Hello list, I know this isn't a direct FR related issue, but I think the people here have deep know how or some further links I can get my information I need. What I'm interested in is how the LDAP user/password authentication works, especially how FR does it. In LDAP module configuration I set an identity. For my understanding this is for the ldap bind user. With this identity FR will get access to the ldap database, to do groupmembership information or attributes and so on. But is this identity also needed for authentication only? In my setup I just want to authenticate my users against Microsoft Active Directory, authorization will be done through sql. So I thought about if I need the bind user. Am I right with this: FR or the ldap module will test if the username/password combination is correct against ldap. For that it will do a simple ldap bind with the credentials from access-request packet. So, is the identity really needed for authentication or is my understanding here wrong? Please point me to the right... Regards, Tobias Hachmer
On Fri, Jun 22, 2012 at 1:30 PM, Tobias Hachmer <lists@kokelnet.de> wrote:
In LDAP module configuration I set an identity. For my understanding this is for the ldap bind user. With this identity FR will get access to the ldap database, to do groupmembership information or attributes and so on.
correct.
But is this identity also needed for authentication only?
There are several ways you can use LDAP for authentication. For "normal" LDAP servers which stores user password in an accessible attribute with optional supported encrypted schema, you only need ldap module in authorization phase to get the attribute. This is the recommended method. Other FR modules (pap, mschap) will then process the password attribute and compare it to the one in the request. If the LDAP server does not expose user password, or store them in an unsupported encryption schema, then you need to do ldap bind. However in order to do that the request needs to be PAP, because you need the password that user inputs in plain text (i.e. user-password request attribute). Either way, you need the identity to get user attributes from the LDAP server during authorization phase. Without those attributes, authentication phase will fail.
In my setup I just want to authenticate my users against Microsoft Active Directory, authorization will be done through sql. So I thought about if I need the bind user. Am I right with this: FR or the ldap module will test if the username/password combination is correct against ldap. For that it will do a simple ldap bind with the credentials from access-request packet. So, is the identity really needed for authentication or is my understanding here wrong? Please point me to the right...
windows clients will use peap-mschapv2 for 802.1x. That means no user-password attribute in access-request packet, which means you can't do LDAP bind. AD will not give out the encrypted user's password either. So in this case you'll also need ntlm_auth and do some special setup in FR. Read http://deployingradius.com/documents/configuration/active_directory.html for details. -- Fajar
On 22.06.2012 10:18, Fajar A. Nugraha wrote:
But is this identity also needed for authentication only?
There are several ways you can use LDAP for authentication. For "normal" LDAP servers which stores user password in an accessible attribute with optional supported encrypted schema, you only need ldap module in authorization phase to get the attribute. This is the recommended method. Other FR modules (pap, mschap) will then process the password attribute and compare it to the one in the request.
If the LDAP server does not expose user password, or store them in an unsupported encryption schema, then you need to do ldap bind. However in order to do that the request needs to be PAP, because you need the password that user inputs in plain text (i.e. user-password request attribute).
Either way, you need the identity to get user attributes from the LDAP server during authorization phase. Without those attributes, authentication phase will fail.
Hmm, and when I only just want to authenticate users which are connecting via ssh to a network device I can always do PAP. In my tests I have temporarily set Auth-Type of a user to ldap. In "authorize" section I commented out the ldap module. So the ldap module is only active in "authentication" section. The Test MS AD Server has domain functional level "2008 R2" and quite default settings. In radiusd -X output the ldap module performs first the ldap bind with the identity which is configured in ldap module configuration. After that the ldap bind with user credentials provided in access-request packet: Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group LDAP {...} ++- entering redundant-load-balance group redundant-load-balance {...} [ldap3] login attempt by "a160admin-hachmer" with password "abc123!" [ldap3] expand: %{Stripped-User-Name} -> [ldap3] ... expanding second conditional [ldap3] expand: %{User-Name} -> a160admin-hachmer [ldap3] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=a160admin-hachmer) [ldap3] expand: dc=1632labor,dc=local -> dc=1632labor,dc=local [ldap3] ldap_get_conn: Checking Id: 0 [ldap3] ldap_get_conn: Got Id: 0 [ldap3] attempting LDAP reconnection [ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, authentication 0 [ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as cn=a160sa-freeradius,cn=Users,dc=1632labor,dc=local/abc321! to ldaps://radiustestwdc3.1632labor.local [ldap3] waiting for bind result ... [ldap3] Bind was successful [ldap3] performing search in dc=1632labor,dc=local, with filter (sAMAccountName=a160admin-hachmer) [ldap3] ldap_release_conn: Release Id: 0 [ldap3] user DN: CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local [ldap3] (re)connect to ldaps://radiustestwdc3.1632labor.local, authentication 1 [ldap3] setting TLS CACert File to /etc/raddb/certs/1632labor.pem [ldap3] setting TLS Require Cert to demand [ldap3] bind as CN=Tobias Hachmer,OU=1632User,DC=1632labor,DC=local/abc123! to ldaps://radiustestwdc3.1632labor.local [ldap3] waiting for bind result ... [ldap3] Bind was successful [ldap3] user a160admin-hachmer authenticated succesfully +++[ldap3] returns ok Is the first ldap bind really necessary or can I configure in ldap module something like "bind as user" to avoid the requirement to have a service user account in AD? Regards, Tobias Hachmer
Tobias Hachmer wrote:
The Test MS AD Server has domain functional level "2008 R2" and quite default settings.
Active directory is not really an LDAP server. The reasons are complicated. It's almost an LDAP server, but it's different in critical ways.
In radiusd -X output the ldap module performs first the ldap bind with the identity which is configured in ldap module configuration. After that the ldap bind with user credentials provided in access-request packet: ... Is the first ldap bind really necessary or can I configure in ldap module something like "bind as user" to avoid the requirement to have a service user account in AD?
The first search is necessary to determine the User-DN to use for the second search. You can't get rid of the read-only admin account. If you set the LDAP-UserDN manually, you'll get rid of the first bind. But the server needs the admin account for LDAP to work. Alan DeKok.
participants (3)
-
Alan DeKok -
Fajar A. Nugraha -
Tobias Hachmer