Nasser Heidari

2012-08-05

Freeradius – Problem with rlm_perl

Filed under: Linux — Nasser Heidari @ 13:46

On Debian/Ubuntu, FreeRADIUS fails to start when you use the rlm_perl module.

——
root@debian:/etc/freeradius# /etc/init.d/freeradius restart
Stopping FreeRADIUS daemon: freeradius/var/run/freeradius/freeradius.pid not found....
Starting FreeRADIUS daemon: freeradiusCan't load '/usr/lib/perl5/auto/DBI/DBI.so' for module DBI: /usr/lib/perl5/auto/DBI/DBI.so: undefined symbol: PL_memory_wrap at /usr/lib/perl/5.10/DynaLoader.pm line 192.
at /usr/lib/perl5/DBI.pm line 265
BEGIN failed--compilation aborted at /usr/lib/perl5/DBI.pm line 265.
Compilation failed in require at /etc/freeradius/dump.pl line 2.
BEGIN failed--compilation aborted at /etc/freeradius/dump.pl line 2.
failed!

——

After a little googling I found the solution: all you need to do is preload the Perl library:

LD_PRELOAD=/usr/lib/libperl.so.5.10.1 /usr/sbin/freeradius -X

Note: you will need to find out your Perl library path. Use the absolute path of the system's own libperl, since whatever LD_PRELOAD names is loaded into the freeradius process:
# find /usr/lib/ -name "libperl.so*"

You also need to update your init script like this:

LD_PRELOAD=/usr/lib/libperl.so.5.10.1 start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $PROGRAM -- $FREERADIUS_OPTIONS ...

2012-07-17

Freeradius – check nested ldap group membership

Filed under: Linux — Nasser Heidari @ 15:23

If your organization has lots of users and groups, you may also use nested groups.
For example, UserA is a member of SalesGroup, and SalesGroup is a member of VPN_Group.
I want all members of VPN_Group to be able to connect to the VPN server. If you use a normal groupmembership_filter in your ldap module, then UserA will not be able to authenticate, as he is not a direct member of VPN_Group.
If you need such a thing, then the only way (that I know) is to use the Active Directory matching rule OID (LDAP_MATCHING_RULE_IN_CHAIN).

I made it work using the following group membership query in the ldap module:

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

Read more here about LDAP search filters.
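
What the in-chain rule changes for the UserA example above, as an added example that is not from the original post: a small Python model over a constructed directory compares a direct member match with the transitive match, and builds the post's filter with the DN escaped per RFC 4515. The helper names and the example.com DNs are assumptions.

```python
# Added example: constructed directory data, hypothetical helper names.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN OID from the post

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\0':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def nested_group_filter(user_dn):
    """Build the post's group filter for one user DN."""
    return "(&(objectcategory=group)(member:%s:=%s))" % (
        IN_CHAIN, escape_filter_value(user_dn))

def direct_groups(directory, dn):
    """What a plain (member=<dn>) filter matches: groups listing dn directly."""
    return {g for g, members in directory.items() if dn in members}

def in_chain_groups(directory, dn):
    """What the in-chain rule matches: groups reached through nested membership."""
    found, todo = set(), [dn]
    while todo:
        current = todo.pop()
        for group in direct_groups(directory, current):
            if group not in found:  # visited check also stops membership loops
                found.add(group)
                todo.append(group)
    return found

# Constructed sample directory: group DN -> set of member DNs.
USER_A = "CN=UserA,OU=Staff,DC=example,DC=com"
SALES = "CN=SalesGroup,OU=Groups,DC=example,DC=com"
VPN = "CN=VPN_Group,OU=Groups,DC=example,DC=com"
DIRECTORY = {SALES: {USER_A}, VPN: {SALES}}

if __name__ == "__main__":
    print(nested_group_filter(USER_A))
    print("direct:  ", sorted(direct_groups(DIRECTORY, USER_A)))
    print("in-chain:", sorted(in_chain_groups(DIRECTORY, USER_A)))
```

The direct match returns only SalesGroup, so a check for VPN_Group fails; the in-chain match returns both groups.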
