On Tue, 12 Mar 2019, Boudjoudad Abdelkader wrote:
Hi Alexander,
Thank you for your quick reply, and sorry, I am very new to FreeRADIUS.
I did:
- Changed, in /etc/raddb/sites-enabled/default and
  /etc/raddb/sites-enabled/inner-tunnel:
      -ldap
  to:
      ldap
      if ((ok || updated) && User-Password) {
          update {
              control:Auth-Type := ldap
          }
      }
- /etc/raddb/mods-enabled/ldap:
      ldap {
          server = 'ldapserver.example.com'
          # port = 389
          # password = mypass
          base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
      }
So, above you aren't using any credentials to authenticate to the LDAP
server. You need to define *some* credentials here that the RADIUS server
would use to bind to LDAP before checking what it needs.
For a basic explanation see
https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
For an example, one can look at
https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
which describes roughly how to make RADIUS authenticate to LDAP with SASL GSSAPI
instead of a simple bind. It may be missing something; I just updated
Christian's version, which is several years old.
      user {
          base_dn = "${..base_dn}"
          filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
          # scope = 'sub'
          # sort_by = '-uid'
          # access_attribute = 'dialupAccess'
          # access_positive = yes
      }
      group {
          base_dn = "${..base_dn}"
          filter = '(objectClass=posixGroup)'
          scope = 'sub'
          name_attribute = cn
          membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
          membership_attribute = memberOf
          cacheable_name = 'yes'
          cacheable_dn = 'yes'
          # cache_attribute = 'LDAP-Cached-Membership'
      }
To test the user I did:
# radtest ttest2 password ldapserver.example.com 1812 secretkey
Thanks,
On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >Hi,
> >I'm trying to check if a user is in a given group in LDAP, but it doesn't
> >work. Here is the configuration:
> >- vi /etc/raddb/mods-enabled/ldap
>
> How do you connect to the LDAP server? You need to use an authenticated
> bind to see member attributes.
>
> >ldap {
> >    ...
> >    base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >    ...
> >}
> >group {
> >    base_dn = "${..base_dn}"
> >    filter = '(objectClass=posixGroup)'
> >    scope = 'sub'
> >    name_attribute = cn
> >    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >    membership_attribute = memberOf
> >    cacheable_name = 'yes'
> >    cacheable_dn = 'yes'
> >    # cache_attribute = 'LDAP-Cached-Membership'
> >
> >The result:
> >rlm_ldap (ldap): Reserved connection (2)
> >(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
> >(0) Checking for user in group objects
> >(0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> >(0)    --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
> >(0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
> >(0) Waiting for search result...
> >(0) Search returned no results
> >(0) Checking user object's memberOf attributes
> >(0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
> >(0) Waiting for search result...
> >(0) No group membership attribute(s) found in user object
> >
> >What am I missing?
> >Thanks,
>
> >_______________________________________________
> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
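The following is an added example, not code from the thread, from FreeRADIUS or from FreeIPA. It turns the point made in the reply above into a check: parse a FreeRADIUS `ldap { ... }` stanza and report whether the module would bind anonymously, with `identity`/`password`, or through a `sasl { mech = ... }` subsection; it also reproduces the hex-escaping visible in the `(0) EXPAND ... -->` debug lines when the user DN is substituted into the group filter. The config parser is a deliberately small approximation of the FreeRADIUS syntax, and the system-account DN `uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com`, its placeholder password, the `cn=accounts` search base and the set of escaped characters are assumptions chosen to fit this page, not quotations of rlm_ldap or of the poster's environment.

```python
"""Added example: how does a FreeRADIUS rlm_ldap stanza bind to LDAP?

Not rlm_ldap's own code: a minimal parser for the FreeRADIUS
`section { key = value }` syntax, a classifier for the admin bind the
module would perform, and the hex-escaping shown in the debug output
when a DN is substituted into a search filter.
"""
import re

# Characters hex-escaped when a value is placed in a filter. Assumed set,
# chosen to match the \3d and \2c in the debug output on this page; it is
# not a quotation of the rlm_ldap source.
_FILTER_UNSAFE = ',+"\\<>;*=()'


def ldap_filter_escape(value: str) -> str:
    """Escape a value for an LDAP filter: each unsafe byte becomes \\XX."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_UNSAFE or ord(ch) < 0x20 else ch
        for ch in value
    )


def _strip_comment(line: str) -> str:
    """Drop a trailing `# comment` unless the `#` sits inside quotes."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def parse_radius_config(text: str) -> dict:
    """Parse `name { ... }` sections and `key = value` lines into nested
    dicts. Quotes around values are removed; comments are ignored."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if m:
            section: dict = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
            continue
        m = re.fullmatch(r"([\w.-]+)\s*=\s*(.*)", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
                value = value[1:-1]
            stack[-1][key] = value
            continue
        raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def bind_mode(config: dict, instance: str = "ldap") -> str:
    """Return 'anonymous', 'simple' or 'sasl:<MECH>' for an ldap instance.

    rlm_ldap runs its user and group searches after an admin bind made
    with `identity`/`password` (or SASL). With neither configured the
    bind is anonymous, and FreeIPA then does not expose member/memberOf.
    """
    ldap = config[instance]
    sasl = ldap.get("sasl")
    if isinstance(sasl, dict) and sasl.get("mech"):
        return "sasl:" + sasl["mech"]
    if ldap.get("identity") and ldap.get("password"):
        return "simple"
    return "anonymous"


# Constructed copy of the stanza posted in the thread: no bind credentials.
POSTED_CONFIG = """
ldap {
    server = 'ldapserver.example.com'
    # port = 389
    # password = mypass
    base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
}
"""

# Assumed fix: a dedicated FreeIPA system account (created under
# cn=sysaccounts,cn=etc,<suffix>) with a placeholder password, and a base
# that also covers cn=groups,cn=accounts, where FreeIPA keeps its groups.
SIMPLE_BIND_CONFIG = """
ldap {
    server = 'ldapserver.example.com'
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'change-me'   # keep mods-enabled/ldap readable by root only
    base_dn = 'cn=accounts,dc=example,dc=com'
}
"""

# Assumed alternative: SASL GSSAPI as in the gist linked above; the service
# keytab is handed to the module through KRB5_CLIENT_KTNAME in its environment.
SASL_CONFIG = """
ldap {
    server = 'ldapserver.example.com'
    base_dn = 'cn=accounts,dc=example,dc=com'
    sasl {
        mech = 'GSSAPI'
        realm = 'EXAMPLE.COM'
    }
}
"""
```

Running `bind_mode(parse_radius_config(...))` on the three stanzas gives `anonymous`, `simple` and `sasl:GSSAPI`; the first is the situation the reply above describes, where the commented-out `# password = mypass` leaves the module without any bind identity, so the `member`/`memberOf` lookups that follow can return nothing. Because the simple-bind stanza carries a password, the file should be readable only by the user radiusd runs as, and the system account should have read access only. Separately from the bind question, the debug output searches for the group under `cn=users,cn=accounts,...`, which is why the constructed fix widens `base_dn` to `cn=accounts` so that the inherited `${..base_dn}` in the `group {}` block also reaches `cn=groups`.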