Radius + LDAP + SecurID

Marc Phillips rmarc at copacetic.net
Thu Feb 3 03:42:03 CET 2011


So I've been beating my head against a wall on this
for a few days, so I figured I'd share what "worked"
now that the swelling has gone down.

Configuration is fairly straight forward.  I have
authorization via LDAP (AD), and Authentication via
SecurID (via PAM..yeah, I know you aren't s'posed to
use PAM 'cause of mem leaks, and the SecurID one certainly
had 'em, but the latest module has been stable in Radius 1.1.7
for me for over 2 years on multiple platforms).

I previously had a simple radius to securid bridge I'm just
now adding in LDAP.

Using FreeRadius 2.1.10 (I patched it for an exec callout
which can be found in the devel group).

Used the "default" site and enabled ldap:

authorize {
        preprocess
        auth_log
	# This is important and (it's ommision) was 
	# the cause of the lump on my skull
        files 
        ldap
}
authenticate {
        pam 
}

modules/ldap
ldap {
        server = "mydc"
        port = 636
        identity = "exec:my_callout"
        password = "exec:my_callout"
        basedn = "dc=some,dc=corp,dc=com"
        filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls_mode= yes
        tls {
                start_tls = no
                cacertfile      = /path/to/cafile
                require_cert    = "demand"
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
        groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
        groupmembership_attribute = "memberOf"
        chase_referrals = no
        rebind = no
        set_auth_type = no
}


users file:

DEFAULT Ldap-Group == "admins", Auth-Type = pam
        Reply-Message = "Hello (admin), %{User-Name}",
	....(other attributes)
        Fall-Through = No

DEFAULT Ldap-Group == "Operators", Auth-Type = pam
        Reply-Message = "Hello (operator), %{User-Name}",
	....(other attributes)
        Fall-Through = No

DEFAULT Auth-Type := Reject
        Reply-Message = "you are not authorized"


So what happens is the user sends his request, the user ID is looked
up in AD and then the groups are looked up for that user, in the order
listed in the users file, until a match is found.  If a match is found,
it passes to the Auth-Type for authentication otherwise sends back a reject.

Note, this is a basic POC config.  

As another note, I found a python module (pyrad, not py-radius) very helpful
in debugging this.  radtest is nice, but I don't like entering my pin in he clear
on a shared unix box.  Here's a script I used  for that (merged the good of the py-radius
example with the pyrad example):

-------------cut --------------------------
#!/usr/bin/python

import socket, sys
import pyrad.packet
from getpass import getpass
from pyrad.client import Client
from pyrad.dictionary import Dictionary

secret = ''
uname,passwd = None,None

while not secret: secret = getpass('RADIUS Secret? ')
while not uname:  uname  = raw_input("Username? ")
while not passwd: passwd = getpass("Password? ")

srv=Client(server="localhost",
           secret=secret,
           dict=Dictionary("/path/to/dictionary"))

print "read dictionary"

req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                         User_Name=uname)

req["User-Password"]=req.PwCrypt(passwd)

req["Service-Type"]       = "Login-User"

try:
    print "Sending authentication request"
    reply=srv.SendPacket(req)
except pyrad.client.Timeout:
    print "RADIUS server does not reply"
    sys.exit(1)
except socket.error, error:
    print "Network error: " + error[1]
    sys.exit(1)

if reply.code==pyrad.packet.AccessAccept:
    print "Access accepted"
else:
    print "Access denied"

print "Attributes returned by server:"
for i in reply.keys():
    print "%s: %s" % (i, reply[i])
-----------cut ---------------------------

R. Marc



More information about the Freeradius-Users mailing list