[Samba] Time to give back, Samba LDAP with FreeRadius

Douglas Sterner DSterner at arnoldtrans.com
Thu Apr 7 00:13:58 GMT 2005 

If this is off topic I apologize in advance. Using Samba 3.0.13 with an 
LDAP back-end and FreeRadius I was trying to add the Radius schema and 
kept getting object class violations. It's my limited understanding of 
LDAP that you can not have more than one structural objectclass. I'm no 
ldap expert so no email telling me how wrong I am. So I came up with a 
another solution. Using the Windows NT user manager in samba you can grant 
dialin permission to a user and authenticate against Radius on the 
back-end. We currently already depend on User Manager for other things so 
this helped to centralize our management of our VPN users. All you have to 
do is select the user / Dialin / Grant Dialin permission to user and 
apply.  Using a working Samba LDAP configuration there is nothing in samba 
or LDAP  to configure it's automatic. I've included the changes necessary 
in a working radius server to complete it. We have been using this in a 
Suse ES 9 production environment with great success against a Cisco VPN 
concentrator for remote user authentication.

Radius Config files

Clients.conf
client 127.0.0.1 {
 
        secret          = mysecretpassword
        shortname       = localhost
        nastype       = other   # localhost isn't usually a NAS...
}
client 192.168.XXX.XXX/24 {
        secret          = mysecretpassword
        shortname       = internal-network
        nastype = other
}

Users
DEFAULT Auth-Type = LDAP

radius.conf
ldap {
                server = "ldap.mydomain.lcl"
              identity = "cn=Manager,dc=mydomain,dc=lcl"
               password = "myldappassword"
                basedn = "dc=mydomain,dc=lcl"
                #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
                filter = 
"(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"
                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                # The StartTLS operation is supposed to be used with 
normal
                # ldap connections instead of using ldaps (port 689) 
connections
                start_tls = no

                #default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                #profile_attribute = "radiusProfileDn"
                #access_attr = "dialupAccess"

                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                ldap_connections_number = 5
                # password_header = "{clear}"
                # password_attribute = userPassword
                # groupname_attribute = cn
                # groupmembership_filter = 
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                # groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # access_attr_used_for_allow = yes

        }


Douglas Sterner 
Network Analyst

More information about the samba mailing list