This is the answer. Also, this is much easier than what I was trying to
do. Thank you for the pointer, Alan.
-Scott
On 3/26/12 5:17 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
hi,
a quick glance at your question and I'd say you'd be better off using
simple entries in the users file - simple
I'd be surprised if using Ldap-Group in the user's file
resulted in load balancing of the group membership
queries to the LDAP servers. Does it?
It does, actually. Or at least it appears to. The first time it used ldap2
and the second time it used ldap1.
Brian Julin wrote:
I'd be surprised if using Ldap-Group in the user's file
resulted in load balancing of the group membership
queries to the LDAP servers. Does it?
It doesn't.
Alan DeKok.
So, now I'm confused again. If this doesn't load balance, then how should
I really be going about
I cannot answer your question about if statements, but this
much is clear: the Ldap-Group check attribute will query
the ldap module that was instantiated last. If you want
to query a specific module, you have to use modulename-Ldap-Group.
Similarly for ldap xlats, you have to use the module
So, is the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
incorrect, or is it only correct for the very latest version?
-Scott
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
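The two points made in this thread, that the user lookup can be spread over several ldap instances while an Ldap-Group check is tied to one named instance, look like this in a 2.x configuration. This is an added example, not configuration from the thread or from the FreeRADIUS project. The instance names ldap1 and ldap2, the server names, the bind account, the group "NET Staff" and the two NAS addresses are assumptions.

```unlang
# modules/ldap (added example): two instances of rlm_ldap pointed at two
# replicas of the same directory.  Because the instance names are not the
# plain "ldap", rlm_ldap registers the check attributes ldap1-Ldap-Group and
# ldap2-Ldap-Group; the bare Ldap-Group is bound to whichever of the two was
# instantiated last.
ldap ldap1 {
        server = "ldap1.example.edu"
        identity = "cn=radius,ou=service,dc=example,dc=edu"
        password = "change-me"
        basedn = "dc=example,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute = cn
}
ldap ldap2 {
        server = "ldap2.example.edu"
        identity = "cn=radius,ou=service,dc=example,dc=edu"
        password = "change-me"
        basedn = "dc=example,dc=edu"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute = cn
}

# sites-available/default (added example).  Only the user lookup is load
# balanced and fails over; every ldap1-Ldap-Group comparison goes to ldap1.
authorize {
        preprocess
        suffix
        eap {
                ok = return
        }
        redundant-load-balance {
                ldap1
                ldap2
        }
        # Restrict two NAS devices to members of "NET Staff".  A bare
        # Ldap-Group here would silently query ldap2, so name the instance.
        if ((NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4) && !(ldap1-Ldap-Group == "NET Staff")) {
                reject
        }
        expiration
        logintime
        pap
}

# users (added example): the same restriction as the plain entries Alan
# suggested, used INSTEAD of the if block above.  A matching entry without
# Fall-Through ends the search, so members match one of the first two
# entries and continue to normal authentication; everyone else on those NAS
# reaches the reject entries.  List "files" after redundant-load-balance in
# authorize so the DN found by the lookup is reused for the group check.
DEFAULT NAS-IP-Address == 192.168.6.5, ldap1-Ldap-Group == "NET Staff"
DEFAULT NAS-IP-Address == 192.168.6.4, ldap1-Ldap-Group == "NET Staff"
DEFAULT NAS-IP-Address == 192.168.6.5, Auth-Type := Reject
        Reply-Message = "This device is restricted to NET Staff"
DEFAULT NAS-IP-Address == 192.168.6.4, Auth-Type := Reject
        Reply-Message = "This device is restricted to NET Staff"
```

Two things to check after putting this in place: the ldap1-Ldap-Group attribute only exists once ldap1 has been instantiated, so if the users file is parsed first the entries fail with an unknown attribute; listing ldap1 and ldap2 in the instantiate section of radiusd.conf forces the order. And the group check itself is never load balanced: if ldap1 is down, the comparison fails even though the lookup succeeded on ldap2, so both replicas must hold the same groups and the named instance should be the one you can best keep up.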
FR 2.1.10 on Linux
I want to load balance my LDAP servers, but I also want to do some
checking for group membership. Reading the documentation at
http://wiki.freeradius.org/Load-balancing#Interaction+with+%22if%22+and+%22else%22
makes me think I can use if and elsif statements in a load
Okay, I've finally got the server certificate sorted out, signed by
GeoTrust and installed, but now I have another certificate problem. I
believe this one is that the client doesn't recognize my ca.pem as being
signed by a trusted authority. Do I need to get another root cert signed
by GeoTrust?
Is this the INTERMEDIATE CA that GeoTrust sent along with the server
cert?
Okay, it is the INTERMEDIATE CA. Sorry for the noise.
In the beginning of the cert documentation, it says:
The Microsoft XP Extensions will be automatically included in the
server certificate. Without those extensions Windows clients will
refuse to authenticate to FreeRADIUS.
But I use a certificate authority, so later on in the documentation,
Excellent, thank you.
The default configuration does this. You shouldn't need to do anything.
Okay, I followed the instructions in the certs README, created the CSR and
got a certificate from GeoTrust. When I install it and try to start the
server, I get the following error messages:
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
rlm_eap_tls:
Just to get the server running, I tried moving all the things out of that
directory, then doing the ./bootstrap thing and it still gives that error
when trying to start the server.
-Scott
On 3/14/12 4:05 PM, Alan DeKok al...@deployingradius.com wrote:
FreeRADIUS doesn't read OpenSSL configuration files.
Alan DeKok.
Gosh, I feel like a dummy. Thanks.
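Both certificate problems in this thread, the "bad decrypt" at startup and the client not trusting the server because the GeoTrust intermediate was missing, come down to settings in the tls subsection of eap.conf. The fragment below is an added example, not the poster's or the project's configuration; the file names and the pass phrase are assumptions, and everything not shown is as in the default eap.conf.

```unlang
# eap.conf, tls subsection (added example).
tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs

        # The private key made for the CSR is stored encrypted.  FreeRADIUS
        # does not read openssl.cnf, so the pass phrase the key was encrypted
        # with has to be repeated here; when it does not match, startup fails
        # with "EVP_DecryptFinal_ex:bad decrypt".  The bootstrap scripts take
        # the pass phrase from output_password in certs/server.cnf, which is
        # why the default configuration works without changes.
        private_key_password = "pass-phrase-used-for-the-csr-key"
        private_key_file = ${certdir}/server.key

        # Server certificate first, then the intermediate CA certificate that
        # came with it.  The whole file is sent to the supplicant in the TLS
        # handshake; without the intermediate, a client that only has the
        # public root cannot build the chain and refuses the server.
        certificate_file = ${certdir}/server-chain.pem

        # Trust anchors used to verify the chain and, for EAP-TLS, client
        # certificates.
        CA_file = ${cadir}/geotrust-root-and-intermediate.pem

        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
}
```

Run radiusd -X after changing either file: a pass phrase mismatch is reported before the server binds its sockets, and a missing intermediate does not show up on the server at all, only as a supplicant that drops the connection during the handshake.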
Try looking at the groupmembership_filter option - work out a
search that works on the command line (with a filter), and then
fit that filter into the ldap config.
It should probably be something like (untested)
groupname_attribute = cn
groupmembership_filter =
I have the following in my sites-available/default:
authorize {
        ...
        # Allow only NET Staff members to log into BAND and HAPF
        if (Ldap-Group == "NET Staff" && (NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4)) {
                update
And of course I figured it out 2 minutes after writing this message. For
posterity, the syntax was close. It's actually like this:
        elsif (NAS-IP-Address == 192.168.6.5 || NAS-IP-Address == 192.168.6.4) {
                reject = 1
        }
On 3/13/12 1:24 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
hi,
I must be tired, I can't see how that is different to your first email!
;-)
alan
No, you're right, I didn't edit it. It's like you said, reject without the
= 1 after it. I must be the one who is tired. Thank you for your
Okay, I am a couple steps closer, but still having trouble. My radius
server is saying my test user is not in the group I'm filtering for,
however I know that it is. My sites-available/default config looks like:
authorize {
        ...
        ldap
        if (Ldap-Group == "PWHC Secure Wireless") {
I've successfully gotten AD auth working, and now I'd like to be able to
assign VLANs based on group membership, but I'm having a hard time
figuring out where and how to do that. Where do I put the if statements
to check group membership? Does AD auth even work like this, or do I need
to be using
I found this thread which seems to do what I am asking, but I just don't
know where to put this statement.
http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458.html
Any insight would be appreciated.
-Scott
You can configure AD as an LDAP server, and then do LDAP group checks.
See the LDAP documentation for examples.
Alan DeKok.
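One way to follow that suggestion, as an added example rather than configuration from this thread or from the FreeRADIUS project: query the domain controller with rlm_ldap for the user lookup and the group checks, leave password checking to mschap/ntlm_auth, and hand out a VLAN per group once authentication has succeeded. The domain controller, bind account, base DN and VLAN numbers are assumptions; the group names are ones mentioned on this page.

```unlang
# modules/ldap (added example): Active Directory queried as an LDAP server.
ldap {
        server = "dc1.example.edu"
        identity = "cn=radius-ro,ou=Service Accounts,dc=example,dc=edu"
        password = "change-me"
        basedn = "dc=example,dc=edu"
        # AD has no uid attribute; find the user by sAMAccountName.
        filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
        # Group checks compare the requested name against the group object's
        # cn and decide membership by the group's member attribute holding
        # the DN that the user lookup stored in Ldap-UserDn.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        # Do not set Auth-Type := LDAP; this instance only looks up the user
        # and answers group checks, passwords stay with mschap/ntlm_auth.
        set_auth_type = no
}

# sites-available/default (added example).  With PEAP or TTLS this belongs
# in sites-available/inner-tunnel, with use_tunneled_reply = yes in the
# peap/ttls sections of eap.conf, so the Tunnel-* attributes set on the
# inner reply reach the switch or controller.
authorize {
        preprocess
        mschap
        suffix
        eap {
                ok = return
        }
        ldap
        expiration
        logintime
}

post-auth {
        # Dynamic VLAN: one branch per group, most privileged first, and a
        # reject for anyone in none of them so nobody lands on a VLAN by
        # accident.  A reject here turns the Access-Accept into a reject.
        if (Ldap-Group == "PWHC Secure Wireless") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "20"
                }
        }
        elsif (Ldap-Group == "Wireless Users") {
                update reply {
                        Tunnel-Type := VLAN
                        Tunnel-Medium-Type := IEEE-802
                        Tunnel-Private-Group-Id := "30"
                }
        }
        else {
                reject
        }
}
```

Before wiring this into the virtual server, test the two filters with ldapsearch using the same bind account; the radiusd -X output then shows the expanded groupmembership_filter and the result of each Ldap-Group comparison, which is where a wrong base DN or a member attribute that does not hold full DNs shows up.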
I think the documentation is saying that LDAP can't be used with EAP. Is
that what it's really saying? It's a little unclear since it says The
solution is to use the
Okay, I figured out where to put the if statement (in
I'm having trouble getting unlang to match a string inside a larger
string. I have a script that outputs a string of domain groups, like this:
DOMN\Domain Users 2 DOMN\Wireless Users 2 DOMN\STUsers 2 DOMN\WOCL
Wireless DOMN\WOCL Staff
I have an unlang conditional written like this which I think
the debug output (radiusd -X) should show you all the values
as things happen - and thus show you the comparison and how
it's failing
Alan
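Matching one group name inside the whole list that a helper script prints is what the regular-expression operators are for, since == compares the entire string. The fragment below is an added example, not the poster's configuration; the script path is an assumption and the group name is taken from the list shown above.

```unlang
# sites-available/default, authorize (added example).
authorize {
        # other modules as in the default virtual server

        # %{exec:...} runs the program directly, without a shell, and passes
        # the expanded user name as its argument; a user name cannot inject
        # commands, though one containing spaces arrives as several arguments.
        # =~ / !~ are regular-expression matches and find the group anywhere
        # in the output, where == would only match the whole string.  The
        # "DOMN\" prefix is left out so the pattern needs no backslash escaping.
        if ("%{exec:/usr/local/sbin/domgroups.sh %{User-Name}}" !~ /WOCL Wireless/) {
                reject
        }
}
```

Every evaluation of the condition runs the script, so if the output is needed in more than one place store it once in a control-list attribute and match against that. The exec xlat needs the exec module, which the default radiusd.conf instantiates, and radiusd -X prints the expanded string before the comparison, which is the quickest way to see why a pattern does not match.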
Turns out
If anyone cares, I got this working by calling a script that contained the
following:
#!/bin/sh
# Print every domain group of the user named in $1 on one line:
# wbinfo -n resolves the name to its SID, --user-domgroups lists the SIDs
# of the groups that user belongs to, and wbinfo -s turns each SID back
# into "DOMAIN\name <type>"; perl strips the newlines so it all comes
# out as a single string.
for T in $(wbinfo --user-domgroups $(wbinfo -n "$1")) ; do
        wbinfo -s $T | perl -ne 'chomp and print'
done
Which outputs a string containing all the groups the username is a member
of. I called
On 3/6/12 3:55 PM, Fajar A. Nugraha l...@fajar.net wrote:
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner sgar...@uark.edu
wrote:
That's odd. Did you properly set up the AD as LDAP server in
raddb
I'm attempting to follow the guide at http://deployingradius.com/ Things
were going very well until I tried to set up Active Directory
authentication. Testing with ntlm_auth, I get a success:
$ ntlm_auth --request-nt-key --domain=MYDOMAIN --username=myuname --password=mypass
NT_STATUS_OK: Success
Mon Mar 5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc022)
Did you spot this?
This was definitely it. Thank you so much.
-Scott