differentiate authoriztion/ authentication in separate ldap modules
Hello list, first of all a bit background about my environment: - CentOS 6.4 - FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51 - OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08) Here we use Microsoft Active Directory (not in our responsibility) for User Authentication. I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like: LDAP Master | -------------------------------------------------------------------------------- | | RADIUS Primary RADIUS Secondary local LDAP copy local LDAP copy All RADIUS authorization information are stored in the OpenLDAP DIT using RADIUS profiles. The usernames in OpenLDAP DIT and in Active Directory are the same. The normal scenario should be: - retrieve authorization from openldap dit (module ldap_openldap) - authenticate the user (password verification) against active directory (module ldap_ad) o if active directory server isn't reachable check password against module ldap_openldap Problem: After the module ldap_openldap has found the DN for the requesting user freeradius uses the same DN to bind against module ldap_ad. I know this can't work. Is there a possible solution for this using ldap? - Configure module ldap_ad to determine the DN of user again? - Rewrite DN? If not, would this work using ntlm_auth? Any help appreciated. Kind regards, Tobias Hachmer
Am Dienstag, 3. September 2013, 07:27:47 schrieb Hachmer, Tobias:
Hello list,
first of all a bit background about my environment:
- CentOS 6.4
- FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51
- OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08)
Here we use Microsoft Active Directory (not in our responsibility) for User Authentication. I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like:
LDAP Master
--------------------------------------------------------------------------- -----
RADIUS Primary RADIUS Secondary local LDAP copy local LDAP copy
All RADIUS authorization information are stored in the OpenLDAP DIT using RADIUS profiles. The usernames in OpenLDAP DIT and in Active Directory are the same.
The normal scenario should be:
- retrieve authorization from openldap dit (module ldap_openldap)
- authenticate the user (password verification) against active directory (module ldap_ad)
o if active directory server isn't reachable check password against module ldap_openldap
Problem: After the module ldap_openldap has found the DN for the requesting user freeradius uses the same DN to bind against module ldap_ad. I know this can't work.
Is there a possible solution for this using ldap?
- Configure module ldap_ad to determine the DN of user again?
- Rewrite DN?
If not, would this work using ntlm_auth?
Any help appreciated.
Kind regards, Tobias Hachmer
As far as I know it is not possible to use a ldap module to authenticate agains AD. See this page for protocol compatibility: http://deployingradius.com/documents/protocols/compatibility.html See also the setup guide for ntlm. The first lines say: "The clear-text passwords are unavailable through Active Directory, so we have to use Samba, and the ntlm_auth helper program". http://deployingradius.com/documents/configuration/active_directory.html Greetings, -- Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Hello Alan,
Hachmer, Tobias wrote: - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute.
How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easy using ntlm_auth because I just want to check the password against AD, am I right? Kind regards, Tobias Hachmer
On 4 Sep 2013, at 06:54, "Hachmer, Tobias" <Tobias.Hachmer@stadt-frankfurt.de> wrote:
Hello Alan,
Hachmer, Tobias wrote: - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute.
How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easy using ntlm_auth because I just want to check the password against AD, am I right?
Yes. update control { LDAP-BaseDN !* ANY } open_ldap.authorize open_ldap Or the other way around to auth against AD. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easy using ntlm_auth because I just want to check the password against AD, am I right?
Yes.
update control { LDAP-BaseDN !* ANY } open_ldap.authorize open_ldap
Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the freeradius config more simple. Then I have defined a new Auth-Type which does ntlm_auth and in case of reject it will fall back to the ldap module. (in case active directory server is not available) authorize { ... ldap_local ... } authenticate { ... Auth-Type AD { ntlm_auth { reject = 2 } if (reject) { ldap_local } } ... } For users who are in active directory I added a new radius profile which sets Auth-Type to "AD". Users who are only in local ldap, the module does this automatically. Kind regards. Tobias Hachmer
On 4 Sep 2013, at 13:10, "Hachmer, Tobias" <Tobias.Hachmer@stadt-frankfurt.de> wrote:
How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easy using ntlm_auth because I just want to check the password against AD, am I right?
Yes.
update control { LDAP-BaseDN !* ANY } open_ldap.authorize open_ldap
Thanks Arran for the answer. I dropped the ldap module for AD and configured ntlm_auth to keep the freeradius config more simple. Then I have defined a new Auth-Type which does ntlm_auth and in case of reject it will fall back to the ldap module. (in case active directory server is not available)
authorize { ... ldap_local ... }
authenticate { ... Auth-Type AD { ntlm_auth { reject = 2 } if (reject) { ldap_local } } ... }
For users who are in active directory I added a new radius profile which sets Auth-Type to "AD". Users who are only in local ldap, the module does this automatically.
Ah, fair enough. Just be aware that LDAP bind will be significantly faster than calling out to ntlm_auth. Doesn't matter if you've got fairly light auth traffic, but may be a factor if your server(s) are heaving loaded. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Hachmer, Tobias -
Michael Schwartzkopff