FreeRadius with Google PAM - Hardcode LDAP Servers for rlm_ldap

Joe Nordone joenordone at aol.com
Tue Aug 11 03:07:34 CEST 2020


Typically an LDAP query goes to the GC when your search parameters are too broad and/or not configured properly. What configuration do you have set up for the group portion of ldap.conf?

Thanks!
—joe 

> On Aug 10, 2020, at 12:05 PM, Brandt Winchell <brandt.winchell at thinkon.com> wrote:
> 
> Hello,
> I have an issue which I am sure is easy to fix but I cannot find the correct file/setting.  Let me explain:
> 
> Environment:
> Active Directory - backend authentication.  The AD environment is set up as a hub & spoke design.  This means not all domain controllers (GC) are accessible from everywhere (by design & security)
> Freeradius - CentOS7 server FreeRadius-3.0.13
> 
> Source Setup:
> It is basically a setup following this site:
> https://kb.hillstonenet.com/en/wp-content/uploads/2019/09/SSLVPN-Two-factor-Authentication-with-Google-Authenticator.pdf
> 
> Validations:
> SSSD = Server joined to the domain fine.  Can login to the local server with a domain account.  ident tests resolve fine
> DNS = hostname and any GC server resolves correctly
> AD search results = **while in subnet80, works correctly**
> Google Authenticator PAM = **while in subnet80, works correctly**
> 
> 
> Issue:
> When I have the FreeRadius server in subnet80 (172.16.80.0/24 hub site and can talk to any GC server), the configuration works fine.  So I know the basic configurations are working as designed.
> When I move the FreeRadius server into subnet 99 (172.16.99.0/24 restricted site that can only talk to 172.16.80.0/24), radius fails to get any results from GC servers.  There is a firewall between these subnets.
> I have configured the following files to specify which GC servers FreeRadius should use:
> /etc/raddb/mods-available/ldap
>     ldap {
>         server = 'dc01.domain.local'
>         server = 'dc02.domain.local'
>         start_tls = no
>         port = 389
>         identity = 'CN=ad-read-account,DC=domain,DC=local'
>         password = 'xxxxxxx'
>         base_dn = 'DC=domain,DC=local'
>         # remaining sections of the module (user, group, options, pool) not included in the post
>     }
> 
> /etc/sssd/sssd.conf
>     [sssd]
>         domains = domain.local
>         services = nss, pam
>     [domain/domain.local]
>         id_provider = ad
>         access_provider = ad
>         ad_server = dc01.domain.local
>         ad_backup_server = dc02.domain.local
>         krb5_realm = DOMAIN.LOCAL
>         krb5_server = dc01.domain.local
>         # option name corrected from 'kerb5_backup_server', which sssd does not recognise
>         krb5_backup_server = dc02.domain.local
>         ldap_uri = ldap://dc01.domain.local
> 
> 
> /etc/krb5.conf
>     [libdefaults]
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
>     [realms]
>         DOMAIN.LOCAL = {
>             kdc = dc01.domain.local
>             kdc = dc02.domain.local
>         }
>     [domain_realm]
>         domain.local = DOMAIN.LOCAL
>         .domain.local = DOMAIN.LOCAL
> 
> 
> When I run "radiusd -CX", I get a "Ready to process requests" for the configuration check.
> When I run "radiusd -X", this is where the process fails/hangs:
> rlm_ldap (ldap): Connecting to ldap://dc01.domain.local:389 ldap://dc02.domain.local:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (5)
> (0)     EXPAND (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})
> (0)        --> (userPrincipalName=user1@domain.local)
> (0)     Performing search in "DC=domain,DC=local" with filter "(userPrincipalName=user1@domain.local)", scope "sub"
> (0)     Waiting for search result...
> 
> This will sit there until the LDAP search times out.
> 
> When I perform a packet capture during this time, what I see:
> 1 radius performs a DNS query for forestdnszones.domain.local SOA dc01.domain.local
> 2 dns server responds with records of ALL GC servers
> 3 radius then tries to connect to a GC server it does not have access to (due to the security restrictions)
> 
> 
> 
> Resolution:
> It seems that the FreeRadius LDAP module is trying to find the SRV record for LDAP.  Of course DNS responds with all LDAP SRV records.
> What I need to be able to do is restrict what LDAP servers FreeRadius is trying to use.  This seems very similar to SSSD Service Discovery.
> 
> 
> Any assistance on this one would be appreciated.
> btw...
> I cannot post full debug logs due to security but will provide any additional info that might assist with this
> 
> Thanks
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
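The fragment below is an added example of pinning rlm_ldap to the two reachable controllers; it is not part of the thread and not a FreeRADIUS default file. It assumes FreeRADIUS 3.0.x and the hostnames, bind DN and base DN from the post. The DNS query for forestdnszones.domain.local seen in the capture is the kind of lookup libldap makes when it follows an LDAP referral: a subtree search based at the domain root on port 389 makes a domain controller answer with referrals to the ForestDnsZones and DomainDnsZones application partitions, and with the module's default `chase_referrals = yes` libldap resolves and connects to whatever host the referral URL names, regardless of the `server` list. The fragment therefore turns referral chasing off in the module's `options` section and shortens the network timeouts so a blocked host fails fast instead of hanging for the full search timeout.

```conf
# /etc/raddb/mods-available/ldap
# Added example (assumes FreeRADIUS 3.0.x and the names used in the post).
ldap {
    # Pin the module to the controllers reachable from subnet 99.
    # Several 'server' lines are joined into one space-separated list
    # that libldap tries in order.
    server = 'dc01.domain.local'
    server = 'dc02.domain.local'
    port = 389
    start_tls = no

    identity = 'CN=ad-read-account,DC=domain,DC=local'
    password = 'xxxxxxx'
    base_dn = 'DC=domain,DC=local'

    user {
        base_dn = "${..base_dn}"
        filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    options {
        # Default is 'yes'. With it on, the subtree search under
        # DC=domain,DC=local returns referrals to DC=ForestDnsZones,... and
        # DC=DomainDnsZones,..., and libldap resolves and connects to the host
        # named in each referral URL, bypassing the 'server' list above.
        chase_referrals = no

        # Fail fast on an unreachable host instead of waiting for the
        # search timeout.
        net_timeout = 1
        res_timeout = 10
        srv_timelimit = 3

        # Uncomment to get libldap's own trace in 'radiusd -X' output while
        # checking which host the module is really talking to.
        # ldap_debug = 0x0028
    }

    pool {
        start = 5
        min = 4
        max = 32
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
```

Before restarting radiusd, confirm the referrals from subnet 99 with a plain client search such as `ldapsearch -LLL -x -H ldap://dc01.domain.local -D 'CN=ad-read-account,DC=domain,DC=local' -W -b 'DC=domain,DC=local' '(userPrincipalName=user1@domain.local)' dn`: OpenLDAP's ldapsearch does not chase referrals by default, so it returns promptly and prints them as `# refldap://ForestDnsZones.domain.local/...` comment lines. If that search also hangs, the firewall rule to dc01/dc02 rather than referral chasing is the problem. An alternative is `port = 3268` (global catalog), where the controller answers from its partial replica of every partition and returns no referrals for them, with the caveat that every attribute the module reads must be in the partial attribute set. The sssd.conf and krb5.conf settings in the post pin SSSD and Kerberos but have no effect on rlm_ldap, which talks to libldap directly.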