Returning attributes based on group membership using NTLM_AUTH

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Aug 3 08:15:16 CEST 2011


Coooorrrrect ! :)

-Arran


On 3 Aug 2011, at 06:19, Moe, John wrote:

> Sorry to reply to my own post, but I think I've found the answer; can
> someone let me know if I'm on the right track?
> 
> I believe that I should be using ntlm_auth to *only* validate the *password*
> in the authenticate section.  And then I'll need to configure the LDAP
> module and use Ldap-Group as an additional item to match against in the
> users file to return the appropriate Service-Type attribute?
> 
> John H. Moe
> Network Support - Hatch IT
> HATCH
> Tel: +61 (7) 3166 7777
> Direct: +61 (7) 3166 7684
> Fax: +61 (7) 3368 3754
> Mobile: +61 438 772 425
> 61 Petrie Terrace, Brisbane, Queensland Australia 4000
> 
>> -----Original Message-----
>> From: freeradius-users-bounces+jmoe=hatch.com.au at lists.freeradius.org
>> [mailto:freeradius-users-
>> bounces+jmoe=hatch.com.au at lists.freeradius.org] On Behalf Of Moe, John
>> Sent: Wednesday, 3 August 2011 9:33 AM
>> To: freeradius-users at lists.freeradius.org
>> Subject: Returning attributes based on group membership using NTLM_AUTH
>> 
>> I'm trying to set up switch logons for IT staff.  Some will get
>> operator
>> (limited, read-only) access, some get manager (full) access.  I've got
>> two
>> Active Directory groups that control which access they get.
>> 
>> I've got the ntlm_auth section working with two different instances,
>> one for
>> each, using the "--require-membership-of" switch to ntlm_auth.
>> 
>> **** modules/ntlm_auth ****
>> 
>> exec ntlm_auth.swcmgr {
>>        wait = yes
>>        program = "/usr/bin/ntlm_auth --request-nt-key --domain=
>> MYDOMAIN
>> --username=%{User-Name} --password=%{User-Password}
>> --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
>> }
>> 
>> exec ntlm_auth.swcoper {
>>        wait = yes
>>        program = "/usr/bin/ntlm_auth --request-nt-key --domain=
>> MYDOMAIN
>> --username=%{User-Name} --password=%{User-Password}
>> --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
>> }
>> 
>> **** End of file ****
>> 
>> I've also got the following in my users file:
>> 
>> **** users ****
>> 
>> DEFAULT         Auth-Type = ntlm_auth.swcmgr, Service-Type == 7,
>> NAS-Port-Type == 5
>>        Service-Type := 6,
>> #       Fall-Through = Yes
>> 
>> #DEFAULT                Auth-Type = ntlm_auth.swcoper, Service-Type ==
>> 7,
>> NAS-Port-Type == 5
>> #       Service-Type := 7
>> 
>> **** End of file ****
>> 
>> And in sites-enabled/default, I've listed these two in the authenticate
>> section.
>> 
>> With the config above, it'll let managers in with manager access, but
>> not
>> operators.  If I comment out the first DEFAULT line in the users file,
>> and
>> uncomment the second, it'll let operators in with operator access, but
>> not
>> managers.  But if I uncomment out both, operators get denied access on
>> the
>> first DEFAULT line, and processing stops.  If I uncomment out the
>> "Fall-Through" line, it appears to only fall-through on success of the
>> first
>> DEFAULT section, not on failure.
>> 
>> What's the best way to accomplish what I want?  I think I'd need to use
>> unlang somehow, but the sites-enabled/default says unlang should go in
>> post-auth, and I think I need it in the authenticate section?  Or
>> should I
>> be looking to do it in the modules/ntlm_auth file?  Is this too
>> complicated
>> for unlang, should I be looking at perl or python?  Or am I
>> overcomplicating
>> things?  Any pointers would be appreciated.
>> 
>> 
>> John H. Moe
>> Network Support - Hatch IT
>> HATCH
>> Tel: +61 (7) 3166 7777
>> Direct: +61 (7) 3166 7684
>> Fax: +61 (7) 3368 3754
>> Mobile: +61 438 772 425
>> 61 Petrie Terrace, Brisbane, Queensland Australia 4000
> 
> 
> *****************************
> NOTICE - This message from Hatch is intended only for the use of the individual or entity to which it is addressed and may contain information which is privileged, confidential or proprietary. 
> Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, arrive late or contain viruses. By communicating with us via e-mail, you accept such risks.  When addressed to our clients, any information, drawings, opinions or advice (collectively, "information") contained in this e-mail is subject to the terms and conditions expressed in the governing agreements.  Where no such agreement exists, the recipient shall neither rely upon nor disclose to others, such information without our written consent.  Unless otherwise agreed, we do not assume any liability with respect to the accuracy or completeness of the information set out in this e-mail.  If you have received this message in error, please notify us immediately by return e-mail and destroy and delete the message from your computer.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter





More information about the Freeradius-Users mailing list