[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?
Hugh Irvine
hugh at open.com.au
Mon Apr 26 18:11:15 CDT 2010
Hello Jennifer -
If you add "Debug 255" to your AuthBy LDAP2 clause, then run radiusd from the command line, we will be able to see everything that comes back from the LDAP query.
You should do this in the lab, and once we see what we are dealing with we can decide how best to proceed.
In general, you just need to use a SearchFilter to define a suitable query, rather than AuthAttrDef which operates on the contents of the incoming request.
See section 5.36.15 in the Radiator 4.6 reference manual ("doc/ref.pdf").
5.36.15 SearchFilter
Normally, the search filter that is used to find a matching user name is
(uid=name)
where uid is the name of the LDAP attribute defined by the UsernameAttr parameter, and name is the name of the user currently being authenticated. For advanced applications, you can completely alter the search filter that Radiator will use by using the optional SearchFilter parameter. It allows you to use arbitrarily complicated LDAP search filters to select or exclude users based on attributes other than their user name. Special formatting characters are permitted, and %0 is replaced by UsernameAttr and %1 by the user name. For example, this SearchFilter will only match users with the appropriate setting of their ‘current’ attribute:
SearchFilter (&(current=1)(uid=%1))
In SearchFilter, you an use any special formatting character. For backwards compatibility, perl variables used to be interpolated, but this has been removed. The default setting for SearchFilter is ‘(%0=%1)’, which will match the user name against the LDAP attribute defined by the UsernameAttr parameter (usually ‘uid’). Therefore the default search string is (uid=name).
regards
Hugh
On 27 Apr 2010, at 08:39, Jennifer Mehl wrote:
> Hi there,
>
> I'm using the AUTHBYLDAP2 to do simple authentication to our campus LDAP directory for VPN services. It is working fine so far.
>
> I'd like to further limit access to this VPN service to authenticated users with particular email domains in their mail LDAP attribute. There are to be 4 different "allowed" email domains.
>
> How do I best do this? I believe I need to use AuthAttrDef and look for the mail LDAP attribute, but not sure exactly how to accept the authentication if the correct email domain exists, and deny if the attribute is empty or contains any other domain.
>
> I'm using RADIATOR 4.0 on Linux.
>
>
> Here is the relevant part of radius.cfg:
>
> <Handler>
> # strip realm
> RewriteUsername s/^([^@]+).*/$1/
> # lowercase
> RewriteUsername tr/A-Z/a-z/
> AuthByPolicy ContinueUntilAccept
> AuthBy BY_FILE
> AuthBy BY_UCSB_LDAP
> </Handler>
>
>
> Here is my relevant AUTHBYLDAP2 clause:
>
> #UCSB LDAP Directory
> <AuthBy LDAP2>
> Identifier BY_UCSB_LDAP
> include /etc/radiator/ucsbldap.cfg
> </AuthBy LDAP2>
>
>
> Here is ucsbldap.cfg:
>
>
> Host directory.ucsb.edu
> BaseDN o=ucsb
> UsernameAttr uid
> PasswordAttr userPassword
> ServerChecksPassword
> FailureBackoffTime 10
>
>
> # You can enable debugging of the Net::LDAP
> # module with this:
> Debug 255
>
> UseSSLSSLCAFile /usr/share/ssl/cert.pem
> SSLVerify require
>
>
>
> Thanks for any assistance!
>
> --Jennifer
>
>
> ==================================
> Jennifer L. Mehl
> Senior Systems Administrator
> University of California, Santa Barbara
> Physics Computing Services
> mailto:jmehl at physics.ucsb.edu
> (805) 893-8366, ext 2 (work)
> ...also rings when working from home
> Skype:ucsb.physics.mehl_j
> (805) 451-7486 (cell)
> ==================================
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list