Hi Alexander and thank you for the documents,
Right, I didn't configure freeradius to use kerberos authentication, but
a question please: with the radtest command above the authentication is
performed, and if I see Access-Accept, does it mean the password provided
in the command matches the password in LDAP?
Perhaps it matches the password, but your problem (as I understood) was
that you weren't able to pull the group membership out of LDAP. These
are two different steps -- the RADIUS server's ldap plugin uses the user's
password for authentication, but it should also use its own credentials to
bind to LDAP for the authorization step.
On Tue, Mar 12, 2019 at 2:59 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Tue, 12 Mar 2019, Boudjoudad Abdelkader wrote:
> >Hi Alexander,
> >Thank you for your quick reply and sorry, I'm very new with freeradius.
> >I did:
> >- Changing in /etc/raddb/sites-enabled/default and
> >/etc/raddb/sites-enabled/inner-tunnel
> >    -ldap
> >to:
> >    ldap
> >    if ((ok || updated) && User-Password) {
> >        update {
> >            control:Auth-Type := ldap
> >        }
> >    }
> >
> >- /etc/raddb/mods-enabled/ldap
> >ldap {
> >    server = 'ldapserver.example.com'
> >    # port = 389
> >    # password = mypass
> >    base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
> >}
> So, above you aren't using any credentials to authenticate to LDAP
> server. You need to define *some* credentials here that radius server
> would use to bind to LDAP before checking what it needs.
>
> For a basic explanation see
> https://www.redhat.com/archives/freeipa-users/2015-December/msg00170.html
>
> For an example, one can look at
> https://gist.github.com/abbra/a74e171d791cf90113b0272b78919987
> which describes roughly how to make RADIUS authenticate to LDAP with
> SASL GSSAPI instead of a simple bind. It may be missing something, I just
> updated Christian's version, which is several years old.
>
> >
> >user {
> >    base_dn = "${..base_dn}"
> >    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> >    # scope = 'sub'
> >    # sort_by = '-uid'
> >    # access_attribute = 'dialupAccess'
> >    # access_positive = yes
> >}
> >group {
> >    base_dn = "${..base_dn}"
> >    filter = '(objectClass=posixGroup)'
> >    scope = 'sub'
> >    name_attribute = cn
> >    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >    membership_attribute = memberOf
> >    cacheable_name = 'yes'
> >    cacheable_dn = 'yes'
> >    # cache_attribute = 'LDAP-Cached-Membership'
> >}
> >
> >To test the user I did:
> ># radtest ttest2 password ldapserver.example.com 1812 secretkey
> >
> >Thanks,
> >
> >On Tue, Mar 12, 2019 at 2:06 PM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> >
> >> On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
> >> >Hi,
> >> >I'm trying to check if a user is in a given group name in LDAP but it
> >> >doesn't work, here is the configuration:
> >> >- vi /etc/raddb/mods-enabled/ldap
> >>
> >> How do you connect to the LDAP server? You need to use authenticated
> >> bind to see member attributes.
> >>
> >> >ldap {
> >> >    ...
> >> >    base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
> >> >    ...
> >> >}
> >> >group {
> >> >    base_dn = "${..base_dn}"
> >> >    filter = '(objectClass=posixGroup)'
> >> >    scope = 'sub'
> >> >    name_attribute = cn
> >> >    membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> >> >    membership_attribute = memberOf
> >> >    cacheable_name = 'yes'
> >> >    cacheable_dn = 'yes'
> >> >    # cache_attribute = 'LDAP-Cached-Membership'
> >> >
> >> >The result:
> >> >rlm_ldap (ldap): Reserved connection (2)
> >> >(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
> >> >(0) Checking for user in group objects
> >> >(0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
> >> >(0)    --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
> >> >(0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
> >> >(0) Waiting for search result...
> >> >(0) Search returned no results
> >> >(0) Checking user object's memberOf attributes
> >> >(0) Performing unfiltered search in "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
> >> >(0) Waiting for search result...
> >> >(0) No group membership attribute(s) found in user object
> >> >
> >> >What am I missing?
> >> >Thanks,
> >>
> >> >_______________________________________________
> >> >FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >> >To unsubscribe send an email to
> >> freeipa-users-leave(a)lists.fedorahosted.org
> >> >Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> >> >List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> >List Archives:
> >>
>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >>
> >>
> >> --
> >> / Alexander Bokovoy
> >> Sr. Principal Software Engineer
> >> Security / Identity Management Engineering
> >> Red Hat Limited, Finland
> >>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
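An example of the credentialed rlm_ldap configuration the thread is asking for, added here as an illustration; it is not taken from the thread or from the linked gist. It assumes FreeRADIUS 3.x, a dedicated FreeIPA system account `uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com` created for the RADIUS server, the FreeIPA CA certificate at `/etc/ipa/ca.crt`, and the standard FreeIPA tree in which groups live under `cn=groups,cn=accounts` rather than under the users container; the password value is a placeholder.

```conf
# /etc/raddb/mods-enabled/ldap  (example, FreeRADIUS 3.x rlm_ldap)
ldap {
    server = 'ldapserver.example.com'
    port = 389

    # Step 2 (authorization): credentials rlm_ldap uses for ITS OWN bind
    # when it looks up the user DN and group membership. Without these the
    # module binds anonymously and FreeIPA will not return member/memberOf.
    # Assumption: a FreeIPA system account created for this purpose.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'REPLACE-WITH-SYSACCOUNT-PASSWORD'   # placeholder

    base_dn = 'cn=accounts,dc=example,dc=com'

    # Step 1 (authentication) is unchanged: with control:Auth-Type := ldap
    # in the virtual servers, rlm_ldap binds as the user with the password
    # from the request, so the service account never needs to read passwords.

    user {
        base_dn = 'cn=users,cn=accounts,dc=example,dc=com'
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # FreeIPA stores groups under cn=groups, not cn=users: a group
        # search rooted at the users container can never find ipausers.
        base_dn = 'cn=groups,cn=accounts,dc=example,dc=com'
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = memberOf
        cacheable_name = 'yes'
        cacheable_dn = 'yes'
    }

    # The bind password above and the users' passwords cross the network on
    # every request; require STARTTLS with the IPA CA so they are never sent
    # in the clear. Assumption: the IPA CA cert is at /etc/ipa/ca.crt.
    tls {
        start_tls = yes
        ca_file = /etc/ipa/ca.crt
        require_cert = 'demand'
    }
}
```

Before reloading radiusd, confirm the service account can actually see membership with a plain `ldapsearch -x -ZZ -D 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com' -W -b 'cn=groups,cn=accounts,dc=example,dc=com' '(cn=ipausers)' member`; if no `member` values come back there, the rlm_ldap group check cannot succeed either.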