LDAP scope

Gary Algier gaa at ulticom.com
Thu Jan 5 23:07:30 CET 2006


Stefan Adams wrote:
> Hi!
> 
> Is it possible to specify a basedn of "dc=example,dc=com" with a scope
> of "sub" so that my search filters can apply to both "ou=People" and
> "ou=Computers" for example?  It seems from my testing that the scope
> is "one" by default.
From my experience it is a scope of "sub" by default.  My people are
in the data store like:
     dn: uid=gaa,ou=people,dc=ulticom,dc=com
and my ldap section of radius.conf is:
             ldap {
                     server = "ldap.ulticom.com"
                     basedn = "dc=ulticom,dc=com"
                     filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
                     do_xlat = yes
                     base_filter = "(objectclass=*)"
                     start_tls = no
                     access_attr = "uid"
                     dictionary_mapping = ${raddbdir}/ldap.attrmap
                     ldap_connections_number = 5
                     timeout = 4
                     timelimit = 3
                     net_timeout = 1
             }


> 
> The reason I would like to do this is to have the check box in Windows
> XP that says "Authenticate as computer..." checked.  Doing this,
> FreeRADIUS is first presented with the credentials of the computer
> (host/name).  Since I already have a computer account in ou=Computers,
> I figure I'd just add a cn=host/name attribute and modify the filter
> to be (|(uid=%{User-Name})(cn=%{User-Name})).  But this can only work
> with a basedn of "dc=example,dc=com" and a scope of sub.
The thing to watch out for is the actual LDAP lookup may not be
what you think.  Without special regex matches or other tricks it
will only look up your hostname.  For instance with a user of "gaa"
on host "malachite", the supplied user value is "MALACHITE\GAA".
This then results in an LDAP lookup of (from radiusd -X):
-----------------------------------------------------------------------------
rlm_ldap: performing user authorization for MALACHITE\gaa
radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
radius_xlat:  'dc=ulticom,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
-----------------------------------------------------------------------------

I tried to handle it with this:

hints file:
     ...
     DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)"
             Hint = "8021XUSER",
             Stripped-User-Name = `${2}`
     ...
users file:
     ...
     DEFAULT Hint == "8021XUSER"
             Fall-Through = 1
     ...

This strips the hostname off, mostly.  I see it do several "uid=gaa"
lookups, then one "uid=MALACHITE" and then it fails.  If you get it
to work, let me know.  All I want to do is look up the user.

If you want to use the hostname, how will you match the password?  What
credentials are you expecting it to pass?  I was under the assumption
that when you select "Authenticate as computer..." it expects to
use certificates (I may be wrong here).

The format of the password when using the Windows domain style login
is the Windows "encrypted" format (actually a hash, not encrypted,
but you still can't recreate the clear text password).  In the default
configuration, this value is matched against the LDAP attribute
"sambaNTPassword".  This assumes that you are already using
Samba for SMB/CIFS access.  (I am).

> 
> Thanks!
> Stefan
> 

-- 
Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033

Nielsen's First Law of Computer Manuals:
     People don't read documentation voluntarily.
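An added Python sketch (not from the list thread and not FreeRADIUS code) of what the hints rule and the filter line in Gary's excerpt do to a user name such as MALACHITE\GAA: the hints regex keeps only the part after the backslash, and that is what lands in the uid= term. The escape helper is my own addition, since a user-supplied name should go into an LDAP filter only after RFC 4515 escaping; whether rlm_ldap escapes xlat output itself is not covered by the thread.

```python
import re

# The hints-file string "^(.*)\\\\(.*)" unescapes to the regex ^(.*)\\(.*),
# i.e. "anything, one literal backslash, anything" (my reading of the rule).
HINT_RE = re.compile(r"^(.*)\\(.*)")


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping of a filter assertion value (own helper, not from
    FreeRADIUS): *, (, ), backslash and NUL become \\xx hex escapes so a
    user-supplied name can never change the shape of the filter."""
    out = []
    for ch in value:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def stripped_user_name(user_name: str) -> str:
    """Mimic the hints rule: Stripped-User-Name = ${2} when the name
    contains a backslash; otherwise the original User-Name is used."""
    m = HINT_RE.match(user_name)
    return m.group(2) if m else user_name


def build_filter(user_name: str) -> str:
    """The filter from the radiusd.conf excerpt, expanded with
    %{Stripped-User-Name:-%{User-Name}} after escaping."""
    name = ldap_filter_escape(stripped_user_name(user_name))
    return "(&(objectclass=person)(uid=%s))" % name


def build_or_filter(user_name: str) -> str:
    """The (|(uid=...)(cn=...)) variant Stefan proposed, applied to the
    raw User-Name (no hint stripping), again with escaping."""
    name = ldap_filter_escape(user_name)
    return "(|(uid=%s)(cn=%s))" % (name, name)


if __name__ == "__main__":
    # Constructed sample names from the thread: domain-style and host-style.
    for n in ("MALACHITE\\GAA", "gaa", "host/malachite"):
        print(n, "->", build_filter(n), build_or_filter(n))
```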



More information about the Freeradius-Users mailing list