
List:       freeradius-users
Subject:    Different behaviour with LDAP
From:       Þórður Ívarsson <toti () skrin ! is>
Date:       2005-08-31 12:28:57
Message-ID: 1AC6F46DDAC27649BD7C9EC2DE49112F0207411A () falki ! kerfisleiga ! skrin ! is

I am authorizing wireless network cards in the "users" file with a RADIUS server (old Cistron RADIUS), and that is working fine.

entry like:
121212-232323 Auth-Type = Accept

Only network cards matching the above entry get access.

Now I am building a new RADIUS server with FreeRADIUS, and user information and passwords are kept in OpenLDAP.

I have the following entry in my "users" file:

DEFAULT Huntgroup-Name == "wireless", Service-Type == Framed-User, Autz-Type := ldap-macaddr, Auth-Type := Accept
        Fall-Through = No


and this is in "radiusd.conf":
        ldap ldap-macaddr {
                server = "localhost"
                identity = "cn=manager,dc=skrin,dc=local"
                password = kept_secret
                basedn = "ou=users,ou=internet,dc=skrin,dc=local"
                filter = "(&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))"
                base_filter = "(objectclass=radiusprofile)"

                start_tls = no

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5

                #
                # password_attribute = userPassword
                #
                # groupname_attribute = cn
                # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # do_xlat = yes
        }


I also have different sections for different huntgroups of the LDAP entry in radiusd.conf for other services, and they work fine.

The behaviour of the RADIUS server is like this: authorize the client/user (match against huntgroup and LDAP attribute search), then authenticate the user (trying to log into the LDAP server with user/password). But I have Auth-Type = Accept, which I understand allows everyone that matches the authorize section. This breaks: it allows everyone that matches the huntgroup but fails authorization. Is this normal or not?

Þórður Ívarsson
Skrín ehf


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
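The policy the post is trying to express, as an added example that is not part of the original message and not FreeRADIUS code: a wireless card is accepted only when the huntgroup and Service-Type match and the directory holds a radiusprofile entry whose macAddress equals the MAC sent as User-Name and whose radiusGroupName is "wireless". It models the intended outcome, not FreeRADIUS's actual evaluation order (which is what the post asks about). The directory entries, the request dicts and the helper names are constructed for illustration. The filter builder also shows the RFC 4515 escaping that any value interpolated into an LDAP filter (here the MAC address taken from User-Name) needs; rlm_ldap escapes its own expansions, this only shows what that escaping must do.

```python
"""Model of MAC-address authorization against an LDAP directory.

Added example (not FreeRADIUS or rlm_ldap code). Directory content,
request attributes and helper names are constructed for illustration.
"""
import re
from typing import Optional

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a MAC written with -, : or . separators to 12 lowercase hex digits.

    Returns None if the value is not a MAC address at all (e.g. a real user name).
    """
    hexdigits = re.sub(r"[-:.]", "", raw).lower()
    if re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        return hexdigits
    return None


def build_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Build the filter from the post's radiusd.conf:
    (&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))

    %{Stripped-User-Name:-%{User-Name}} means: use Stripped-User-Name if set,
    otherwise User-Name. The chosen value is escaped before interpolation.
    """
    value = stripped_user_name if stripped_user_name else user_name
    return "(&(macAddress=%s)(radiusGroupName=wireless))" % escape_filter_value(value)


# Constructed stand-in for the ou=users,ou=internet subtree (not a real directory).
DIRECTORY = [
    {"macAddress": "121212-232323", "radiusGroupName": "wireless", "objectclass": "radiusprofile"},
    {"macAddress": "aabbcc-ddeeff", "radiusGroupName": "vpn", "objectclass": "radiusprofile"},
]


def ldap_lookup(mac: str, group: str) -> Optional[dict]:
    """Stand-in for the ldap-macaddr search: macAddress (normalised) AND radiusGroupName."""
    for entry in DIRECTORY:
        if entry.get("objectclass") != "radiusprofile":
            continue  # base_filter = "(objectclass=radiusprofile)"
        if normalize_mac(entry["macAddress"]) == mac and entry["radiusGroupName"] == group:
            return entry
    return None


def authorize(request: dict) -> str:
    """Return 'accept' or 'reject' for a request given as a dict of RADIUS attributes.

    Mirrors the intent of the DEFAULT entry: the huntgroup and Service-Type checks
    select the entry, and the ldap-macaddr search must find the card. Without a
    directory hit the request is rejected; Accept is never granted on the
    huntgroup match alone.
    """
    if request.get("Huntgroup-Name") != "wireless":
        return "reject"
    if request.get("Service-Type") != "Framed-User":
        return "reject"
    mac = normalize_mac(request.get("Stripped-User-Name") or request.get("User-Name", ""))
    if mac is None:
        return "reject"  # User-Name is not a MAC address
    if ldap_lookup(mac, "wireless") is None:
        return "reject"  # no radiusprofile entry for this card in group "wireless"
    return "accept"


if __name__ == "__main__":
    # Constructed requests: a known card, a card in another group, and an injection attempt.
    for req in (
        {"User-Name": "121212-232323", "Huntgroup-Name": "wireless", "Service-Type": "Framed-User"},
        {"User-Name": "aabbcc-ddeeff", "Huntgroup-Name": "wireless", "Service-Type": "Framed-User"},
        {"User-Name": "*)(radiusGroupName=*", "Huntgroup-Name": "wireless", "Service-Type": "Framed-User"},
    ):
        print(req["User-Name"], "->", authorize(req), "filter:", build_filter(req["User-Name"]))
```

The third request shows why the escaping matters: an unescaped `*)(radiusGroupName=*` would turn the AND filter into a wildcard match, whereas the escaped filter searches for that literal string and the lookup fails.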

