Re: Problem with limiting users to group in Active Directory
Hi guys, I am still having problems to check if user is member of group... here is cut from logs where is comparison: (31) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name}) (31) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1) (31) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub" (31) ldap1-vpn-student: Waiting for search result... (31) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-vpn-student): Released connection (0) (31) [ldap1-vpn-student] = ok (31) } # redundant = ok (31) policy check_ldap_group_vpn { (31) if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") { (31) Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" rlm_ldap (ldap1-student-um): Reserved connection (0) (31) Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-student-um): Released connection (0) (31) User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" (31) if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE (31) elsif (&ldap2-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") { (31) Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" rlm_ldap (ldap2-student-um): Reserved connection (0) (31) Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap2-student-um): Released connection (0) (31) User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" (31) elsif (&ldap2-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE (31) else { (31) [reject] = reject (31) } # else = reject (31) } # policy check_ldap_group_vpn = reject (31) } # Autz-Type LDAPS-VPN-STUDENT = reject If I run ldapsearch we could see that user is member of group, here: # IDM_VPN, Groups, QUEST, UM, loki.um.si dn: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si objectClass: top objectClass: group cn: IDM_VPN description:: U2t1cGluYSBqZSBuYW1lbmplbmEgZG9zdG9wdSDFoXR1ZGVudG92IGRvIHN0b3Jp dGV2IFZQTi4gWiBuam8gdXByYXZsamEgSURNLg== member: CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si distinguishedName: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si instanceType: 4 whenCreated: 20211118102555.0Z Please help me! Best, Erik On 11/29/21 9:38 PM, Alan DeKok wrote:
And I didn't notice in my last reply...
don't email me off-list. The purpose of the list is to let everyone ELSE see what problems are being solved. Email the list.
Any further emails sent directly to me will be ignored.
On Nov 29, 2021, at 3:07 PM, Erik Frangež <erik@frangez.net> wrote:
Can you please help me? Thank you!
-------- Posredovano sporočilo -------- Zadeva: Re: Problem with limiting users to group in Active Directory Datum: Sun, 28 Nov 2021 21:45:47 +0100 Od: Erik Frangež <erik@frangez.net> Za: Alan DeKok <aland@deployingradius.com>
Hi Alan,
here is whole log for one attempt:
(74) Received Access-Request Id 42 from 164.8.15.42:54972 to 164.8.100.71:21812 length 71 (74) User-Name = "erik.frangez1" (74) User-Password = "*******" (74) Service-Type = Authenticate-Only (74) NAS-Port = 0 (74) NAS-IP-Address = 164.8.15.40 (74) # Executing section authorize from file /etc/raddb/sites-enabled/guard_vpn_student (74) authorize { (74) suffix: Checking for suffix after "@" (74) suffix: No '@' in User-Name = "erik.frangez1", looking up realm NULL (74) suffix: Found realm "NULL" (74) suffix: Adding Stripped-User-Name = "erik.frangez1" (74) suffix: Adding Realm = "NULL" (74) suffix: Authentication realm is LOCAL (74) [suffix] = ok (74) guard_vpn_student_file: users: Matched entry DEFAULT at line 1 (74) [guard_vpn_student_file] = ok (74) } # authorize = ok (74) Using Autz-Type LDAPS-VPN-STUDENT (74) # Executing group from file /etc/raddb/sites-enabled/guard_vpn_student (74) Autz-Type LDAPS-VPN-STUDENT { (74) redundant { (74) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name}) (74) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1) (74) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub" (74) ldap1-vpn-student: Waiting for search result... (74) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" (74) [ldap1-vpn-student] = ok (74) } # redundant = ok (74) policy check_ldap_group_vpn_test { (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") { (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") { (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE (74) else { (74) [reject] = reject (74) } # else = reject (74) } # policy check_ldap_group_vpn_test = reject (74) } # Autz-Type LDAPS-VPN-STUDENT = reject (74) Invalid user: [erik.frangez1] (from client guard port 0) (74) Using Post-Auth-Type Reject (74) Post-Auth-Type sub-section not found. Ignoring. (74) Delaying response for 1.000000 seconds (74) Sending delayed response (74) Sent Access-Reject Id 42 from 164.8.100.71:21812 to 164.8.15.42:54972 length 20 (74) Cleaning up request packet ID 42 with timestamp +19
User is part of group IDM_VPN on domain LOKI...
Thank you for help!
Best, Erik
On 11/28/21 7:33 PM, Alan DeKok wrote:
On Nov 28, 2021, at 12:32 PM, Erik Frangež via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am having problems with configuring Radius authentication limiting users to group in Active directory.
Here is configuration of LDAP:
We don't need to see that.
Read http://wiki.freeradius.org/list-help
In sites-enabled for radius, I have specify this:
We don't need to see that, either.
Authentication is not working. Here are logs:
Part of the logs. But whatever...
rlm_ldap (ldap1): Reserved connection (0) (392) ldap1: EXPAND (sAMAccountName=%{User-Name}) (392) ldap1: --> (sAMAccountName=user) (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub" (392) ldap1: Waiting for search result... (392) ldap1: User object found at DN "..." rlm_ldap (ldap1): Released connection (0) (392) [ldap1] = ok (392) } # redundant = ok (392) policy check_ldap_group_vpn { (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
That seems wrong. "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" ? Why the repetition?
The default configuration works. The file mods-available/ldap has detailed instructions for getting it working with Active Directory.
Follow the instructions, and it should work.
User is member of group. Same configuration we are having for other domain and its working.
Is it *exactly* the same? i.e. with the same "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" repetition?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Nov 30, 2021, at 4:06 PM, Erik Frangež via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am still having problems to check if user is member of group... here is cut from logs where is comparison:
Unfortunately it's difficult to help you here. FreeRADIUS just uses the same LDAP libraries as ldapsearch. If both FreeRADIUS and ldapsearch are configured the same, then both will work. If they're configured differently, then one will work and the other won't work.
(31) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name}) (31) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1) (31) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub" (31) ldap1-vpn-student: Waiting for search result... (31) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-vpn-student): Released connection (0) (31) [ldap1-vpn-student] = ok (31) } # redundant = ok (31) policy check_ldap_group_vpn { (31) if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") {
You don't need the [*]. Just: if (&ldap1-student-um-LDAP-Group == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") { It won't change the results from AD, but it won't hurt
(31) Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" rlm_ldap (ldap1-student-um): Reserved connection (0) (31) Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-student-um): Released connection (0) (31) User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
The message is being printed by FreeRADIUS. But the "not found" answer is being returned from Active Directory. There's really little more to do, other than change the FreeRADIUS configuration until AD accepts the search.
If I run ldapsearch we could see that user is member of group, here:
Is this run on the *same* machine as FreeRADIUS? With the *same* credentials? One common mistake that people make is to use some admin account for ldapsearch, and then an account with less permission for FreeRADIUS. The FreeRADIUS account then doesn't have permission to view the user entries, and AD returns "not found" instead of "no permission". Make sure that the parameters passed to ldapsearch are taken directly from the FreeRADIUS configuration. If you're doing anything else, you're not testing the right things. And yes, this is frustrating. It's difficult for us to know what else to do. I've set this up many, many, times. And it always works after some minor initial testing. If it's not working for you, it's very difficult to debug via email. Alan DeKok.
participants (2)
-
Alan DeKok -
Erik Frangež