Returning attributes based on group membership using NTLM_AUTH

Moe, John jmoe at hatch.com.au
Tue Aug 9 00:01:32 CEST 2011


> -----Original Message-----
> From: freeradius-users-bounces+jmoe=hatch.com.au at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+jmoe=hatch.com.au at lists.freeradius.org] On Behalf Of Alexander
> Clouter
> Sent: Monday, 8 August 2011 6:14 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: Returning attributes based on group membership using
> NTLM_AUTH
> 
> Moe, John <jmoe at hatch.com.au> wrote:
> >
> > Oh goodie, I'm getting somewhere.  :-)
> >
> ...except on the top posting front <email-nazi/>. ;P

You know, I even thought of that before I sent it, but noticed that the
reply I was replying to was top-posted, so I assumed that this list
was weird in that respect.  I should have known better.

> > 1) So, I don't need to uncomment "ldap" in the authenticate section,
> as it's
> > not going to do the password validation, right?
> >
> Sounds right.
> >
> > 2) Do I just configure the module, put "ldap" in the authorize
> section of
> > sites-enabled/default, and put "Ldap-Group" in the check-items?
> >
> Indeed.

I wasn't sure if putting "ldap" into the authenticate section would do some sort of
pre-configured checking on its own, even without the Ldap-Group check-item,
but the more I read, the more it looked like that wasn't the case.  Glad to
hear I had it straight.

> > 3) How much/what options do I need to configure in the ldap module
> config?
> > I've configured server, basedn, filter, groupname_attribute,
> > groupmembership_filter and groupmembership_attribute, but all I get
> is
> > "Operations error".  If I add identity and secret, I get a "Referral"
> failure.
> > I've also tried the chase_referrals and rebind options, both with and
> without
> > the identity/secret options, but they don't seem to change anything.
> >
> What does the following give you from the command line:
> ----
> ldapsearch -LLL -x -h mygc.my.domain.name -b dc=my,dc=domain,dc=name
> sAMAccountName=username
> ----

Operations error (1)
Additional information: 00000000: LdapErr: DSID-0C090627, comment: In order
to perform this operation a successful bind must be completed on the
connection., data 0, vece

However, if I take out the "-x", I got an error saying my Kerberos ticket
had expired.  I did a kdestroy and kinit again; with the "-x", it still gave
the error above.  Without the "-x", I get what looks like a listing of all
the account attributes.  However, at the bottom, it says:

# search reference
ref:
ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
  =name

# search result
search: 5
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

So something still isn't right.

> Until you can get 'ldapsearch' to work, you are unlikely to get
> FreeRADIUS to work.  From the debug output and your description, it
> sounds more like a "how you are using LDAP" rather than "how FreeRADIUS
> is using LDAP" problem.
> 
> If you can get ldapsearch to display the attributes you are after, then
> you can start to tinker with FreeRADIUS.

Yeah, I kinda figured it was an "I'm not sure how to configure LDAP properly
to talk to my AD" problem.  Thanks for the assistance.  I'll have a play around
with ldapsearch for a while and see if I can't figure this out.

[ snip ]

> If you have the stomach, a quick Google search takes you to the PHP
> website[1] (ewwww) but there is a posting that you should find useful.
> Looks like with Win2k3 you must have referrer following turned off and
> you cannot search the *whole* base of your directory, you can only
> search a sub-branch.  I suspect the fix is nothing more than setting
> 'basedn' to "ou=lusers,dc=my,dc=domain,dc=name".

Well, as I said before, I tried with and without "chase_referrals" set.  But
I didn't mention that I tried using a BaseDN of the container the test user
is in, rather than just the root of the domain, and it didn't change the
result.  I'll have a read through that article you linked and see if it
helps as well.

And if I use ldp.exe (comes with Windows), or Softerra's LDAP Browser, I can
connect to the same host, bind using the same credentials, use the same
basedn and search using the same filter, and I get results.  So I'm not sure
what I'm doing wrong.

> Cheers
> 
> [1] http://www.php.net/manual/en/function.ldap-search.php#45388
> 
> --
> Alexander Clouter
> .sigmonster says: Without fools there would be no wisdom.
> 

OT and perhaps reply off list, but I'm curious why you say "ewwww" to PHP,
and what you would use instead?


John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4011
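The ldapsearch run and the output quoted above turn on two things the thread only hints at: "-x" on its own is an anonymous simple bind, which AD refuses for anything below the rootDSE (hence "a successful bind must be completed"), so the fix is to add a bind DN and password (-D/-W); and the "ref:" records at the end of an otherwise successful subtree search of the domain root are search continuations for the DomainDnsZones/ForestDnsZones partitions, not matches, which is why FreeRADIUS should either not chase them (chase_referrals = no) or be given a narrower basedn. The following is an added example, not code from this thread or from FreeRADIUS, that builds the authenticated ldapsearch invocation and parses the LDIF it prints, keeping entries apart from references and answering the memberOf question that an Ldap-Group check with groupmembership_attribute = memberOf asks. The host, the bind DN, the group DN and the LDIF are constructed sample data.

```python
import base64
import re

# Constructed sample (not real directory data): what ldapsearch prints for one
# user when the search base is the domain root. Note the two "ref:" records,
# the folded line (continuation begins with one space) and the base64 "::" value.
SAMPLE_LDIF = """\
# jdoe, lusers, my.domain.name
dn: CN=jdoe,OU=lusers,DC=my,DC=domain,DC=name
sAMAccountName: jdoe
displayName:: SsO2aG4gRG9l
memberOf: CN=VPN Users,OU=Groups,DC=my,DC=domain,DC=name
memberOf: CN=Domain Users,CN=Users,DC=my,DC=domain,DC=name

# search reference
ref: ldap://DomainDnsZones.my.domain.name/DC=DomainDnsZones,DC=my,DC=domain,DC
 =name

# search reference
ref: ldap://ForestDnsZones.my.domain.name/DC=ForestDnsZones,DC=my,DC=domain,DC
 =name

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 1
# numReferences: 2
"""


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value spliced into a search filter, so a user
    name such as 'a*' or 'x)(objectClass=*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def ldapsearch_argv(host, bind_dn, base_dn, username):
    """argv for an authenticated simple bind. -x on its own is an anonymous
    bind, which AD refuses below the rootDSE ("Operations error: a successful
    bind must be completed"); -D names the account and -W prompts for its
    password instead of putting it on the command line. Host/DNs are samples."""
    filt = "(sAMAccountName=%s)" % ldap_filter_escape(username)
    return ["ldapsearch", "-LLL", "-x", "-H", "ldap://%s" % host,
            "-D", bind_dn, "-W", "-b", base_dn, filt, "sAMAccountName", "memberOf"]


def parse_ldif(text):
    """Split ldapsearch output into (entries, references).

    entries: list of dicts, attribute name (lower-cased) -> list of values
    references: URLs from 'ref:' records (search continuations AD returns
    for the DNS application partitions; they are not matching entries)
    """
    # Unfold: a line beginning with a single space continues the previous one.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, refs, record = [], [], {}

    def flush():
        if "ref" in record:
            refs.extend(record["ref"])
        elif "dn" in record:
            entries.append(dict(record))
        record.clear()

    for line in lines:
        if not line.strip():          # blank line ends a record
            flush()
            continue
        if line.startswith("#"):      # ldapsearch commentary
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                  # not LDIF; ignore stray output
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        record.setdefault(attr.lower(), []).append(value)
    flush()
    return entries, refs


def normalize_dn(dn):
    """Compare DNs case-insensitively and ignore whitespace around the RDN
    separators; escaped commas (\\,) inside an RDN value are kept intact.
    Full RFC 4517 DN matching is deliberately not implemented."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def is_member(entry, group_dn, attr="memberof"):
    """The decision behind an Ldap-Group check when the module is told
    groupmembership_attribute = memberOf: does the user's entry carry the
    group's DN?"""
    want = normalize_dn(group_dn)
    return any(normalize_dn(v) == want for v in entry.get(attr, []))


if __name__ == "__main__":
    found, refs = parse_ldif(SAMPLE_LDIF)
    print("entries:", len(found), "references (not matches):", len(refs))
    user = found[0]
    print(user["dn"][0], "in VPN Users:",
          is_member(user, "CN=VPN Users,OU=Groups,DC=my,DC=domain,DC=name"))
    print(" ".join(ldapsearch_argv("mygc.my.domain.name",
                                   "CN=radius,OU=Service,DC=my,DC=domain,DC=name",
                                   "DC=my,DC=domain,DC=name", "jdoe")))
```

Run against real output by piping ldapsearch into parse_ldif; if entries comes back empty while references are present, the bind worked and the filter or basedn is wrong, whereas "Operations error (1)" before any LDIF means the bind itself was refused. The filter escaping matters on the RADIUS side too: the user name in the module's filter comes from the supplicant, so it must never be spliced in unescaped.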
