Migrating FR 3.0.19 from using WINBIND to LDAP for AD auth
Hello all I'm planning to migrate the AD authentication method we use from WINBIND/NTLM_AUTH to LDAP to be able to control who has access to use devices. I'm sensing that the way to do this is to disable the ntlm_auth module, configure the ldap module, enable the ldap module and then modify the site config to use ldap instead of ntlm_auth? Has anyone else done it and have a set of steps to follow that they are willing to share? Just trying to avoid reinventing the wheel. Thanks in advance ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
On Fri, 2019-08-16 at 14:22 +0000, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users wrote:
I'm planning to migrate the AD authentication method we use from WINBIND/NTLM_AUTH to LDAP to be able to control who has access to use devices.
Are you confusing authentication and authorisation? How does changing the auth method alter who can get on?
I'm sensing that the way to do this is to disable the ntlm_auth module, configure the ldap module, enable the ldap module and then modify the site config to use ldap instead of ntlm_auth?
Using LDAP (with AD) for auth will restrict you to using PAP methods only. So basically TTLS/PAP.
Has anyone else done it and have a set of steps to follow that they are willing to share? Just trying to avoid reinventing the wheel.
Sounds like you just need to keep ntlm/winbind auth and add an LDAP lookup to check that the user authenticating is actually allowed on or not. -- Matthew
Hi Matthew
How does changing the auth method alter who can get on?
If I use NTLM_AUTH/WINBIND - it's harder to restrict access to a particular AD Group ("valid user, valid credentials = accept" versus LDAP: "valid user, valid credentials, correct group entry = accept") - no? Since I've read here over the past week or so everyone simply says "use LDAP" when the question of AD group restriction is posed - I got the impression that moving to LDAP would be the way to go... Cheers Jason ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
Hi Jason Am 19.08.2019 um 08:29 schrieb WAGHORN, Jason (NHS BORDERS) via Freeradius-Users:
How does changing the auth method alter who can get on? Configure the LDAP module and insert group checks in the post-auth section as mentioned in the wiki: https://wiki.freeradius.org/modules/Rlm_ldap#group-support
If I use NTLM_AUTH/WINBIND - it's harder to restrict access to a particular AD Group ("valid user, valid credentials = accept" versus LDAP: "valid user, valid credentials, correct group entry = accept") - no?
AFAIR using ntlm_auth all you can do is provide a single the option "--require-membership-of" to the execution of "ntlm_auth = /usr/bin/ntlm_auth ..." in mods-available/mschap. However: If you need to permit more than one group or specific user attributes, overall using LDAP is just easier to do a post-auth check. This way you also clearly separate authentication from authorization which also helps during issues when you read debug logs since it will easily tell you if authentication OR authorization has caused a access-reject.
Since I've read here over the past week or so everyone simply says "use LDAP" when the question of AD group restriction is posed - I got the impression that moving to LDAP would be the way to go... Yes, for authorization it is "use LDAP". You are tied to ntlm_auth/libwbinfo in terms of authentication due to the clear-text passwords being unavailable through Active Directory.[1]
-- Mathieu [1] http://deployingradius.com/documents/configuration/active_directory.html
Yes, for authorization it is "use LDAP". You are tied to ntlm_auth/libwbinfo in terms of authentication due to the clear-text passwords being unavailable through Active Directory.[1]
Ah ha - so... when you/they say "Use LDAP" - it doesn't mean "Use LDAP exclusively"... In which case I build on the existing (working) configuration and add the extra (authorisation) check step using LDAP. Makes (more) sense now. ******************************************************************************************************************** This message may contain confidential information. If you are not the intended recipient please inform the sender that you have received the message in error before deleting it. Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation. NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services. For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail
On Mon, 2019-08-19 at 08:02 +0000, WAGHORN, Jason (NHS BORDERS) via Freeradius-Users wrote:
Yes, for authorization it is "use LDAP". You are tied to ntlm_auth/libwbinfo in terms of authentication due to the clear- text passwords being unavailable through Active Directory.[1]
Ah ha - so... when you/they say "Use LDAP" - it doesn't mean "Use LDAP exclusively"...
No. Use LDAP for group checking. Do auth with winbind (libwbclient or ntlm_auth).
In which case I build on the existing (working) configuration and add the extra (authorisation) check step using LDAP.
Yes. -- Matthew
participants (3)
-
Mathieu Simon (Lists) -
Matthew Newton -
WAGHORN, Jason (NHS BORDERS)