Active directory integration and grant access base on AD group membership
Hi, I am trying to setup a radius server on centos6.8. I succeeded to setup the active directory integration by following the guide at http://wiki.freeradius.org/guide/freeradius-active-directory-integration-how... . So I can get my user authentificate through the active directory. Now I would like grant system access base on group membership from active directory. How can this be done. I have tried by configuring the users and huntgroup files, but look like it grant access to everyone if username/password is good. -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster
On Tue, Feb 14, 2017 at 11:23:33AM -0500, Luc Paulin wrote:
Now I would like grant system access base on group membership from active directory. How can this be done. I have tried by configuring the users and huntgroup files, but look like it grant access to everyone if username/password is good.
Have a look at group support in rlm_ldap. http://wiki.freeradius.org/modules/Rlm_ldap#group-support Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thanx Matthew, I already had a look at that url but look like it doesn't work. must be something I am not doing right .. but unsure what .. I have create a huntgroup which look like this .. wireless NAS-IP-Address == 10.1.0.81 and my users file only has the following line in it .. DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless" So my understand is that users that aren't member of the wireless-users group shouldn't be granted access to the wireless network/device. But that isn't what happenning .. everyone is granted access I have attach my radiusd -x log output -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2017-02-14 11:33 GMT-05:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Tue, Feb 14, 2017 at 11:23:33AM -0500, Luc Paulin wrote:
Now I would like grant system access base on group membership from active directory. How can this be done. I have tried by configuring the users and huntgroup files, but look like it grant access to everyone if username/password is good.
Have a look at group support in rlm_ldap.
http://wiki.freeradius.org/modules/Rlm_ldap#group-support
Matthew
-- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster@gmail.com> wrote:
Thanx Matthew, I already had a look at that url but look like it doesn't work.
It works if you follow the documentation.
must be something I am not doing right .. but unsure what ..
I have create a huntgroup which look like this ..
wireless NAS-IP-Address == 10.1.0.81
and my users file only has the following line in it ..
DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
So my understand is that users that aren't member of the wireless-users group shouldn't be granted access to the wireless network/device. But that isn't what happenning .. everyone is granted access
That's not how the "users" file works. Please read the documentation to see how it works. That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match. It doesn't *do* anything if they match, or if they don't match. You should write your policies in "unlang". It's clearer: authorize { ... # check only the first packet of EAP, and all non-EAP if (!&EAP-Message || !State) { if ((Huntgroup-Name == "wireless") && (Ldap-Group != "admin-galaxies")) { reject } } It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works. Alan DeKok.
Ok thanx for your reply .. I think that I now start to better understand how the this work.. So policies need/can be written within the auth so we can reject request base on the person's group membership and huntgroup .. So base on this I made this simple switch case that I added to the authorize section after the ldap module switch Huntgroup-Name { case "wireless1" { if (Ldap-Group != "admin-galaxie") { reject } } case "wireless2"{ if (Ldap-Group != "devopsusers") { reject } } case { reject } } However when I test I dont seem to be getting the expecting result. ++[pap] = noop ++switch Huntgroup-Name { ++switch Huntgroup-Name { +++case wireless2 { ++++? if (Ldap-Group != "devopsusers") [ldap] Entering ldap_groupcmp() expand: DC=corp,DC=stingraydigital,DC=com -> DC=corp,DC=stingraydigital,DC=com expand: (&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with filter (&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))) *rlm_ldap::ldap_groupcmp: User found in group devopsusers* [ldap] ldap_release_conn: Release Id: 0 *? Evaluating (Ldap-Group != "devopsusers") -> TRUE* *++++? if (Ldap-Group != "devopsusers") -> TRUE* ++++if (Ldap-Group != "devopsusers") { +++++[reject] = reject ++++} # if (Ldap-Group != "devopsusers") = reject +++} # case wireless2 = reject ++} # switch Huntgroup-Name = reject +} # group authorize = reject Look like the Ldap-Group did found that the user is member of the devopsuser group, which is correct, however, when I do the negative compare (!=) it also return true. I have also tried with "==" got the exact same result, ++[pap] = noop ++switch Huntgroup-Name { ++switch Huntgroup-Name { +++case wireless2 { ++++? if (Ldap-Group == "devopsusers") [ldap] Entering ldap_groupcmp() expand: DC=corp,DC=stingraydigital,DC=com -> DC=corp,DC=stingraydigital,DC=com expand: (&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn})) -> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with filter (&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))) *rlm_ldap::ldap_groupcmp: User found in group devopsusers* [ldap] ldap_release_conn: Release Id: 0 *? Evaluating (Ldap-Group == "devopsusers") -> TRUE* *++++? if (Ldap-Group == "devopsusers") -> TRUE* ++++if (Ldap-Group == "devopsusers") { +++++[reject] = reject ++++} # if (Ldap-Group == "devopsusers") = reject +++} # case wireless2 = reject ++} # switch Huntgroup-Name = reject +} # group authorize = reject Thanx for you help -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2017-02-14 12:03 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster@gmail.com> wrote:
Thanx Matthew, I already had a look at that url but look like it doesn't work.
It works if you follow the documentation.
must be something I am not doing right .. but unsure what ..
I have create a huntgroup which look like this ..
wireless NAS-IP-Address == 10.1.0.81
and my users file only has the following line in it ..
DEFAULT Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
So my understand is that users that aren't member of the wireless-users group shouldn't be granted access to the wireless network/device. But that isn't what happenning .. everyone is granted access
That's not how the "users" file works. Please read the documentation to see how it works.
That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name match. It doesn't *do* anything if they match, or if they don't match.
You should write your policies in "unlang". It's clearer:
authorize { ...
# check only the first packet of EAP, and all non-EAP if (!&EAP-Message || !State) { if ((Huntgroup-Name == "wireless") && (Ldap-Group != "admin-galaxies")) { reject } }
It's *much* easier to write clear if / then / else statements, instead of relying on your assumption about how the "users" file works.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Feb 15, 2017, at 12:15 PM, Luc Paulin <paulinster@gmail.com> wrote:
Ok thanx for your reply .. I think that I now start to better understand how the this work.. So policies need/can be written within the auth so we can reject request base on the person's group membership and huntgroup ..
So base on this I made this simple switch case that I added to the authorize section after the ldap module
OK.
However when I test I dont seem to be getting the expecting result.
++[pap] = noop
You're running version 2. Ugh. Why not upgrade to a version of the server which was released in the last 5 years?
Look like the Ldap-Group did found that the user is member of the devopsuser group, which is correct, however, when I do the negative compare (!=) it also return true. I have also tried with "==" got the exact same result,
In v2, you have to do: if (!(LDAP-Group == "foo")) { This is fixed in v3. There are a LOT of good reasons for upgrading to v3. Alan DeKok.
Thank you, that work .. Thanx! I'll definately look at upgrading to v3. I did notice that my version was so old. I just took the one our the centos6's repo . -Luc -- !!!!! ( o o ) --------------oOO----(_)----OOo-------------- Luc Paulin email: paulinster(at)gmail.com Skype: paulinster 2017-02-15 12:21 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Feb 15, 2017, at 12:15 PM, Luc Paulin <paulinster@gmail.com> wrote:
Ok thanx for your reply .. I think that I now start to better understand how the this work.. So policies need/can be written within the auth so
we
can reject request base on the person's group membership and huntgroup ..
So base on this I made this simple switch case that I added to the authorize section after the ldap module
OK.
However when I test I dont seem to be getting the expecting result.
++[pap] = noop
You're running version 2. Ugh. Why not upgrade to a version of the server which was released in the last 5 years?
Look like the Ldap-Group did found that the user is member of the devopsuser group, which is correct, however, when I do the negative compare (!=) it also return true. I have also tried with "==" got the exact same result,
In v2, you have to do:
if (!(LDAP-Group == "foo")) {
This is fixed in v3. There are a LOT of good reasons for upgrading to v3.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Luc Paulin -
Matthew Newton