Date: Thu, 05 Jan 2006 17:07:30 -0500 From: Gary Algier <gaa@ulticom.com> Subject: Re: LDAP scope To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <43BD98A2.7000401@ulticom.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Stefan Adams wrote:
Hi!
Is it possible to specify a basedn of "dc=example,dc=com" with a scope of "sub" so that my search filters can apply to both "ou=People" and "ou=Computers" for example? It seems from my testing that the scope is "one" by default. From my experience it is a scope of "sub" by default. My people are
Yup... It worked as sub for me! Was I dreaming or stupid, I dunno. But I'm glad you told me sub should work cuz then I tried it again.
in the data store like: dn: uid=gaa,ou=people,dc=ulticom,dc=com and my ldap section of radius.conf is: ldap { server = "ldap.ulticom.com" basedn = "dc=ulticom,dc=com" filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))" do_xlat = yes base_filter = "(objectclass=*)" start_tls = no access_attr = "uid" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 }
The reason I would like to do this is to have the check box in Windows XP that says "Authenticate as computer..." checked. Doing this, FreeRADIUS is first presented with the credentials of the computer (host/name). Since I already have a computer account in ou=Computers, I figure I'd just add a cn=host/name attribute and modify the filter to be (|(uid=%{User-Name})(cn=%{User-Name})). But this can only work with a basedn of "dc=example,dc=com" and a scope of sub.
The thing to watch out for is the actual LDAP lookup may not be what you think. Without special regex matches or other tricks it will only lookup your hostname. For instance with a user of "gaa" on host "malachite", the supplied user value is "MALACHITE\GAA". This then results in an LDAP lookup of (from radiusd -X): ----------------------------------------------------------------------------- rlm_ldap: performing user authorization for MALACHITE\gaa radius_xlat: '(&(objectclass=person)(uid=MALACHITE))' radius_xlat: 'dc=ulticom,dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE)) rlm_ldap: object not found or got ambiguous search result rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 -----------------------------------------------------------------------------
I tried to handle it with this:
hints file: ... DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)" Hint = "8021XUSER", Stripped-User-Name = `${2}` ... users file: ... DEFAULT Hint == "8021XUSER" Fall-Through = 1 ...
This strips the hostname off, mostly. I see it do several "uid=gaa" lookups, then one "uid=MALACHITE" and then it fails. If you get it to work, let me know. All I want to do is lookup the user.
I haven't tried the hints or users file method, but here's how I do it and so far everything is working perfectly: FreeRADIUS 1.1.0-pre0 (snapshot-20051220) Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2 radiusd.conf: proxy_requests = no $INCLUDE ${confdir}/proxy.conf modules { unix { radwtmp = ${logdir}/radwtmp } mschap { authtype = MS-CHAP use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } ldap { server = "ldap.borgia.com" identity = "cn=Manager,dc=borgia,dc=com" password = Manager's password basedn = "dc=borgia,dc=com" filter = "(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))" base_filter = "(objectclass=radiusprofile)" tls { ... } access_attr = "dialupAccess" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 auto_header = no access_attr_used_for_allow = yes } eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no tls { private_key_password = whatever private_key_file = /etc/1x/server.pem certificate_file = /etc/1x/server.pem CA_file = /etc/1x/root.pem dh_file = /etc/1x/DH random_file = /etc/1x/random include_length = yes } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes } mschapv2 { } } realm ntdomain { format = prefix delimiter = "\\" } preprocess { : with_ntdomain_hack = no : } } authorize { preprocess ntdomain eap ldap } authenticate { Auth-Type MS-CHAP { mschap } eap } clients.conf: client 172.16.16.0/24 { secret = whatever shortname = ap } client 172.16.254.0/24 { secret = whatever shortname = server } proxy.conf: realm LOCAL { type = radius authhost = LOCAL accthost = LOCAL } realm DEFAULT { type = radius authhost = LOCAL accthost = LOCAL } [ SSID Authorization (If I want to autz a user via 802.1x to an existing LDAP based on which connecting-to SSID): modules { ldap { filter = "(&(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))(radiusCalledStationId=%{Called-Station-ID}))" } attr_rewrite getssid { attribute = Called-Station-Id # may be "packet", "reply", "proxy", "proxy_reply" or "config" searchin = packet # Strip the MAC Address out of the Called-Station-ID # Resulting in just the SSID # My AP sends the:mac:add:ress:and:the:SSID # All I want is the SSID searchfor = ".................:" replacewith = "" ignore_case = yes new_attribute = no # max_matches = 10 # ## If set to yes then the replace string will be appended to th # append = no } } authorize { : eap getssid ldap : } Windows XP: Apply this Pre-SP3 Hotfix: http://support.microsoft.com/?kbid=885453 Windows Network Connection Properties: Preferred networks, [SSID] Properties: Association: Network Auth: WPA Data Enc: AES Authentication: EAP Type: PEAP [X] Authenticate as computer when computer information is available (IF PC IS JOINED TO DOMAIN) [ ] Authenticate as computer when computer information is available (IF NOT JOINED) Properties: EAP-MS-CHAP v2 Configure: [X] Automatically use my Windows logon name and Password (IF PC IS JOINED TO DOMAIN) [ ] Automatically use my Windows logon name and Password (IF NOT JOINED) [X] Enable Fast Reconnect
If you want to use the hostname, how will you match the password? What credentials are you expecting it to pass? I was under the assumption that when you select "Authenticate as computer..." it expects to use certificates (I may be wrong here).
When the PC is joined to a Samba domain, a computer account is created with uid=hostname$ and sambaNTPassword=xxxxxxxxx When you authenticate as computer, windows sends host/hostname as the User-Name and the the password that, when encrypted, matches the sambaNTPassword. This has successfully connected me to 802.1x (Wired and WPA wireless) as computer when joined to the domain. This allows me to login to the domain using a domain account never before used on that computer so that it is not cached. I'm sure the significance of this can be realized.
The format of the password when using the Windows domain style login is the Windows "encrypted" format (actually a hash, not encrypted, but you still can't recreate the clear text password). The the default configuration, this value is matched against the LDAP attribute "sambaNTPassword". This assumes that you are already using Samba for SMB/CIFS access. (I am). |---> Of course!!! :)
Thanks! Stefan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758 Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
Nielsen's First Law of Computer Manuals: People don't read documentation voluntarily.
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 9, Issue 23 ***********************************************
participants (1)
-
Stefan Adams