an LDAP group? I read the ldap docs at freeradius.org and that seemed like overkill. I just want to have a group and put the user in the group to give them access.

Douglas Sterner
Time to give back, Samba LDAP with FreeRadius
If this is off topic I apologize in advance. Using Samba 3.0.13 with an LDAP back-end and FreeRadius I was trying to add the Radius schema and kept getting object class violations. It's my limited understanding of LDAP that you can not have more than one structural objectclass. I'm no ldap expert so no email telling me how wrong I am. So I came up with another solution.

Using the Windows NT user manager in samba you can grant dialin permission to a user and authenticate against Radius on the back-end. We currently already depend on User Manager for other things so this helped to centralize our management of our VPN users. All you have to do is select the user / Dialin / Grant Dialin permission to user and apply. Using a working Samba LDAP configuration there is nothing in samba or LDAP to configure; it's automatic. I've included the changes necessary in a working radius server to complete it. We have been using this in a Suse ES 9 production environment with great success against a Cisco VPN concentrator for remote user authentication.

Radius Config files

Clients.conf

client 127.0.0.1 {
        secret = mysecretpassword
        shortname = localhost
        nastype = other # localhost isn't usually a NAS...
}

client 192.168.XXX.XXX/24 {
        secret = mysecretpassword
        shortname = internal-network
        nastype = other
}

Users

DEFAULT Auth-Type = LDAP

radius.conf

ldap {
        server = "ldap.mydomain.lcl"
        identity = "cn=Manager,dc=mydomain,dc=lcl"
        password = "myldappassword"
        basedn = "dc=mydomain,dc=lcl"
        #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 689) connections
        start_tls = no

        #default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        #profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}

Douglas Sterner
Network Analyst
Re: [Samba] Time to give back, Samba LDAP with FreeRadius
First, you are clearly off topic for the samba list; this is clearly a radius config issue. Second, in order to use ldap.attrmap you must have the file ldap.attrmap in /etc/raddb for Suse Linux. This information is available in the radius ldap documentation.

example

#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#       ItemType        RADIUS-Attribute-Name   ldapAttributeName
#
# Where:
#       ItemType                = checkItem or replyItem
#       RADIUS-Attribute-Name   = attribute name in RADIUS dictionary
#       ldapAttributeName       = attribute name in LDAP schema
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem       $GENERIC$               radiusCheckItem
replyItem       $GENERIC$               radiusReplyItem

checkItem       Auth-Type               radiusAuthType
checkItem       Simultaneous-Use        radiusSimultaneousUse
checkItem       Called-Station-Id       radiusCalledStationId
checkItem       Calling-Station-Id      radiusCallingStationId
checkItem       LM-Password             lmPassword
checkItem       NT-Password             ntPassword
checkItem       SMB-Account-CTRL-TEXT   acctFlags
checkItem       Expiration              radiusExpiration

replyItem       Service-Type            radiusServiceType
replyItem       Framed-Protocol         radiusFramedProtocol
replyItem       Framed-IP-Address       radiusFramedIPAddress
replyItem       Framed-IP-Netmask       radiusFramedIPNetmask
replyItem       Framed-Route            radiusFramedRoute
replyItem       Framed-Routing          radiusFramedRouting
replyItem       Filter-Id               radiusFilterId
replyItem       Framed-MTU              radiusFramedMTU
replyItem       Framed-Compression      radiusFramedCompression
replyItem       Login-IP-Host           radiusLoginIPHost
replyItem       Login-Service           radiusLoginService
replyItem       Login-TCP-Port          radiusLoginTCPPort
replyItem       Callback-Number         radiusCallbackNumber
replyItem       Callback-Id             radiusCallbackId
replyItem       Framed-IPX-Network      radiusFramedIPXNetwork
replyItem       Class                   radiusClass
replyItem       Session-Timeout         radiusSessionTimeout
replyItem       Idle-Timeout            radiusIdleTimeout
replyItem       Termination-Action      radiusTerminationAction
replyItem       Login-LAT-Service       radiusLoginLATService
replyItem       Login-LAT-Node          radiusLoginLATNode
replyItem       Login-LAT-Group         radiusLoginLATGroup
replyItem       Framed-AppleTalk-Link   radiusFramedAppleTalkLink
replyItem       Framed-AppleTalk-Network radiusFramedAppleTalkNetwork
replyItem       Framed-AppleTalk-Zone   radiusFramedAppleTalkZone
replyItem       Port-Limit              radiusPortLimit
replyItem       Login-LAT-Port          radiusLoginLATPort

Douglas Sterner
Network Analyst

"Adi Nugraha" <[EMAIL PROTECTED]>
04/11/2005 11:44 PM

To: "Douglas Sterner" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: [Samba] Time to give back, Samba LDAP with FreeRadius

Hi

I'd like to ask about the conf file you posted here. Is there any mistake in it? Because I tried to use it but it failed with the following message:

Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files ...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string ${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf

I'm trying to set up wireless authentication using the LDAP backend containing samba users as well. Can you help me with this?

Thanks

----- Original Message -----
From: "Douglas Sterner" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius

> If this is off topic I apologize in advance. Using Samba 3.0.13 with an
> LDAP back-end and FreeRadius I was trying to add the Radius schema and
> kept getting object class violations. It's my limited understanding of
> LDAP that you can not have more than one structural objectclass. I'm no
> ldap expert so no email telling me how wrong I am. So I came up with a
> a