Alan DeKok <aland@deployingradius.com> ezt írta (időpont: 2021. máj. 6., Cs, 13:39):
On May 6, 2021, at 5:57 AM, Pisch Tamás <pischta@gmail.com> wrote:
Great, thanks. I feel myself lost in a jungle.
That's RADIUS. :(
Yes, I understood that not freeradius is complex, but RADIUS itself.
You want to use RADIUS, but that really means using LDAP, Kerberos, SASL, and GSSAPI. How do all those work together? I don't know, I've got way too many other things to remember.
Maybe my situation is not so complex. I explained it to Michael.
But as we see with the complaint the other day, some people are enthusiastic about laying blame, but are horrified at the thought of contributing.
Yes, I see.
The documentation is full of concrete examples. Sadly, not this one. So... if you figure out it, PLEASE tell us, so we can document it, and no one else has to go through this pain.
I found example for AD authentication. For authorization with group filtering - I don't remember (maybe there is, just I don't remember for it).
You can try to set KRB5_TRACE to let libkrb5 write debug logs.
Ok, I did it. When I use kinit, I can see messages in the log. When I start freeradius, nothing new appears in the log with tls { start_tls = no } sasl { mech = 'GSSAPI' realm = 'ad.ourdomain.hu' } I tried with start_tls again, with require_cert<-->= 'allow' But it didn't help. I still get "Strong(er) authentication required" message.
So the issue is that your LDAP server doesn't do TLS, but something else. And then there's the issue of chaining together a complex solution of FreeRADIUS to libldap to SASL GSSAP to Kerberos, and finally to LDAP.
Hope my situation isn't so complex, just the conversation went into the jungle... :) I got information privatelí about a samba setting: ldap server require strong aut It has options: yes/no/ allow_sasl_over_tls Default is yes. With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group. With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required". My questions are: -With this 'no' option is the ldap auth insecure? -Why group filtering doesn't work? With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})' } tls { start_tls = yes require_cert = 'allow' } } I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf' In default site: authorize { ldap } post-auth { if (LDAP-Group == "CN=vpnusers") { noop } else { reject } } I tried the condition with if (LDAP-Group == "CN=vpnusers,CN=Users,DC=ad,DC=ourdomain,DC=hu") { but without success. Debug output: mschap: Authenticated successfully (0) mschap: adding MS-CHAPv1 MPPE keys (0) [mschap] = ok (0) } # authenticate = ok (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default (0) post-auth { (0) if (LDAP-Group == "CN=vpnusers") { (0) Searching for user in group "CN=vpnusers" rlm_ldap (ldap): Reserved connection (1) (0) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) --> (uid=vpn) (0) Performing search in "dc=ad,dc=ourdomain,dc=hu" with filter "(uid=vpn)", scope "sub" (0) Waiting for search result... rlm_ldap (ldap): Rebinding to URL ldap:// ad.ourdomain.hu/CN=Configuration,DC=ad,DC=ourdomain,DC=hu rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) Search returned no results I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))" It gives the vpnusers object as a result. Thanks, Tamás.