I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users. I am authentication against AD (use LDAP for authorize and ntlm for authentication). If I were to search for all none disabled users using ldapsearch, the filter query for this would be: !(userAccountControl:1.2.840.113556.1.4.803:=2) That is the part that limits the results to only enabled users. Wondering how I would do this in FreeRadius? Even on a more general level how I would reject based off certain returned attributes. Thanks
Matthew Ceroni wrote:
I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users.
I am authentication against AD (use LDAP for authorize and ntlm for authentication).
If I were to search for all none disabled users using ldapsearch, the filter query for this would be: !(userAccountControl:1.2.840.113556.1.4.803:=2)
You can add this to the LDAP query which finds users. That's why the query is editable in the config files.
That is the part that limits the results to only enabled users. Wondering how I would do this in FreeRadius? Even on a more general level how I would reject based off certain returned attributes.
That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS attributes. Then, use unlang to write your policy. Alan DeKok.
That is what I tried. So I set base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows [ldap] user XXXXXX authorized to use remote access So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)? On Thu, Mar 7, 2013 at 6:41 AM, Alan DeKok <aland@deployingradius.com>wrote:
Matthew Ceroni wrote:
I am using LDAP authorization. What I am looking to accomplish is to reject/deny (so not even attempt authentication) for disabled users.
I am authentication against AD (use LDAP for authorize and ntlm for authentication).
If I were to search for all none disabled users using ldapsearch, the filter query for this would be: !(userAccountControl:1.2.840.113556.1.4.803:=2)
You can add this to the LDAP query which finds users. That's why the query is editable in the config files.
That is the part that limits the results to only enabled users. Wondering how I would do this in FreeRadius? Even on a more general level how I would reject based off certain returned attributes.
That's what ldap.attrmap is for. Map the LDAP attributes to RADIUS attributes. Then, use unlang to write your policy.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Matthew Ceroni wrote:
That is what I tried. So I set
base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows
Does that filter work when you use it with the command-line ldap search tool?
[ldap] user XXXXXX authorized to use remote access
So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)?
Use ldap.attrmap, as I said in my previous message. Alan DeKok.
Alan: Yes, that works when run through ldapsearch. I was able to get the attribute checking working (added to dictionary, then ldap.attrmap) so I can now reject based on the value of an attribute. Thanks for the input on that. However, if the user isn't found in LDAP (Active Directory), how do I get it to outright reject the user? I can't do attribute checking (tried that and checking for an empty value, but got attribute was not found). Right now if the user isn't found in LDAP it happily goes to authentication (which for testing purposes right now is just using the users file). On Thu, Mar 7, 2013 at 10:22 AM, Alan DeKok <aland@deployingradius.com>wrote:
Matthew Ceroni wrote:
That is what I tried. So I set
base_filter = "(&(objectclass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
But what I am finding is whether the user is found and enabled, user is found but disabled, or user isn't found at the output (from radius debug) shows
Does that filter work when you use it with the command-line ldap search tool?
[ldap] user XXXXXX authorized to use remote access
So then it continues onto the authorization part. How do I get it to reject if the user isn't found (or user is disabled)?
Use ldap.attrmap, as I said in my previous message.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 07.03.2013 22:06, Matthew Ceroni wrote:
Alan:
Yes, that works when run through ldapsearch.
I was able to get the attribute checking working (added to dictionary, then ldap.attrmap) so I can now reject based on the value of an attribute. Thanks for the input on that.
However, if the user isn't found in LDAP (Active Directory), how do I get it to outright reject the user? I can't do attribute checking (tried that and checking for an empty value, but got attribute was not found). Right now if the user isn't found in LDAP it happily goes to authentication (which for testing purposes right now is just using the users file).
authorize { ldap if (notfound) { reject } Olivier -- Olivier Beytrison Network & Security Engineer, HES-SO Fribourg Mail: olivier@heliosnet.org
participants (3)
-
Alan DeKok -
Matthew Ceroni -
Olivier Beytrison