[Samba] Time to give back, Samba LDAP with FreeRadius
Adi Nugraha
adi at westindo.co.id
Tue Apr 12 03:44:21 GMT 2005
Hi
I'd like to ask about the conf file you posted here. Is there any mistake in
it? Because I tried to use it, but it failed with the following message:
Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files ...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string ${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf
I'm trying to set up wireless authentication using the LDAP backend, which
contains the Samba users as well. Can you help me with this?
Thanks
----- Original Message -----
From: "Douglas Sterner" <DSterner at arnoldtrans.com>
To: <freeradius-users at lists.freeradius.org>
Cc: <samba at lists.samba.org>; <jht at primastasys.com>
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius
> If this is off topic I apologize in advance. Using Samba 3.0.13 with an
> LDAP back-end and FreeRadius I was trying to add the Radius schema and
> kept getting object class violations. It's my limited understanding of
> LDAP that you can not have more than one structural objectclass. I'm no
> ldap expert so no email telling me how wrong I am. So I came up with
> another solution. Using the Windows NT user manager in samba you can grant
> dialin permission to a user and authenticate against Radius on the
> back-end. We currently already depend on User Manager for other things so
> this helped to centralize our management of our VPN users. All you have to
> do is select the user / Dialin / Grant Dialin permission to user and
> apply. Using a working Samba LDAP configuration there is nothing in samba
> or LDAP to configure it's automatic. I've included the changes necessary
> in a working radius server to complete it. We have been using this in a
> Suse ES 9 production environment with great success against a Cisco VPN
> concentrator for remote user authentication.
>
> Radius Config files
>
> Clients.conf
> client 127.0.0.1 {
>
> secret = mysecretpassword
> shortname = localhost
> nastype = other # localhost isn't usually a NAS...
> }
> client 192.168.XXX.XXX/24 {
> secret = mysecretpassword
> shortname = internal-network
> nastype = other
> }
>
> Users
> DEFAULT Auth-Type = LDAP
>
> radius.conf
> ldap {
> server = "ldap.mydomain.lcl"
> identity = "cn=Manager,dc=mydomain,dc=lcl"
> password = "myldappassword"
> basedn = "dc=mydomain,dc=lcl"
> #filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> start_tls = no
>
> #default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> #profile_attribute = "radiusProfileDn"
> #access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
> # password_header = "{clear}"
> # password_attribute = userPassword
> # groupname_attribute = cn
> # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # access_attr_used_for_allow = yes
>
> }
>
>
> Douglas Sterner
> Network Analyst
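As an added illustration that is not from either poster, the Python below decodes the sambaMungedDial value used in the LDAP filter quoted above and shows what that exact-match filter is really comparing: Samba stores the attribute as base64 over a UTF-16LE string, an "m:" header padded with spaces followed by a "d" marker and the dial-in parameters written by User Manager. Any other change to a user's parameters produces a different blob, so the filter stops matching and the user is denied rather than granted.

```python
import base64

# sambaMungedDial value copied verbatim from the LDAP filter in the radius.conf
# quoted above (it was line-wrapped in the mail; the pieces are rejoined here).
MUNGED_DIAL = (
    "bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA"
    "IAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAg"
    "ACAA"
)


def decode_munged_dial(value: str) -> str:
    """Samba stores sambaMungedDial as base64 over a UTF-16LE string."""
    raw = base64.b64decode(value, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count, not a UTF-16LE string")
    return raw.decode("utf-16-le")


def describe_munged_dial(value: str) -> dict:
    """Split the decoded blob into the parts the filter implicitly relies on.

    The text opens with an "m:" header padded with spaces; the dial-in
    settings follow a "d" marker (this example reports the marker and what
    comes right after it, but does not interpret the parameters themselves).
    """
    text = decode_munged_dial(value)
    marker = text.find("d")  # neither "m:" nor the space padding contains "d"
    return {
        "header": text[:2],
        "dialin_section_present": marker != -1,
        "dialin_marker": text[marker:marker + 2] if marker != -1 else "",
        "utf16_chars": len(text),
    }


def matches_granted_blob(candidate: str, reference: str = MUNGED_DIAL) -> bool:
    """What the equality filter does: a byte-for-byte comparison of the
    encoded value, with no parsing of the dial-in settings inside it."""
    return candidate == reference


if __name__ == "__main__":
    print(describe_munged_dial(MUNGED_DIAL))
```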