Multiple (different) LDAP servers and authorisation
Hi all, I have been roped in to look over an issue we have with migrating from Novell to AD. What we would like to do while we in the transitional phase is check both the AD and Novell LDAP services for authorisation and authentication (usernames are completely different so no need to be concerned with username clashes). I have managed to setup authentication fall through without any real issues, but, authorisation is having issues. Just to clarify, if I only specify one of the LDAP servers everything works like a treat, so the actual ldap server definitions are working fine in their own right. If I have the authorisation section setup: group LDAP { vudc01 { notfound=2 ok=return } novell { notfound=2 ok=return } } (I have also tried variations without the group LDAP line) Things eventually fail and the last useful message (I think) from -X -f is: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user It's not entirely clear what the freeradius LDAP module is doing BUT it would appear that it looks over both authorisation assertions and takes the one with least rights, but, I am not sure. As I stated earlier authentication fall through works like a treat (if in the users file I don't specify an LDAP-Group authentication works). If I only specify 1 ldap server to do authentication and authorisation, everything works, its only when I try to do authorisation via LDAP-Group AND try to do authorisation fall through as documentation above do I start getting errors. Can anyone offer any advice or pointers? Cheers, Stewart -X -f output: rad_recv: Access-Request packet from host 127.0.0.1:32909, id=60, length=60 User-Name = "USERNAME" User-Password = "PASSWORD" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "USERNAME", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 1 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'o=vu ' radius_xlat: '(uid=UID)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=vu, with filter (uid=USERNAME) rlm_ldap: object not found or got ambiguous search result rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns notfound for request 1 modcall: entering group redundant for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for USERNAME radius_xlat: '(samaccountname=USERNAME)' radius_xlat: 'dc=ad,dc=vu,dc=edu,dc=au' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter (samaccountname=USERNAME) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user USERNAME authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "vudc01" returns ok for request 1 modcall: leaving group redundant (returns ok) for request 1 modcall: leaving group authorize (returns ok) for request 1 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 60 to 127.0.0.1 port 32909 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 60 with timestamp 46c24e67 Nothing to do. Sleeping until we see a request.
Stewart James wrote:
I have been roped in to look over an issue we have with migrating from Novell to AD.
Repeat after me: AD is not an LDAP server. It's not. It fakes it pretty well, but it's not.
As I stated earlier authentication fall through works like a treat (if in the users file I don’t specify an LDAP-Group authentication works). If I only specify 1 ldap server to do authentication and authorisation, everything works, its only when I try to do authorisation via LDAP-Group AND try to do authorisation fall through as documentation above do I start getting errors.
If you are trying to use LDAP to obtain the "known good" password from AD, it's impossible.
rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter (samaccountname=USERNAME) .. rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
Nothing. i.e. The user was found, but *nothing* more than that was found.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
The server doesn't know how to authenticate the user, so the user is rejected. Please explain a little more what you're trying to do, and what you expect to see where. Right now, you're trying to debug a solution. Instead, focus on the problem, and the solution may be simple (or impossible). Alan DeKok.
Hi Alan, Thanks for offering some help, no need to point out that in reality AD != True LDAP. Well and truly aware of it. Lets step through what we need. At the moment we have a large number of people that get their authentication/authorisation through the Radius server (VPN Service). There will be a period (over the next few months) where some people will have an account in AD and Novell, some will have just an account in Novell and some will have an account in AD. What we want to be able to do is allow users to continue using their systems without changing anything in their configuration and for the Radius server to see if they are a authorised user with valid credentials on the AD LDAP interface and if they are not in that, check the Novell LDAP Interface. I can: * Have the system perform authentication on the user to the AD system and if the user is notfound, it will then check for the user on the Novell system - providing I do not specify and LDAP-Group requirement in the Users file e.g. Just authentication not authorisation. * Have the system perform authentication and authorisation on a given user providing I only configure one of the Directory Services (e.g. only list the AD server for both authentication and authorisation) SO it is only in the authorisation area I am having problems. Does that make more sense? Cheers, Stewart -----Original Message----- From: freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, 15 August 2007 12:16 PM To: FreeRadius users mailing list Subject: Re: Multiple (different) LDAP servers and authorisation Stewart James wrote:
I have been roped in to look over an issue we have with migrating from Novell to AD.
Repeat after me: AD is not an LDAP server. It's not. It fakes it pretty well, but it's not.
As I stated earlier authentication fall through works like a treat (if in the users file I don’t specify an LDAP-Group authentication works). If I only specify 1 ldap server to do authentication and authorisation, everything works, its only when I try to do authorisation via LDAP-Group AND try to do authorisation fall through as documentation above do I start getting errors.
If you are trying to use LDAP to obtain the "known good" password from AD, it's impossible.
rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter (samaccountname=USERNAME) .. rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
Nothing. i.e. The user was found, but *nothing* more than that was found.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
The server doesn't know how to authenticate the user, so the user is rejected. Please explain a little more what you're trying to do, and what you expect to see where. Right now, you're trying to debug a solution. Instead, focus on the problem, and the solution may be simple (or impossible). Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Further to my previous email I have gained a better understanding for the situation, as I said in my first post - I have been roped in, so this is my introduction to Radius, specifically freeradius - nothing like being thrown in the deep end to learn a new service. :) What I have realised is that there are 2 ways that authorisation appear to be called for LDAP. One way is to name the LDAP modules in the authorise section. The other way appears to be through the LDAP-Group in the users file and letting the "files" module then call the LDAP module. If I have anything incorrect in the above statement please let me know. Now. With that in mind I can simplify by problem...I think. The working configuration as it stands is configured to use Auth-Type LDAP as defined in the usersfile with appropriate LDAP-Groups e.g.: DEFAULT Auth-Type = LDAP, LDAP-Group == "SomeGroup" Fall-Through = Yes There is no mention of the ldap server (novell) in the authorise section of the radiusd.conf file. This leads me to believe (and looking at -X -f output) that when an access request is made, the radius server does through the authorise section first, hits the files module, the files module then sees the LDAP-Group and calls the LDAP module and checks for the group. If I don’t have that correct, please feel free to correct me. Assuming I do have that correct, the behaviour I am seeing is that the eventual call to the LDAP module for checking the group does not seem to allow being configured to fall through to another ldap server if the first ldap server does not yield a successful result. Thoughts? Stewart :) -----Original Message----- From: freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org] On Behalf Of Stewart James Sent: Wednesday, 15 August 2007 1:49 PM To: FreeRadius users mailing list Subject: RE: Multiple (different) LDAP servers and authorisation Hi Alan, Thanks for offering some help, no need to point out that in reality AD != True LDAP. Well and truly aware of it. Lets step through what we need. At the moment we have a large number of people that get their authentication/authorisation through the Radius server (VPN Service). There will be a period (over the next few months) where some people will have an account in AD and Novell, some will have just an account in Novell and some will have an account in AD. What we want to be able to do is allow users to continue using their systems without changing anything in their configuration and for the Radius server to see if they are a authorised user with valid credentials on the AD LDAP interface and if they are not in that, check the Novell LDAP Interface. I can: * Have the system perform authentication on the user to the AD system and if the user is notfound, it will then check for the user on the Novell system - providing I do not specify and LDAP-Group requirement in the Users file e.g. Just authentication not authorisation. * Have the system perform authentication and authorisation on a given user providing I only configure one of the Directory Services (e.g. only list the AD server for both authentication and authorisation) SO it is only in the authorisation area I am having problems. Does that make more sense? Cheers, Stewart -----Original Message----- From: freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org [mailto:freeradius-users-bounces+stewart.james=vu.edu.au@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, 15 August 2007 12:16 PM To: FreeRadius users mailing list Subject: Re: Multiple (different) LDAP servers and authorisation Stewart James wrote:
I have been roped in to look over an issue we have with migrating from Novell to AD.
Repeat after me: AD is not an LDAP server. It's not. It fakes it pretty well, but it's not.
As I stated earlier authentication fall through works like a treat (if in the users file I don’t specify an LDAP-Group authentication works). If I only specify 1 ldap server to do authentication and authorisation, everything works, its only when I try to do authorisation via LDAP-Group AND try to do authorisation fall through as documentation above do I start getting errors.
If you are trying to use LDAP to obtain the "known good" password from AD, it's impossible.
rlm_ldap: performing search in dc=ad,dc=vu,dc=edu,dc=au, with filter (samaccountname=USERNAME) .. rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
Nothing. i.e. The user was found, but *nothing* more than that was found.
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
The server doesn't know how to authenticate the user, so the user is rejected. Please explain a little more what you're trying to do, and what you expect to see where. Right now, you're trying to debug a solution. Instead, focus on the problem, and the solution may be simple (or impossible). Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 2007-08-15 at 15:36 +1000, Stewart James wrote:
What I have realised is that there are 2 ways that authorisation appear to be called for LDAP. One way is to name the LDAP modules in the authorise section. The other way appears to be through the LDAP-Group in the users file and letting the "files" module then call the LDAP module.
Sort of. If you had: authorize { preprocess files other Autz-Type FOO { moduleX } } authenticate { Auth-Type MS-CHAP { mschap } ....etc... } ...the flow is: 1. call "preprocess" 2. call "files" 3. call "other" 4. if an only if Autz-Type is set, do a 2nd pass through the matching Autz-Type stanza 5. Call one and only one module from the authenticate section to execute the authentication algorithm Alan has already hinted at this, but - you will not be able to get the plaintext password out of AD. Your password checking options against AD are limited to precisely two: 1. For PAP, you can authenticate the user by asking the LDAP module to to an LDAP simple bind with the pap username/password 2. For MS-CHAP, you install samba, join the domain, and use the "ntlm_auth" helper binary in the mschap module Which of the two do you want to do, because that will impact the next bit.
Thanks Phil
1. For PAP, you can authenticate the user by asking the LDAP module to to an LDAP simple bind with the pap username/password 2. For MS-CHAP, you install samba, join the domain, and use the "ntlm_auth" helper binary in the mschap module
Option 1 is the way things are being handled at the moment (LDAP simple bind) and I should probably mention no radius specific schema. Half my problem here is that I am totally new to radius of any type, but, Alan's mention before of retrieving the password had me start to look at how things are being done at the moment. I was nicely confused because the current configuration does check for group memberships on the Novell LDAP server BUT it had no lines in the authorize section saying to actually check for groups. This is when I came to the conclusion that LDAP-Group == "something" was this funky lookup for authorisation by files detecting the LDAP-Group directive and getting the ldap module to do a lookup. I have also learnt that the LDAP module also sets up direct access to the ldap servers, so AD-LDAP-Group and Novell-LDAP-Group can be referenced in the users file e.g. DEFAULT Auth-Type=LDAP, AD-LDAP-Group == "somegoup" Pass-Through=Yes DEFAULT Auth-Type=LDAP, Novell-LDAP-Group == "somegoup" Pass-Through=Yes And with a authenticate section like: authenticate { ... Auth-Type LDAP { AD { notfound=2 } Novell { notfound=2 } } ... } This does have the desired effect, if I log into the system with an AD user/pass (who is in "somegroup") I can login, if I authenticate with a Novell user/pass, it fails on the first "DEFAULT" entry, but, passes down to the novell entry. The Auth-Type LDAP section handles itself quite nicely for authentication and does a search for DN and if not found failes down to the Novell server. Of course if/when it finds the users DN, it then does an LDAP Simple bind. If I set it up so there is just one line in the users file: DEFAULT Auth-Type=LDAP, LDAP-Group == "somegoup" Pass-Through=Yes Radius only checks the first ldap server (configured in the module section). If it fails (e.g. the first ldap server is Novell and you are trying to authenticate an AD user), it never goes on to check any other servers. And that is just about the top to bottom of my entire freeradius knowledge. I am now down to trying to figure out how to control the LDAP-Group membership lookup in a way that does not mean adding additional entries to the users file, I get the feeling this would not scale too well and that I would not be able to give any redundancy, either that or there would need to be a "DEFAULT" entry for each LDAP server (So if you have 4 AD servers and 4 novell servers that would be a total of 8 entries in the users file) The above solution would probably work just fine for our purposes - we are only talking about a 6 month window of having both directory services - I always like to try and be complete, if only for someone else doing something similar in 5 years time :) I also have to apoligise, I am at home with "outlook web^H^H^HIE access", so I hope things comes out correctly...of course any spelling mistakes are purely the fault of the webmail client ;) Cheers, Stewart
participants (3)
-
Alan DeKok -
Phil Mayers -
Stewart James