List: freeradius-users
Subject: Different behaviour with LDAP
From: Þórður Ívarsson <toti () skrin ! is>
Date: 2005-08-31 12:28:57
Message-ID: 1AC6F46DDAC27649BD7C9EC2DE49112F0207411A () falki ! kerfisleiga ! skrin ! is
I am authorizing wireless network cards in the "users" file with a RADIUS server (old Cistron radius) and that is working fine, with an entry like:

    121212-232323 Auth-Type = Accept

Only the network card matching the above entry gets access.
Now I am building a new RADIUS server with FreeRADIUS, and the user information and passwords are kept in OpenLDAP. I have the following entry in my "users" file:

    DEFAULT Huntgroup-Name == "wireless", Service-Type == Framed-User, Autz-Type := zldap-macaddr, Auth-Type := Accept
            Fall-Through = No
and this is in "radiusd.conf":

    ldap ldap-macaddr {
            server = "localhost"
            identity = "cn=manager,dc=skrin,dc=local"
            password = kept_secret
            basedn = "ou=users,ou=internet,dc=skrin,dc=local"
            filter = "(&(macAddress=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=wireless))"
            base_filter = "(objectclass=radiusprofile)"
            start_tls = no
            dictionary_mapping = ${raddbdir}/ldap.attrmap
            ldap_connections_number = 5
            #
            # password_attribute = userPassword
            #
            # groupname_attribute = cn
            # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
            # groupmembership_attribute = radiusGroupName
            timeout = 4
            timelimit = 3
            net_timeout = 1
            # compare_check_items = yes
            # do_xlat = yes
    }
I also have different sections for different huntgroups of the LDAP entry in radiusd.conf for other services, and they work fine.

The behaviour of the RADIUS server is like this: authorize the client/user (match against huntgroup and LDAP attribute search), then authenticate the user (trying to log into the LDAP server with user/password). But I have Auth-Type := Accept, which I understand allows everyone that matches the authorize section. This breaks: it allows everyone that matches the huntgroup but fails authorize. Is this normal or not?
Þórður Ívarsson
Skrín ehf
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
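Added example (editor's note, not part of the original post or of FreeRADIUS itself): the filter in the ldap-macaddr section is built from %{Stripped-User-Name:-%{User-Name}}, i.e. from a string the wireless client supplies, and the "users" entry accepts the request whether or not that LDAP search finds anything. The Python below models the two checks a practitioner would want around such a lookup: the xlat default rule and RFC 4515 escaping when the value is placed in a filter (rlm_ldap applies its own escaping when it expands the filter; this shows the equivalent in plain code), a MAC-address shape check before any directory query, and an authorize decision that returns accept only when a matching entry exists. The directory entries, DNs and the `dc=example,dc=local` suffix are constructed sample data; `authorize_mac_request` and the other function names are this example's own, not FreeRADIUS APIs.

```python
import re

# RFC 4515: characters that must be escaped when a value is embedded in a filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Accepts the 6-6 hex form used in the post (121212-232323), 12 bare hex digits,
# and the common aa:bb:cc:dd:ee:ff / aa-bb-cc-dd-ee-ff forms.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}|[0-9a-f]{6}-[0-9a-f]{6}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample directory standing in for the OpenLDAP tree (example data).
SAMPLE_DIRECTORY = [
    {
        "dn": "cn=laptop1,ou=users,ou=internet,dc=example,dc=local",
        "macAddress": ["121212-232323"],
        "radiusGroupName": ["wireless"],
    },
    {
        "dn": "cn=router9,ou=users,ou=internet,dc=example,dc=local",
        "macAddress": ["aaaaaa-bbbbbb"],
        "radiusGroupName": ["vpn"],  # exists, but not in the wireless group
    },
]


def ldap_filter_escape(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515)."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_user_name(request: dict) -> str:
    """Mirror %{Stripped-User-Name:-%{User-Name}}: the ':-' default means
    Stripped-User-Name is used when set and non-empty, otherwise User-Name."""
    stripped = request.get("Stripped-User-Name")
    if stripped:
        return stripped
    return request.get("User-Name", "")


def is_mac_address(name: str) -> bool:
    """True only if the name looks like a MAC address in an accepted notation."""
    return bool(_MAC_RE.match(name))


def build_macaddr_filter(request: dict, group: str = "wireless") -> str:
    """Build the same filter shape as the ldap-macaddr section, with escaping."""
    name = ldap_filter_escape(effective_user_name(request))
    return f"(&(macAddress={name})(radiusGroupName={ldap_filter_escape(group)}))"


def _entry_matches(entry: dict, mac: str, group: str) -> bool:
    # LDAP compares these attributes case-insensitively; fold both sides.
    macs = [m.lower() for m in entry.get("macAddress", [])]
    groups = [g.lower() for g in entry.get("radiusGroupName", [])]
    return mac.lower() in macs and group.lower() in groups


def authorize_mac_request(request: dict, directory: list, group: str = "wireless"):
    """Decide (result, reason) for a MAC-based authorize step.

    Unlike a users-file entry that sets Auth-Type := Accept unconditionally,
    this only accepts when the directory lookup actually returns an entry."""
    name = effective_user_name(request)
    if not is_mac_address(name):
        return ("reject", f"User-Name {name!r} is not a MAC address")
    ldap_filter = build_macaddr_filter(request, group)
    matches = [e for e in directory if _entry_matches(e, name, group)]
    if not matches:
        return ("reject", f"no entry matched {ldap_filter}")
    return ("accept", matches[0]["dn"])


if __name__ == "__main__":
    for req in ({"User-Name": "121212-232323"},
                {"User-Name": "aaaaaa-bbbbbb"},
                {"User-Name": "*)(objectClass=*"}):
        print(req["User-Name"], "->", authorize_mac_request(req, SAMPLE_DIRECTORY))
```

The third sample request shows why escaping matters: without it the client-chosen User-Name would rewrite the filter's structure instead of being compared as a literal attribute value. The shape check rejects it before any directory round-trip, and the escaped filter is what is logged in the reject reason.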