
List:       freeradius-users
Subject:    Re: LDAP group authentication
From:       Andrew Meyer via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2017-06-28 13:30:33
Message-ID: 936966805.442444.1498656633622 () mail ! yahoo ! com

For the RadiusControl attributes, are you adding that into your /etc/raddb/mods-available/ldap file?  I'm not seeing that.  Btw, I have this setup using the instructions from the FreeIPA folks.  However, I am also trying to get group authentication and not getting it to work.

[Bash] [andrew.meyer@asm-rancid01 ~]$ sudo cat /etc/raddb/users |grep -v "^#" bob - Pastebin.com

On Wednesday, June 28, 2017 5:24 AM, Bogdan Rudas via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:

Hi,

Something like this:

ldap {
        server = 'ldap.int'

        identity = 'cn=raidus-ro,ou=users,dc=company,dc=int'
        password = '12345'
        base_dn = 'ou=users,dc=company,dc=int'
        ldapgroup = 'cn=WiFi,ou=group,dc=company,dc=int'
        sasl {
        }

        update {
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }


        user {
                base_dn = "${..base_dn}"

                filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"

                sasl {
                }
        }

...... cut here...

On Tue, Jun 27, 2017 at 6:53 PM, Jake L. <jake_homs@yahoo.com> wrote:

> Hi Bogdan,
> Thank you for the information. This looks like a good method for us as
> well. Are you setting up the 'ldapgroup' inside the group section of the
> ldap module? If so, can you show me the stanza you're using? Thank you!
> 
> 
> On Tuesday, June 27, 2017 1:20 AM, Bogdan Rudas via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> 
> 
> Hi Jake,
> 
> We are using memberOf in the filter of the "user {  }" section in
> /etc/freeradius/mods-available/ldap
> 
> user {
> base_dn = "${..base_dn}"
> 
> filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
> 
> sasl {
> }
> }
> 
> I suspect FreeIPA have similar attribute for reverse group membership
> lookups.
> 
> On Tue, Jun 27, 2017 at 1:36 AM, Jake L. via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
> 
> > Hello - I successfully got our Freeradius server to authenticate against
> > our FreeIPA LDAP environment, allowing user access. Currently, all users in
> > here will be granted successful access. However, I'm having trouble trying
> > to identify what to set up to get only a single group in our FreeIPA
> > environment allowed to authenticate while all other groups are denied. In a
> > nutshell, I want to only allow the "network-team" group authenticated
> > access via the Freeradius server, and any/all other groups to be denied. In
> > my wiki and google searches, I've found reference to "group_authorization",
> > but I can't find that module in the policy.d or mods-available folder.
> > Also, I've seen the reference to huntgroups, but only when queried against
> > SQL, which shouldn't be needed in my case. Can anyone point me in the right
> > direction to get this working?
> > TL;DR = Need info on setting up Freeradius authentication to LDAP only for
> > a specific group, denying all other groups.
> > Thank you! Jake
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> 
> 
> 
> 
> --
> Bogdan Rudas
> Director of IT offshore
> Exadel Inc.
> http://www.exadel.com/
> E-mail: brudas@exadel.com
> Skype ID: bogdan.rudas
> 
> --
> 
> 
> CONFIDENTIALITY NOTICE: This email and files attached to it are
> confidential. If you are not the intended recipient you are hereby
> notified
> that using, copying, distributing or taking any action in reliance on the
> contents of this information is strictly prohibited. If you have received
> this email in error please notify the sender and delete this email.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
> 
> 
> 


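The thread stops at "put memberOf into the user filter". The following is an added example, not code from any post above and not the config FreeRADIUS ships, showing the other way FreeRADIUS 3.0 can do this: leave the user lookup open, let the ldap module's group { } section resolve membership, and reject in unlang with an LDAP-Group check, so the rejection is visible in the debug output instead of looking like an unknown user. The hostname, bind account, base DN and the group name network-team are made up; the FreeIPA tree layout (cn=users,cn=accounts / cn=groups,cn=accounts) and the groupOfNames objectClass are assumptions to confirm with ldapsearch against your own directory.

```unlang
# /etc/raddb/mods-available/ldap   (added example; DNs and names are assumptions)
ldap {
        server   = 'ipa.example.test'
        # hypothetical read-only bind account; never bind as an admin for lookups
        identity = 'uid=radius-ro,cn=sysaccounts,cn=etc,dc=example,dc=test'
        password = '<bind-password>'
        base_dn  = 'dc=example,dc=test'

        update {
                # same mapping the thread asks about: it copies per-user attributes
                # into the request; by itself it does not restrict who gets in
                control:Password-With-Header    += 'userPassword'
                control:                        += 'radiusControlAttribute'
                request:                        += 'radiusRequestAttribute'
                reply:                          += 'radiusReplyAttribute'
        }

        user {
                base_dn = "cn=users,cn=accounts,${..base_dn}"
                # no memberOf here: every known user is found, the group check is
                # made explicitly in the policy below
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "cn=groups,cn=accounts,${..base_dn}"
                # objectClass of FreeIPA user groups is an assumption; check with ldapsearch
                filter  = '(objectClass=groupOfNames)'
                # lets LDAP-Group be compared against the bare cn
                name_attribute = cn
                # FreeIPA keeps memberOf on the user entry, so membership is read from there
                membership_attribute = 'memberOf'
                # fallback: search group entries whose member is the user's DN
                membership_filter = "(member=%{control:Ldap-UserDn})"
        }
}

# /etc/raddb/sites-enabled/default, the relevant part of the authorize section
authorize {
        ...
        ldap

        # unknown user: do not fall through to other modules that might accept it
        if (notfound) {
                reject
        }

        # the actual group gate: only members of network-team may continue
        if (!(LDAP-Group == "network-team")) {
                reject
        }

        # bind as the user for authentication when a cleartext password was sent
        if ((ok || updated) && User-Password) {
                update {
                        control:Auth-Type := ldap
                }
        }
        ...
}
```

With this layout a non-member shows up in radiusd -X as a failed LDAP-Group comparison followed by the reject, whereas with the memberOf-in-filter approach from the thread a non-member and a nonexistent account both return notfound from the ldap module, and whether that becomes an Access-Reject depends on what the rest of authorize does with a request that has no Auth-Type.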

