Hello, greetings.

I have some queries related to OpenLDAP authentication and authorization; I followed ldap_howto.rst. I am able to authenticate via LDAP, but authorization is not working according to per-user profiles. How can I obtain the user's profile? If I put a default profile then it works and replies the same to all users. Here's my ldap config:

ldap {
    server = 'localhost'
    identity = 'cn=adm,dc=xyx,dc=com.'
    base_dn = 'ou=radius,dc=xyz,dc=com'
    update {
        control:Password-With-Header += 'userPassword'
        control:Expiration := 'radiusExpiration'
        control:Calling-Station-Id := 'radiusCallingStationId'
        control:NAS-Identifier := 'radiusNASIdentifier'
        control:Simultaneous-Use := 'radiusSimultaneousUse'
        reply:Reply-Message := 'radiusReplyMessage'
        control:NT-Password := 'ntPassword'
        reply:Idle-Timeout := 'radiusIdleTimeout'
        reply:Session-Timeout := 'radiusSessionTimeout'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        sasl {
        }
    }
    profile {
        filter = '(objectclass=radiusprofile)'
        default = 'uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com'
        attribute = 'radiusProfileDn'
    }
}

Result with default profile config:

Sent Access-Request Id 188 from 0.0.0.0:60201 to 127.0.0.1:1812 length 77
    User-Name = "user1"
    User-Password = "user123"
    NAS-IP-Address = 10.21.8.10
    NAS-Port = 1812
    Message-Authenticator = 0x00
    Cleartext-Password = "user123"
Received Access-Accept Id 188 from 127.0.0.1:1812 to 127.0.0.1:60201 length 104
    Idle-Timeout = 600
    Session-Timeout = 86400
    Acct-Interim-Interval = 10800
    ERX-Egress-Policy-Name = "20MD"
    ERX-Ingress-Policy-Name = "20MU"
    MS-Primary-DNS-Server = 1.1.1.1
    MS-Secondary-DNS-Server = 9.9.9.9
    Framed-Pool = "staff-pool"

OpenLDAP:

# planx, profiles, radius, xyz.com
dn: uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com
cn: planx
radiusIdleTimeout: 600
radiusSessionTimeout: 86400
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
uid: planx
objectClass: radiusObjectProfile
objectClass: radiusprofile
radiusReplyAttribute: Acct-Interim-Interval := 10800
radiusReplyAttribute: ERX-Egress-Policy-Name := 10MD
radiusReplyAttribute: ERX-Ingress-Policy-Name := 20MU
radiusReplyAttribute: MS-Primary-DNS-Server := 1.1.1.1
radiusReplyAttribute: MS-Secondary-DNS-Server := 9.9.9.9
radiusReplyAttribute: Framed-Pool := staff-pool

# plany, profiles, radius, xyz.com
dn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
cn: plany
objectClass: radiusObjectProfile
objectClass: radiusprofile
objectClass: top
radiusFramedProtocol: PPP
radiusIdleTimeout: 600
radiusServiceType: Framed-User
radiusSessionTimeout: 86400
uid: plany
radiusReplyAttribute: Acct-Interim-Interval := 10800
radiusReplyAttribute: ERX-Egress-Policy-Name := 10MD
radiusReplyAttribute: ERX-Ingress-Policy-Name := 10MU
radiusReplyAttribute: MS-Primary-DNS-Server := 1.1.1.1
radiusReplyAttribute: MS-Secondary-DNS-Server := 9.9.9.9
radiusReplyAttribute: Framed-Pool := default-pool

# users, radius, xyz.com
dn: ou=users,ou=radius,dc=xyz,dc=com
objectClass: organizationalUnit
objectClass: top
ou: users

dn: uid=user1,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: planx
uid: user1
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile

Is "radiusGroupName:" obsolete in FreeRADIUS 3?

dn: uid=user2,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: plany
uid: user2
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: radiusprofile

-----

How can I obtain a user's profile? Please suggest.

Regards,
Srijan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
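The profile section of the posted config names the user attribute that holds a profile DN (attribute = 'radiusProfileDn') and a default profile applied to everyone. The following Python script is an added example, not the poster's data or FreeRADIUS's own code: it models that lookup over a constructed LDIF excerpt based on the thread's entries, where user1 carries only radiusGroupName as in the post and a constructed user2 is given a radiusProfileDn value for contrast. The order in which profiles are applied (default first, then the DNs from the user's profile attribute) is an assumption of the model.

```python
# Constructed LDIF modelled on the thread's entries; user2 gets a radiusProfileDn for contrast.
LDIF = """\
dn: uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com
radiusReplyAttribute: Framed-Pool := staff-pool

dn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
radiusReplyAttribute: Framed-Pool := default-pool

dn: uid=user1,ou=users,ou=radius,dc=xyz,dc=com
radiusGroupName: planx

dn: uid=user2,ou=users,ou=radius,dc=xyz,dc=com
radiusProfileDn: uid=plany,ou=profiles,ou=radius,dc=xyz,dc=com
"""

# The profile { } settings taken from the posted ldap module config.
PROFILE_CFG = {"attribute": "radiusProfileDn",
               "default": "uid=planx,ou=profiles,ou=radius,dc=xyz,dc=com"}

def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def profiles_for(user_dn, entries, cfg=PROFILE_CFG):
    """Profiles applied to a user: the default, then every DN found in the
    user's profile attribute (assumed order). No attribute -> default only."""
    return [cfg["default"]] + entries[user_dn].get(cfg["attribute"], [])

def reply_for(user_dn, entries):
    """Merge 'reply: += radiusReplyAttribute' over the applied profiles; each
    value is 'Name := value', so a later profile overrides an earlier one."""
    reply = {}
    for dn in profiles_for(user_dn, entries):
        for item in entries[dn].get("radiusReplyAttribute", []):
            name, value = (s.strip() for s in item.split(":=", 1))
            reply[name] = value
    return reply

if __name__ == "__main__":
    db = parse_ldif(LDIF)
    for uid in ("user1", "user2"):
        dn = f"uid={uid},ou=users,ou=radius,dc=xyz,dc=com"
        print(uid, profiles_for(dn, db), reply_for(dn, db))
```

With only radiusGroupName present, user1 resolves to the default profile alone, which matches the "same reply for every user" symptom in the post.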
On Feb 23, 2021, at 2:34 AM, Srijan <[hidden email]> wrote:
> I got some queries related to openldap authentication and authorization,
> followed ldap_howto.rst. Able to Authenticate via ldap but for
> authorization not working according to userwise's profiles.. how can i
> obtain user's profile. if i put default profile then it works and reply
> same to all users, Here's my ldap config:

We don't need to see that. Read http://wiki.freeradius.org/list-help

> Result with Default profile config:
>
> Sent Access-Request Id 188 from 0.0.0.0:60201 to 127.0.0.1:1812 length 77

That doesn't help.

> Openldap:
>
> # planx, profiles, radius, xyz.com

That doesn't help.

> How can I obtain a user's profile, please suggest..

Read the debug output.

Alan DeKok.