Hi, Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth. This should mostly help people permitting EAP-TTLS/PAP as one of their available methods, as another call out to ntlm_auth can be avoided, and it's convenient to use the same setup as rlm_mschap rather than e.g. having to configure ldap as well. rlm_mschap isn't the best place for this, and it doesn't seem entirely fitting with rlm_pap either, so if anyone's got suggestions for a better place for it then shout... So, only password changes to go, then ntlm_auth can be done away with entirely :-) Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On 31 May 2016, at 18:02, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Hi,
Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
This should mostly help people permitting EAP-TTLS/PAP as one of their available methods, as another call out to ntlm_auth can be avoided, and it's convenient to use the same setup as rlm_mschap rather than e.g. having to configure ldap as well.
rlm_mschap isn't the best place for this, and it doesn't seem entirely fitting with rlm_pap either, so if anyone's got suggestions for a better place for it then shout...
Nice! I'd say rlm_wbclient PAP is more for password comparisons. With this you're sending the credentials off to a remote system. rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
On May 31, 2016, at 7:25 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I'd say rlm_wbclient
I agree, It's different enough from rlm_pap that it deserves a different module.
PAP is more for password comparisons. With this you're sending the credentials off to a remote system.
rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for.
Hmm. that way lies madness. But yes, it's not *completely* out of the question. Alan DeKok.
On Tue, May 31, 2016 at 07:33:22PM -0400, Alan DeKok wrote:
On May 31, 2016, at 7:25 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
I'd say rlm_wbclient
I agree, It's different enough from rlm_pap that it deserves a different module.
OK, I'll separate it out. I wondered about a different module, but it's so small that a separate module didn't quite seem worth it. But I agree that is probably cleaner.
PAP is more for password comparisons. With this you're sending the credentials off to a remote system.
rlm_wbclient could include the MSCHAPv2 code too, and password change, and group retrieval. libwbclient can do a lot more than we're currently using it for.
Hmm. that way lies madness. But yes, it's not *completely* out of the question.
Yeah. That was the other thought. But there's so much with the mschap stuff tied in with that module (calculating the challenge/responses) that it didn't seem like the two could easily be pulled out into another module. And password changes again are tied in with mschap. On the other hand, PEAP etc directly call mschap for EAP-MSCHAPv2, so maybe another hack like that :) Group retrieval is definitely another possibilty though. Hmm - maybe mschap should itself call across to rlm_wbclient. OK, madness... would only be one connection pool then, though. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On May 31, 2016, at 7:41 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
OK, I'll separate it out. I wondered about a different module, but it's so small that a separate module didn't quite seem worth it. But I agree that is probably cleaner.
rlm_pap is really for the server to do authentication itself. So that makes sense.
Group retrieval is definitely another possibilty though.
That would be nice.
Hmm - maybe mschap should itself call across to rlm_wbclient. OK, madness... would only be one connection pool then, though.
That's arguably better. We already have modules calling other modules. Alan DeKok.
On Tue, May 31, 2016 at 07:53:24PM -0400, Alan DeKok wrote:
On May 31, 2016, at 7:41 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
OK, I'll separate it out. I wondered about a different module, but
Pulled out into a new module - I called it rlm_wbclient, then renamed it all to rlm_winbind, which seems more user friendly. It's actually winbind we're authenticating via, wbclient just being the name of the library. You were both right of course, it's much cleaner. There's a bit of documentation and tidying up I've yet to do, but it works against Samba here. Not tested with AD yet. Feeling slightly better since removing rlm_smb in 41c69aa9 now... :-) All going round in circles. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
Oh that's *nice*!
rlm_mschap isn't the best place for this, and it doesn't seem entirely fitting with rlm_pap either, so if anyone's got suggestions for a better place for it then shout...
As per Alan and Arran, probably best if it's a separate module. At least then it's very clear what to call when. :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On Wed, Jun 01, 2016 at 10:34:11AM +0000, Stefan Paetow wrote:
Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
Oh that's *nice*!
Don't you dare use it, though. You should be EAP-TLS only :) It's all Alan Buxey's fault for asking if it was possible in the first place. May as well put the blame where it really lies... Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Jun 1, 2016, at 7:21 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Jun 01, 2016 at 10:34:11AM +0000, Stefan Paetow wrote:
Have done a bit of work on rlm_pap and added the ability to pass the username/password through to AD via winbind, complementing the code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
Oh that's *nice*!
Don't you dare use it, though. You should be EAP-TLS only :)
That reminds me, need to add that as a compiled in restriction for .ac.uk domains. -Arran
On Wed, Jun 01, 2016 at 07:28:55PM -0400, Arran Cudbard-Bell wrote:
On Jun 1, 2016, at 7:21 PM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
Don't you dare use it, though. You should be EAP-TLS only :)
That reminds me, need to add that as a compiled in restriction for .ac.uk domains.
Fine by me :) m. -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
code in rlm_mschap and replacing the need for mods-available/ntlm_auth.
Oh that's *nice*! Don't you dare use it, though. You should be EAP-TLS only :)
The more, the merrier! If it speeds things up I don't see why not (certainly for EAP-TTLS/EAP-GTC against AD without using LDAP bind).
It's all Alan Buxey's fault for asking if it was possible in the first place. May as well put the blame where it really lies...
Yeah, he usually causes havoc. *just kidding* Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
You know, if it weren't for the fact that I'm away right now, i might bother replying to this bait ;) alan
and thanks Matthew. This functionality will mean fewer calls to external scripts! alan
participants (5)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Matthew Newton -
Stefan Paetow