Douglas Sterner
2005-Apr-07 00:16 UTC
[Samba] Time to give back, Samba LDAP with FreeRadius
If this is off topic I apologize in advance. Using Samba 3.0.13 with an
LDAP back-end and FreeRadius I was trying to add the Radius schema and
kept getting object class violations. It's my limited understanding of
LDAP that you can not have more than one structural objectclass. I'm no
ldap expert so no email telling me how wrong I am. So I came up with
another solution. Using the Windows NT user manager in samba you can grant
dialin permission to a user and authenticate against Radius on the
back-end. We currently already depend on User Manager for other things so
this helped to centralize our management of our VPN users. All you have to
do is select the user / Dialin / Grant Dialin permission to user and
apply. Using a working Samba LDAP configuration there is nothing in samba
or LDAP to configure; it's automatic. I've included the changes necessary
in a working radius server to complete it. We have been using this in a
Suse ES 9 production environment with great success against a Cisco VPN
concentrator for remote user authentication.
Radius Config files
Clients.conf
client 127.0.0.1 {
# Shared secret that authenticates this NAS and protects User-Password on
# the wire; "mysecretpassword" is a placeholder - use a long random value
# unique to each client before deploying.
secret = mysecretpassword
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
client 192.168.XXX.XXX/24 {
# Placeholder network. Write the network address (host bits zero, e.g.
# 192.168.X.0/24) and keep the range as narrow as the real NAS addresses
# allow: every host inside it can submit requests with this secret.
# Same placeholder secret as the localhost client - replace it with a
# different long random value for this network.
secret = mysecretpassword
shortname = internal-network
nastype = other
}
Users
# No per-user entries: every request falls through to rlm_ldap, which
# verifies the password by binding to the directory as the user, and the
# filter in radius.conf (uid + sambaMungedDial) decides who is accepted.
# NOTE(review): an LDAP bind needs the cleartext password (PAP). EAP methods
# commonly used for wireless (PEAP/EAP-MSCHAPv2) need the NT hash instead,
# so this line alone is unlikely to cover 802.1X - confirm for that use.
DEFAULT Auth-Type = LDAP
radius.conf
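ldap {
	# LDAP host that holds the Samba accounts; the module binds here for the
	# user lookup (identity/password below) and, with Auth-Type = LDAP, for
	# the user's own password check.
	server = "ldap.mydomain.lcl"
	# Bind DN for the lookup. NOTE(review): this is the directory manager; a
	# dedicated read-only DN limited to uid and sambaMungedDial on the user
	# subtree is the least-privilege choice.
	identity = "cn=Manager,dc=mydomain,dc=lcl"
	# Cleartext bind password: keep this file readable by the radiusd user only.
	password = "myldappassword"
	basedn = "dc=mydomain,dc=lcl"
	# Stock filter, left commented for reference.
	#filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	# Find the user only if uid matches AND sambaMungedDial equals the blob
	# Samba writes when "Grant dialin permission to user" is ticked in User
	# Manager - the dial-in flag is the whole access check. The value must
	# stay on ONE line: the config parser has no line continuation, and the
	# mail-wrapped copy of this file does not parse.
	# %u is the bare User-Name, so a stripped realm is not honoured here;
	# confirm that the module escapes LDAP metacharacters in the expanded
	# name for the version in use.
	# Any other dial-in/callback setting in User Manager presumably changes
	# the blob, which would lock that user out - verify before relying on it.
	filter = "(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA))"
	# set this to 'yes' to use TLS encrypted connections to the LDAP database
	# by using the StartTLS extended operation. The StartTLS operation is
	# supposed to be used with normal ldap connections instead of using
	# ldaps (port 636) connections.
	# NOTE(review): with 'no', the bind password above and every user
	# password the server checks travel to ldap.mydomain.lcl in cleartext;
	# switch to 'yes' once the directory presents a certificate.
	start_tls = no
	#default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
	#profile_attribute = "radiusProfileDn"
	#access_attr = "dialupAccess"
	# Mapping of RADIUS dictionary attributes to LDAP directory attributes.
	# ${raddbdir} is only defined when this block lives in (or is included
	# from) a radiusd.conf that sets it near the top; a standalone copy fails
	# with "No such entry raddbdir", in which case use the literal raddb path.
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	# password_header = "{clear}"
	# password_attribute = userPassword
	# groupname_attribute = cn
	# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
	# groupmembership_attribute = radiusGroupName
	timeout = 4
	timelimit = 3
	net_timeout = 1
	# compare_check_items = yes
	# access_attr_used_for_allow = yes
}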
Douglas Sterner
Network Analyst
Hi
I'd like to ask about the conf file you posted here: is there any mistake in
it? I tried to use it but it failed with the following message:
Tue Apr 12 10:11:59 2005 : Info: Starting - reading configuration files ...
Tue Apr 12 10:11:59 2005 : Error: config: No such entry raddbdir for string
${raddbdir}/ldap.attrmap
Tue Apr 12 10:11:59 2005 : Error: Errors reading radiusd.conf
I'm trying to set up wireless authentication using the LDAP backend
containing samba users as well. Can you help me with this?
Thanks
----- Original Message -----
From: "Douglas Sterner" <DSterner@arnoldtrans.com>
To: <freeradius-users@lists.freeradius.org>
Cc: <samba@lists.samba.org>; <jht@primastasys.com>
Sent: Thursday, April 07, 2005 7:13 AM
Subject: [Samba] Time to give back, Samba LDAP with FreeRadius
> If this is off topic I apologize in advance. Using Samba 3.0.13 with an
> LDAP back-end and FreeRadius I was trying to add the Radius schema and
> kept getting object class violations. It's my limited understanding of
> LDAP that you can not have more than one structural objectclass. I'm no
> ldap expert so no email telling me how wrong I am. So I came up with
> another solution. Using the Windows NT user manager in samba you can grant
> dialin permission to a user and authenticate against Radius on the
> back-end. We currently already depend on User Manager for other things so
> this helped to centralize our management of our VPN users. All you have to
> do is select the user / Dialin / Grant Dialin permission to user and
> apply. Using a working Samba LDAP configuration there is nothing in samba
> or LDAP to configure it's automatic. I've included the changes
necessary
> in a working radius server to complete it. We have been using this in a
> Suse ES 9 production environment with great success against a Cisco VPN
> concentrator for remote user authentication.
>
> Radius Config files
>
> Clients.conf
> client 127.0.0.1 {
>
> secret = mysecretpassword
> shortname = localhost
> nastype = other # localhost isn't usually a NAS...
> }
> client 192.168.XXX.XXX/24 {
> secret = mysecretpassword
> shortname = internal-network
> nastype = other
> }
>
> Users
> DEFAULT Auth-Type = LDAP
>
> radius.conf
> ldap {
> server = "ldap.mydomain.lcl"
> identity = "cn=Manager,dc=mydomain,dc=lcl"
> password = "myldappassword"
> basedn = "dc=mydomain,dc=lcl"
> #filter =
"(uid=%{Stripped-User-Name:-%{User-Name}})"
> filter =
"(&(uid=%u)(SambaMungedDial=bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAA
IAAgACAAIABkAAkAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAg
ACAA))"
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with
> normal
> # ldap connections instead of using ldaps (port 689)
> connections
> start_tls = no
>
> #default_profile = "cn=radprofile,ou=dialup,o=My
Org,c=UA"
> #profile_attribute = "radiusProfileDn"
> #access_attr = "dialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
> # password_header = "{clear}"
> # password_attribute = userPassword
> # groupname_attribute = cn
> # groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> # groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # access_attr_used_for_allow = yes
>
> }
>
>
> Douglas Sterner
> Network Analyst