[CVALE] freeradius help

Patrick Bennett stnick at bennettbungalow.com
Sun Oct 11 14:44:27 PDT 2009


Thanks for the advice Kristian.  BTW, what interface are you using to 
administrate ldap?

    -Patrick


Kristian Hoffmann wrote:
> Hi Patrick,
>
> On Thu, 8 Oct 2009, Patrick Bennett wrote:
>
>> Is there any body out there experienced with freeradius configuration?
>>
>> I have freeradius installed and it is authenticating successfully
>> against the unix passwd/shadow information.
>>
>>  I've got two primary questions:
>>
>> 1) Can I (and if so, how) restrict access to only users in unix group
>> X?  For example, I want to create a standard unix group called
>> "vpnusers" and allow only members of that group to get a successful
>> freeradius auth.  This seems like an obvious capability to me, but
>> google is not turning up any hits that don't have to do with LDAP.  If
>> this is not possible to do within freeradius, any ideas on how to check
>> the group membership of users attempting to "dial in" to the VPN?
>
> If you're using the "unix" module (rlm_unix), then I believe it's as
> adding a check attribute like so...
>
> DEFAULT	Auth-Type := Local, Group == "dialin"
> ...
>
> It might also be worth checking out the rlm_pam documentation...
>
> http://freeradius.org/radiusd/doc/rlm_pam
>
>> 2) On the same system that will be dealing with the radius requests, I
>> have got OpenLDAP configured and clients are able to authenticate
>> against it.  For example, Windows XP Pro workstations are able to join
>> the domain and login to their windows workstation using their ldap
>> username and password, ssh users are able to ssh in to the server and
>> login with their ldap username and password, etc..  I assume this is
>> "pam" magic because to set this up took a lot of tweaking of pam config
>> files.  I originally set out to have freeradius to auth directly against
>> the ldap database, but there is a comment in the freeradius config files
>> that says using the ldap authentication module "is almost always
>> wrong".  At the moment the freeradius server is successfully auth'ing
>> against the "true unix" (ie. passwd/shadow accounts), but not against
>> accounts in the ldap database - do you know offhand if the freeradius
>> accounts will start authing if i enable the *pam* auth module (since the
>> ldap module is "almost always wrong")?  Any tips about how to best allow
>> ldap users to freeradius auth?
>
> We're using rlm_ldap with freeradius with OpenLDAP on the backend.  I
> pretty much just followed the example config, but with some modifications
> for our directory's organization.  I'd say cut out the middle-man and try
> using LDAP directly from freeradius.  Here's the doc for rlm_ldap...
>
> http://freeradius.org/radiusd/doc/rlm_ldap
>
> If you run into errors or need help with specifics, feel free to ask.
>
>
> -Kristian
>
>
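A `users`-file entry that implements the group restriction Kristian describes, written as an added example for this thread rather than taken from either message or from the FreeRADIUS distribution; it is in FreeRADIUS 2.x `users` syntax and assumes rlm_unix is enabled (which supplies the `Group` check attribute) and that the group name `vpnusers` from Patrick's question exists in /etc/group:

```conf
# Constructed example for /etc/raddb/users (FreeRADIUS 2.x).
# Assumption: the "unix" module is enabled, so the Group check item is
# evaluated against local /etc/group membership by rlm_unix.

# Reject every request whose user is not a member of vpnusers, before any
# password check happens. Users who ARE members do not match this entry and
# fall through to the remaining entries, where normal authentication occurs.
DEFAULT	Group != "vpnusers", Auth-Type := Reject
	Reply-Message = "Access restricted to members of the vpnusers group"

# Optional explicit entry for members, kept without an Auth-Type so the
# server picks the authentication method from the password source it finds.
DEFAULT	Group == "vpnusers"
	Fall-Through = Yes
```

Testing the rule with `radtest` for one user inside and one outside the group, while running `radiusd -X`, shows the Reject being applied from the `files` module before any password is evaluated.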