AD group membership
I have successfully configured freeradius to authenticate against AD using the winbind socket (not the ntlm_auth command). I find myself needing to also authorize based on AD group membership, more precisely based on negative group membership (We maintain a "deny wireless" group). It seems like I could use the LDAP module and test for the group there, but I noticed that the ntlm_auth command supports some notion of group checking through the '--require-membership-of=STRING' option. It follows that winbind has access to AD groups and could be used to check. I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind. -- Munroe Sollog Senior Network Engineer munroe@lehigh.edu
On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I have successfully configured freeradius to authenticate against AD using the winbind socket (not the ntlm_auth command).
That's good.
I find myself needing to also authorize based on AD group membership, more precisely based on negative group membership (We maintain a "deny wireless" group). It seems like I could use the LDAP module and test for the group there, but I noticed that the ntlm_auth command supports some notion of group checking through the '--require-membership-of=STRING' option.
That requires membership in a particular group. It does *not* do negative group checking.
It follows that winbind has access to AD groups and could be used to check. I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind.
The --require-membership-of option is *only* good if you need to require membership of one, and only one group. If you need to check multiple groups, it doesn't work. If you need to do negative group checking, it doesn't work. Alan DeKok.
Using this as a guide: https://wiki.freeradius.org/modules/Rlm_ldap#group-support I configured the ldap module for my AD server. However, I was unsure regarding the post-auth section in the guide. I ended up adding a "function" to the policy.d folder (not sure if that's a debian-only folder or not) and referencing that function as the first line in the authorize section of my enabled site. I recognize there are many ways to get to the same result, but I thought I'd ask the experts, is there a reason to use the post-auth section rather than the authorize section? Seems like the group check naturally fits into "is this user authorized to use this service". On Mon, Jan 13, 2020 at 5:19 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I have successfully configured freeradius to authenticate against AD
using
the winbind socket (not the ntlm_auth command).
That's good.
I find myself needing to also authorize based on AD group membership, more precisely based on negative group membership (We maintain a "deny wireless" group). It seems like I could use the LDAP module and test for the group there, but I noticed that the ntlm_auth command supports some notion of group checking through the '--require-membership-of=STRING' option.
That requires membership in a particular group. It does *not* do negative group checking.
It follows that winbind has access to AD groups and could be used to check. I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind.
The --require-membership-of option is *only* good if you need to require membership of one, and only one group. If you need to check multiple groups, it doesn't work. If you need to do negative group checking, it doesn't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Munroe Sollog Senior Network Engineer munroe@lehigh.edu
On Mon, 2020-01-13 at 17:02 -0500, Munroe Sollog wrote:
I haven't been able to find any guidance on the freeradius.org documentation site, so I was wondering if there is a preferred method for AD-based group checking when using winbind.
LDAP. There's basic group lookup in rlm_winbind in v4, but that's not available in v3. Even so, LDAP is still recommended. -- Matthew
participants (3)
-
Alan DeKok -
Matthew Newton -
Munroe Sollog