LDAP Authentication bind as user issue

DaveA daldwinc at uwaterloo.ca
Fri Sep 9 16:49:36 CEST 2011


This is exactly what I want, from the docs:

"If the administrator wishes to use rlm_ldap only for
authentication or does not wish to populate the identity,password
configuration attributes he can set this attribute by other means and
avoid the ldap search completely. For instance it can be set through
the hints file in the authorize section:

DEFAULT	Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`"

I followed this and cannot make it work. Configs/Tests/Results to follow…

The LDAP module stays the same for these tests. I want to use LDAPs over
port 636.
I want to authenticate the user only, preferably binding as the user.

ldap ldap.netid {
	server = "netid-dev.<redacted>.ca"
	port = 636
	basedn = "dc=netid,dc=<redacted>,dc=ca"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	password_attribute = "userPassword"
}

-----------------------------------------
What we want to see:

>>> Sending proxied request internally to virtual server.
server net_id {
# Executing section authorize from file /etc/raddb/sites-enabled/net_id
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/net_id
+- entering group LDAP {...}
[ldap.netid] login attempt by "<redacted>" with password "TEST"
[ldap.netid] user DN: uid=<redacted>,ou=people,dc=netid,dc=<redacted>,dc=ca
  [ldap.netid] (re)connect to netid-dev.<redacted>.ca:636, authentication 1
  [ldap.netid] setting TLS mode to 1
  [ldap.netid] bind as
uid=<redacted>,ou=people,dc=netid,dc=<redacted>,dc=ca/TEST to
netid-dev.<redacted>.ca:636
  [ldap.netid] waiting for bind result ...
  [ldap.netid] Bind was successful
[ldap.netid] user <redacted> authenticated successfully
++[ldap.netid] returns ok
Login OK: [<redacted>] (from client localhost port 10 via TLS tunnel)
  WARNING: Empty post-auth section.  Using default return values.
} # server net_id
Going to the next request
<<< Received proxied response code 2 from internal virtual server.
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+- entering group post-proxy {...}
++[post_proxy_log] returns noop
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = LDAP
Found Auth-Type = Accept
Warning:  Found 2 auth-types on request for user '<redacted>'
Auth-Type = Accept, accepting the user
Login OK: [<redacted>@netid.<redacted>.ca] (from client localhost port 10)


BUT this is bad because as you can see in line 5, I've cheated to populate
the DN. In the users file, I have:

DEFAULT Auth-Type := LDAP, Ldap-UserDN :=
`uid=realusername,ou=people,dc=netid,dc=<redacted>,dc=ca`

Obviously this is no good because we need to authenticate hundreds of
people. I tried setting the uid in the line above with the User-Name
variable and that didn't fly; it doesn't get expanded.

The server for this test:

server net_id {
	
	authorize {
		files
	}

	authenticate {
		files
		Auth-Type LDAP {
			ldap.netid
		}
	}

}

-----------------------------------------
This is what happens when I try using the hints file as suggested in the
docs:

users -
DEFAULT Auth-Type := LDAP

hints - 
DEFAULT  Ldap-UserDN :=
`uid=%{User-Name},ou=people,dc=netid,dc=<redacted>,dc=ca`

server net_id {
	
	authorize {
		# I left files here to set the Auth-Type, I also tried removing files and
		# adding the default auth-type to hints, which didn't work either.
		files
		preprocess
	}

	authenticate {
		Auth-Type LDAP {
			ldap.netid
		}
	}

}


Results:

# Executing section authorize from file /etc/raddb/sites-enabled/net_id
+- entering group authorize {...}
[files] users: Matched entry DEFAULT at line 3
++[files] returns ok
[preprocess]   hints: Matched DEFAULT at 36
++[preprocess] returns ok
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/net_id
+- entering group LDAP {...}
[ldap.netid] login attempt by "<redacted>" with password "TEST"
[ldap.netid] 	expand: %{Stripped-User-Name} -> <redacted>
[ldap.netid] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=<redacted>)
[ldap.netid] 	expand: dc=netid,dc=<redacted>,dc=ca ->
dc=netid,dc=<redacted>,dc=ca
  [ldap.netid] ldap_get_conn: Checking Id: 0
  [ldap.netid] ldap_get_conn: Got Id: 0
  [ldap.netid] attempting LDAP reconnection
  [ldap.netid] (re)connect to netid-dev.<redacted>.ca:636, authentication 0
  [ldap.netid] setting TLS mode to 1
  [ldap.netid] bind as / to netid-dev.<redacted>.ca:636
  [ldap.netid] waiting for bind result ...
  [ldap.netid] Bind was successful
  [ldap.netid] performing search in dc=netid,dc=<redacted>,dc=ca, with
filter (uid=<redacted>)
  [ldap.netid] ldap_search() failed: Insufficient access. Check the identity
and password configuration directives.
  [ldap.netid] ldap_release_conn: Release Id: 0
++[ldap.netid] returns fail
Failed to authenticate the user.
Login incorrect: [<redacted>] (from client localhost port 10 via TLS tunnel)

This way it binds anonymously, and then fails to do an ldapsearch because of
insufficient privs. Giving * read to all seems silly, and I would rather not
go that route.

If anyone has suggestions or comments they would be greatly appreciated.

Dave


--
View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Authentication-bind-as-user-issue-tp4786621p4786621.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
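
Added example, not part of Dave's message and not taken from the FreeRADIUS documentation. The debug output above shows rlm_ldap using Ldap-UserDN when it arrived as a users-file check item (control list) and ignoring it when hints added it to the request list, at which point the module fell back to the anonymous bind and search. The assumption here is that the attribute therefore has to be set in the control list, and that an unlang `update control` block, which does expand `%{...}` per request, can do that without any search and without granting anonymous read. Server names, base DN and `ou=people` are copied from the post (the `<redacted>` placeholders are left as they are). The regex guard is an added assumption as well: the username is spliced straight into the bind DN, so a name containing DN-special characters (`,`, `+`, `"`, `\`, `<`, `>`, `;`, `=`) would change the DN the template intends, and an allow-list on User-Name keeps that from happening.

```text
server net_id {
	authorize {
		# Added guard (assumption): only accept usernames that cannot alter the DN
		if (User-Name !~ /^[a-zA-Z0-9._-]+$/) {
			reject
		}

		update control {
			Auth-Type   := LDAP
			# Same name selection as the module's filter; expanded here, unlike a
			# users-file check item
			Ldap-UserDN := "uid=%{%{Stripped-User-Name}:-%{User-Name}},ou=people,dc=netid,dc=<redacted>,dc=ca"
		}
	}

	authenticate {
		Auth-Type LDAP {
			ldap.netid
		}
	}
}
```

With `Ldap-UserDN` in the control list, rlm_ldap should bind directly as that DN with the supplied password, as in the first ("what we want to see") debug trace, and the identity/password directives in `ldap ldap.netid { ... }` can stay unset; confirm with `radiusd -X` that the trace shows `bind as uid=...` rather than `bind as /` followed by a search.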