Re: Trouble getting groups working in ldap

2005-03-24 Thread Douglas Sterner


Using a Cisco 3005 concentrator. I am using Radius / LDAP on Suse 9.0 ES. I am having trouble getting groups
working. I would like to have a group in LDAP called vpn-users and be able
to put the user in that group for Radius authentication.

radius.conf

ldap {
        server = "ldap.arnoldtrans.lcl"
        identity = "cn=Manager,dc=arnoldtrans,dc=lcl"
        password = "Arn0Ld"
        basedn = "dc=arnoldtrans,dc=lcl"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        access_group = "cn=vpn-users,ou=Groups,dc=arnoldtrans,dc=lcl"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = "vpn-user"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}


users

DEFAULT        Auth-Type = LDAP
               Fall-Through = 1


Douglas Sterner 
Network Analyst
Arnold Transportation Services
451 Freight Street
Camp Hill, PA 17011
Phone (717) 703 - 5212 Ext 5473


LDAP & Radius

2005-03-29 Thread Douglas Sterner

Does someone have a good howto on setting up Radius to make use of an LDAP
group? I read the ldap docs at freeradius.org and that seemed like overkill;
I just want to have a group and put the user in the group to give them access.




Douglas Sterner 


Time to give back, Samba LDAP with FreeRadius

2005-04-06 Thread Douglas Sterner

If this is off topic I apologize in advance. Using Samba 3.0.13 with an LDAP
back-end and FreeRadius I was trying to add the Radius schema and kept getting
object class violations. It's my limited understanding of LDAP that you can not
have more than one structural objectclass. I'm no ldap expert so no email
telling me how wrong I am. So I came up with another solution. Using the
Windows NT user manager in samba you can grant dialin permission to a user and
authenticate against Radius on the back-end. We currently already depend on
User Manager for other things so this helped to centralize our management of
our VPN users. All you have to do is select the user / Dialin / Grant Dialin
permission to user and apply. Using a working Samba LDAP configuration there is
nothing in samba or LDAP to configure; it's automatic. I've included the
changes necessary in a working radius server to complete it. We have been using
this in a Suse ES 9 production environment with great success against a Cisco
VPN concentrator for remote user authentication.

Radius Config files

Clients.conf
client 127.0.0.1 {
        secret     = mysecretpassword
        shortname  = localhost
        nastype    = other        # localhost isn't usually a NAS...
}
client 192.168.XXX.XXX/24 {
        secret     = mysecretpassword
        shortname  = internal-network
        nastype    = other
}

Users
DEFAULT        Auth-Type = LDAP

radius.conf
ldap {
        server = "ldap.mydomain.lcl"
        identity = "cn=Manager,dc=mydomain,dc=lcl"
        password = "myldappassword"
        basedn = "dc=mydomain,dc=lcl"
        #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database by using the StartTLS extended
        # operation.
        # The StartTLS operation is supposed to be used with normal
        # ldap connections instead of using ldaps (port 636) connections
        start_tls = no

        #default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        #profile_attribute = "radiusProfileDn"
        #access_attr = "dialupAccess"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_connections_number = 5
        # password_header = "{clear}"
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # access_attr_used_for_allow = yes
}


Douglas Sterner 
Network Analyst
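As an added illustration (not code from any of the posts above, nor from FreeRADIUS itself): a small Python model of the two rlm_ldap authorization gates these configs rely on, the access_group membership test from the first post and the SambaMungedDial exact-match filter from this one, evaluated against a constructed in-memory directory instead of a live LDAP server. All DNs, user names and the blob value are made up.

```python
# Constructed sample directory: dn -> attributes (multi-valued, as LDAP returns them).
# Placeholder values stand in for the real DNs and the real sambaMungedDial blob.
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=lcl": {
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "uid": ["alice"],
        "sambaMungedDial": ["PLACEHOLDER-DIALIN-BLOB"],
    },
    "uid=bob,ou=People,dc=example,dc=lcl": {
        "objectClass": ["posixAccount", "sambaSamAccount"],
        "uid": ["bob"],
    },
    "cn=vpn-users,ou=Groups,dc=example,dc=lcl": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=People,dc=example,dc=lcl"],
    },
    "cn=staff,ou=Groups,dc=example,dc=lcl": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=bob,ou=People,dc=example,dc=lcl"],
    },
}

def find_user_dn(uid):
    """The basedn search for (uid=<name>): DN of the matching entry, or None."""
    for dn, attrs in DIRECTORY.items():
        if uid in attrs.get("uid", []):
            return dn
    return None

def in_group(user_dn, group_dn):
    """The groupmembership_filter for one group: the user's DN must be listed in
    'member' of a groupOfNames or 'uniqueMember' of a groupOfUniqueNames.
    LDAP attribute and class names are case-insensitive, so compare lowercased."""
    grp = {k.lower(): v for k, v in DIRECTORY.get(group_dn, {}).items()}
    classes = {c.lower() for c in grp.get("objectclass", [])}
    return (("groupofnames" in classes and user_dn in grp.get("member", []))
            or ("groupofuniquenames" in classes and user_dn in grp.get("uniquemember", [])))

def authorize_by_group(uid, access_group):
    """The access_group gate from the first post: the user must exist and be a
    member of the configured group; anything else is rejected."""
    dn = find_user_dn(uid)
    return dn is not None and in_group(dn, access_group)

def has_dialin(uid, blob):
    """The Samba variant: (&(uid=%u)(SambaMungedDial=<blob>)) is an exact string
    match, so a user whose attribute is missing or encoded differently is
    simply not found and therefore not authenticated."""
    dn = find_user_dn(uid)
    return dn is not None and blob in DIRECTORY[dn].get("sambaMungedDial", [])
```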


Re: [Samba] Time to give back, Samba LDAP with FreeRadius

2005-04-12 Thread Douglas Sterner

First, you are clearly off topic for the samba list; this is clearly a radius
config issue.

Second, in order to use ldap.attrmap you must have the file ldap.attrmap in
/etc/raddb for Suse Linux.

This information is available in the radius ldap documentation.

example:

#
# Mapping of RADIUS dictionary attributes to LDAP directory attributes
# to be used by LDAP authentication and authorization module (rlm_ldap)
#
# Format:
#   ItemType        RADIUS-Attribute-Name        ldapAttributeName
#
# Where:
#   ItemType              = checkItem or replyItem
#   RADIUS-Attribute-Name = attribute name in RADIUS dictionary
#   ldapAttributeName     = attribute name in LDAP schema
#
# If $GENERIC$ is specified as RADIUS-Attribute-Name, the line specifies
# a LDAP attribute which can be used to store any RADIUS
# attribute/value-pair in LDAP directory.
#
# You should edit this file to suit it to your needs.
#

checkItem        $GENERIC$                    radiusCheckItem
replyItem        $GENERIC$                    radiusReplyItem

checkItem        Auth-Type                    radiusAuthType
checkItem        Simultaneous-Use             radiusSimultaneousUse
checkItem        Called-Station-Id            radiusCalledStationId
checkItem        Calling-Station-Id           radiusCallingStationId
checkItem        LM-Password                  lmPassword
checkItem        NT-Password                  ntPassword
checkItem        SMB-Account-CTRL-TEXT        acctFlags
checkItem        Expiration                   radiusExpiration

replyItem        Service-Type                 radiusServiceType
replyItem        Framed-Protocol              radiusFramedProtocol
replyItem        Framed-IP-Address            radiusFramedIPAddress
replyItem        Framed-IP-Netmask            radiusFramedIPNetmask
replyItem        Framed-Route                 radiusFramedRoute
replyItem        Framed-Routing               radiusFramedRouting
replyItem        Filter-Id                    radiusFilterId
replyItem        Framed-MTU                   radiusFramedMTU
replyItem        Framed-Compression           radiusFramedCompression
replyItem        Login-IP-Host                radiusLoginIPHost
replyItem        Login-Service                radiusLoginService
replyItem        Login-TCP-Port               radiusLoginTCPPort
replyItem        Callback-Number              radiusCallbackNumber
replyItem        Callback-Id                  radiusCallbackId
replyItem        Framed-IPX-Network           radiusFramedIPXNetwork
replyItem        Class                        radiusClass
replyItem        Session-Timeout              radiusSessionTimeout
replyItem        Idle-Timeout                 radiusIdleTimeout
replyItem        Termination-Action           radiusTerminationAction
replyItem        Login-LAT-Service            radiusLoginLATService
replyItem        Login-LAT-Node               radiusLoginLATNode
replyItem        Login-LAT-Group              radiusLoginLATGroup
replyItem        Framed-AppleTalk-Link        radiusFramedAppleTalkLink
replyItem        Framed-AppleTalk-Network     radiusFramedAppleTalkNetwork
replyItem        Framed-AppleTalk-Zone        radiusFramedAppleTalkZone
replyItem        Port-Limit                   radiusPortLimit
replyItem        Login-LAT-Port               radiusLoginLATPort



Douglas Sterner 
Network Analyst







"Adi Nugraha" <[EMAIL PROTECTED]>
04/11/2005 11:44 PM
To: "Douglas Sterner" <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
Subject: Re: [Samba] Time to give back, Samba LDAP with FreeRadius


Hi

I'd like to ask about the conf file you posted here; is there any mistake
in it, because I tried to use it but it failed with the following message:

Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files
...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string
${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf

I'm trying to setup a wireless authentication using the LDAP backend
containing samba user as well can you help me with this

Thanks


----- Original Message -----
From: "Douglas Sterner" <[EMAIL PROTECTED]>
To: 
Cc: ; <[EMAIL PROTECTED]>
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius


> If this is off topic I apologize in advance. Using Samba 3.0.13 with an
> LDAP back-end and FreeRadius I was trying to add the Radius schema and
> kept getting object class violations. It's my limited understanding of
> LDAP that you can not have more than one structural objectclass. I'm no
> ldap expert so no email telling me how wrong I am. So I came up with a
> a