ntlm_auth & ldap authorize questions
Hello list, I set up a testing environment with an virtual Windows Server 2008 R2 server with Active Directory Role and a virtual freeradius server (v2.1.12). For the authentication I use ntlm_auth (followed instructions on http://deployingradius.com/documents/configuration/active_directory.html) which works great. I understand that I cannot authorize using ntlm_auth so I want to set up the ldap module for authorization, e.g. perform checks on group memberships. The ldap bind with the builtin Administrator and also the ldap search in the basedn for the builtin account Administrator is successful: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 42796, id=160, length=83 User-Name = "Administrator" User-Password = "abc123!" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x2f21233db6232800e133f6891b78309d # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "Administrator", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok [ldap] performing user authorization for Administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> Administrator [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=Administrator) [ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=test,dc=local, with filter (cn=Administrator) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user Administrator authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=Administrator [ntlm_auth] expand: --password=%{User-Password} -> --password=abc123! Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 160 to 127.0.0.1 port 42796 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 160 with timestamp +380 Ready to process requests. My first problem is that I cannot do the ldap bind with any other user as the builtin Administrator. I created a new user freeradius in cn=Users,dc=test,dc=local where the builtin Administrator also is located but the bind fails: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 44706, id=162, length=83 User-Name = "Administrator" User-Password = "abc123!" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x6b50ad7469b14cd74c9fcb7c41d93cc1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "Administrator", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok [ldap] performing user authorization for Administrator [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> Administrator [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=Administrator) [ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to testwdc.test.local:389, authentication 0 [ldap] bind as cn=freeradius,cn=Users,dc=test,dc=local/abc234! to testwdc.test.local:389 [ldap] waiting for bind result ... [ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf [ldap] (re)connection attempt failed [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns fail Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 162 to 127.0.0.1 port 44706 Waking up in 4.9 seconds. Cleaning up request 0 ID 162 with timestamp +6 Ready to process requests Question: Are there any permission requirements for binddn user or has anyone a hint why the ldap bind with any other user as builtin Administrator fails? Also the ldap search for any other user as the builtin Administrator fails: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 54411, id=98, length=80 User-Name = "freeradius" User-Password = "abc234!" NAS-IP-Address = 127.0.1.1 NAS-Port = 0 Message-Authenticator = 0x5158c0c680156b9feda64a7ac17c880e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "freeradius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 205 ++[files] returns ok [ldap] performing user authorization for freeradius [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> freeradius [ldap] expand: (cn=%{%{Stripped-User-Name}:-%{User-Name}}) -> (cn=freeradius) [ldap] expand: cn=Users,dc=test,dc=local -> cn=Users,dc=test,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in cn=Users,dc=test,dc=local, with filter (cn=freeradius) [ldap] object not found [ldap] search failed [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=freeradius [ntlm_auth] expand: --password=%{User-Password} -> --password=abc234! Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 98 to 127.0.0.1 port 54411 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 98 with timestamp +32 Ready to process requests. Thanks in advance for pointing me to the right direction. Regards, Tobias Hachmer
I set up a testing environment with an virtual Windows Server 2008 R2 server with Active Directory Role and a virtual freeradius server (v2.1.12). For the authentication I use ntlm_auth (followed instructions on http://deployingradius.com/documents/configuration/active_directory.html) which works great. I understand that I cannot authorize using ntlm_auth so I want to set up the ldap module for authorization, e.g. perform checks on group memberships.
I (sort of) solved exactly the same problem. I will post my solution in "MSSCHAP auth + LDAP authorizaton" shortly. Stay tuned. A.
Am 04.04.2012 12:30, schrieb Andres Septer:
I (sort of) solved exactly the same problem. I will post my solution in "MSSCHAP auth + LDAP authorizaton" shortly. Stay tuned.
# Note to Andres Septer: Thanks for your reply, but I fixed my problem by now without giving the ldap bind user any specific rights. (http://www.advproxy.net/ldapads.html) I did the following: # ldapsearch -h testwdc.test.local -D cn=Administrator,cn=Users,dc=test,dc=local -w abc123! -b dc=test,dc=local # Free RADIUS, Users, test.local dn: CN=Free RADIUS,CN=Users,DC=test,DC=local objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Free RADIUS sn: RADIUS givenName: Free distinguishedName: CN=Free RADIUS,CN=Users,DC=test,DC=local instanceType: 4 whenCreated: 20120404112536.0Z whenChanged: 20120404112536.0Z displayName: Free RADIUS uSNCreated: 20580 uSNChanged: 20585 name: Free RADIUS objectGUID:: Wc/75uS3EEOkigLBcBPVQw== userAccountControl: 66048 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 pwdLastSet: 129780123362628750 primaryGroupID: 513 objectSid:: AQUAAAAAAAUVAAAAXrAss/fHBMRa4JZ1UgQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: freeradius sAMAccountType: 805306368 userPrincipalName: freeradius@test.local objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local dSCorePropagationData: 16010101000000.0Z and recognized that the CN of the user I want to use for ldap bind is "CN=Free RADIUS" but I assumed that the CN is like the sAMAccountName. So I changed the identity in /etc/freeradius/modules/ldap from identity = "cn=freeradius,cn=Users,dc=test,dc=local" to identity = "cn=Free RADIUS,cn=Users,dc=test,dc=local" and the filter from filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})" (default was uid) to filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})" additionally I set the groupmembership_filter accordingly for active directory: groupname_attribute = cn groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))" That's what I've done and now it is working like a charme. Regards, Tobias Hachmer
participants (2)
-
Andres Septer -
Tobias Hachmer