FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization
Hi: I am running FreeRadius version 2.1.12 on a CentOS 6 machine. For authentication I am using AD (ntlm_auth) and this works create. In the the request the username is sent as just the plain username (ie: mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine. My problem is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authentication against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just for the LDAP authorization part so make it DOMAIN\username but keep it as is for the authentication part. Everything I have done so far ends up changing it for both authentication and authorization. (In /etc/raddb/sites-enabled/inner and default in the authorize section I have a update request Stripped-User-Name section. Since authorize runs before authenticate it modifies the user name for the authentications) Thanks
On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
Hi:
I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
For authentication I am using AD (ntlm_auth) and this works create. In the the request the username is sent as just the plain username (ie: mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
My problem is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authentication against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just for the LDAP
Don't modify the "User-Name" attribute; that can break certain auth types. It's not really clear what you want to do, but you can either edit the LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local attribute "Full-User-Name" in raddb/dictionary - see the comments in there about attribute numbers - then reference that in your LDAP filters.
Phil: Thanks for the response. My understanding of what was happening with LDAP was actually incorrect. I thought it was binding as the admin DN I provided and then re-binding as the user that is trying to authenticate. The message returned was "No known good password found for user". Which is just a WARNING and caused because AD doesn't return the password when querying via LDAP. So no big deal. It was actually doing what I wanted. Until things got a little strange. [ldap] performing user authorization for DOMAIN\usrtest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> DOMAIN\5cusrtest [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=DOMAIN\5cusrtest) [ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN OU,dc=domain,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter (samAccountName=DOMAIN\5cusrtest) [ldap] object not found [ldap] search failed As you can see it says performing authorization for DOMAIN\usrtest but then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c comes from I have no idea. Any thoughts? On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
Hi:
I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
For authentication I am using AD (ntlm_auth) and this works create. In the the request the username is sent as just the plain username (ie: mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
My problem is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authentication against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just for the LDAP
Don't modify the "User-Name" attribute; that can break certain auth types.
It's not really clear what you want to do, but you can either edit the LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local attribute "Full-User-Name" in raddb/dictionary - see the comments in there about attribute numbers - then reference that in your LDAP filters. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
It appears that when Windows sends the username it sends it as DOMAIN\\username. The \\ causes the 5c to appear in the username. I confirmed this by using the radtest tool and specifying the username as DOMAIN\\username. A single \ causes the username to appear as DOMAINusername so that is why double \\ are required. Thanks On Wed, Jan 9, 2013 at 12:18 PM, Matthew Ceroni <matthewceroni@gmail.com>wrote:
Phil:
Thanks for the response. My understanding of what was happening with LDAP was actually incorrect. I thought it was binding as the admin DN I provided and then re-binding as the user that is trying to authenticate. The message returned was "No known good password found for user". Which is just a WARNING and caused because AD doesn't return the password when querying via LDAP. So no big deal. It was actually doing what I wanted.
Until things got a little strange.
[ldap] performing user authorization for DOMAIN\usrtest [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> DOMAIN\5cusrtest [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=DOMAIN\5cusrtest) [ldap] expand: ou=DOMAIN OU,dc=domain,dc=local -> ou=DOMAIN OU,dc=domain,dc=local [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=DOMAIN OU,dc=domain,dc=local, with filter (samAccountName=DOMAIN\5cusrtest) [ldap] object not found [ldap] search failed
As you can see it says performing authorization for DOMAIN\usrtest but then says it is expanding User-Name to DOMAIN\5cusrtest. Where that 5c comes from I have no idea. Any thoughts?
On Wed, Jan 9, 2013 at 3:27 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
On 01/09/2013 12:43 AM, Matthew Ceroni wrote:
Hi:
I am running FreeRadius version 2.1.12 on a CentOS 6 machine.
For authentication I am using AD (ntlm_auth) and this works create. In the the request the username is sent as just the plain username (ie: mceroni) and the NT-domain (ie: DOMAIN1). And it authenticates fine.
My problem is on the authorization side in which I am using LDAP to grab the groups a user is in. In order to authentication against ldap my bind DN has to be DOMAIN\username (ie: DOMAIN1\mceroni). I am wondering how I modify the User-Name or Stripped user name just for the LDAP
Don't modify the "User-Name" attribute; that can break certain auth types.
It's not really clear what you want to do, but you can either edit the LDAP filters to hard-code the DOMAIN\ prefix, or define and use a local attribute "Full-User-Name" in raddb/dictionary - see the comments in there about attribute numbers - then reference that in your LDAP filters. - List info/subscribe/unsubscribe? See http://www.freeradius.org/** list/users.html <http://www.freeradius.org/list/users.html>
On 01/09/2013 08:42 PM, Matthew Ceroni wrote:
It appears that when Windows sends the username it sends it as DOMAIN\\username.
The \\ causes the 5c to appear in the username. I confirmed this by using the radtest tool and specifying the username as DOMAIN\\username. A single \ causes the username to appear as DOMAINusername so that is why double \\ are required.
No, you're misunderstanding what is going on. "\" is the string escape character e.g. "\n" is "newline", "\t" is tab, etc/. So to put a "\" in a quoted string needs "\\". FreeRADIUS in debug mode is printing the same thing you would have to type. That is, windows is only sending "DOMAIN\username" "\" is then LDAP-escaped to \5c as per normal LDAP escaping rules. As to why it's not working - I seriously doubt that you actually have: sAMAccountNAme: DOMAIN\user ...in Active Directory. Are you sure this is what you have?
participants (2)
-
Matthew Ceroni -
Phil Mayers