How to return Filter-ID attribute value for the users in Active Directory?
Hi, I am able to do authentication and authorization of the users that are in Active Directory after FreeRadius and Active Directory integration. I am now testing in real test environment with Enterasys product (Switch) in which Policy manager is already configured to assign different roles to different users. Depending upon the Filter-ID attribute value returned by FreeRadius, Enterasys switch decides what role can be assigned to the user. In my understanding I know there is the way to achieve this goal if we have Ldap-Group so that we can use as: DEFAULT Ldap-Group == "Staff" Filter-ID := "Enterasys:version=1:policy=staff", Fall-Through = No But, How to do same like this for the users in Active Directory; How to return the Filter-ID attribute value if there is no group configured in Active Directory; there is just users listings who can be authenticated and authorized using the passwords provided. The main point is: I don't have any Group configured as Ldap-Group for staff or admin or for different types of users in Active Directory. I would really appreciate if someone can give me the idea on this. Thanks,
On 18/01/12 14:55, suggestme IT wrote:
DEFAULT Ldap-Group == "Staff" Filter-ID := "Enterasys:version=1:policy=staff", Fall-Through = No
But, How to do same like this for the users in Active Directory; How to return the Filter-ID attribute value if there is no group configured in Active Directory; there is just users listings who can be authenticated and authorized using the passwords provided.
The main point is: I don't have any Group configured as Ldap-Group for staff or admin or for different types of users in Active Directory.
Do you want to return the same filter group for everyone? If so, do this: DEFAULT Filter-Id := "value" ...or better, in the virtual server config: post-auth { update reply { Filter-Id := "value" } } If you want to return a different filter for different users, you will obviously need some kind of lookup table from user->filter. That will need to live somewhere.
There are different users under Staff, Administrators, Retirees, etc in active directory as: OU=Staff OU=Administrators OU=Retirees CN=users CN=users CN=users I have to return the filterID value for staff users as: Filter-Id := "Enterasys:version=1:policy=staff" Also, filterID value for Administrators users as: Filter-Id := "Enterasys:version=1:policy=Administrators" similarly for others.
If you want to return a different filter for different users, you will obviously need some kind of lookup table from user->filter. That will need to live somewhere.
How to do this? Can the lookup table be created inside Active Directory using the attribute? If so, how to return that user's filter attribute value that is created from Active Directory back to NAS again. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-va... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 18/01/12 16:04, suggestme wrote:
There are different users under Staff, Administrators, Retirees, etc in active directory as:
OU=Staff OU=Administrators OU=Retirees CN=users CN=users CN=users
Ok, so you want to look at the "OU" in the DN. The "ldap" module sets the value "Ldap-UserDN". You can match this. This is easiest in "unlang". For example, in sites-enabled/<name>: authorize { ... ldap # match the 2nd part of the DN with a regexp # e.g. # CN=foo,OU=bar,CN=com if (Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) { # store the regexp match in the control list update control { # This will be set to "bar" Tmp-String-1 := "%{1}" } } ... } post-auth { # now, read the value of Tmp-String-1 update reply { Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}" } }
Hi, I tried to return the value of Filter-ID as: authorize { ... ldap if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) { update control { Tmp-String-1 := "%{1}" } } ... } post-auth { update reply { Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}" } } In my active directory I have the attribute named "distinguishedName" which I am using inside "if" statement. If I use "Ldap-UserDN" attribute inside "if" statement (as suggested) it says: "No attribute named Ldap-UserDN". *Example*: In Active Directory "distinguishedName" attribute for the user is listed as: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com But, when I run in debug mode I see: while checking the "if" condition; it shows: ++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) ? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE ++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE *Why this "if" condition is being evaluated as FALSE?* And it returns the post-auth value as: Filter-Id = "Enterasys:version=1:policy=" It doesn't return anything as: staff, administrators, etc for policy. The part of debug mode output and radtest are as shown below: ##Debug mode output: #radiusd -X : rad_recv: Access-Request packet from host 127.0.0.1 port 43666, id=225, length=80 User-Name = "test" User-Password = "hello" NAS-IP-Address = IP Address NAS-Port = 0 Message-Authenticator = 0x8ab06794e7069587309aa626d315269e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [ldap] performing user authorization for test [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> test [ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=test) [ldap] expand: dc=example,dc=com -> dc=example,dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to server.example.com:389, authentication 0 [ldap] bind as cn=test,ou=Staff,ou=Employees,ou=Users,dc=example,dc=com/hello to server.example.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in dc=example,dc=com, with filter (sAMAccountName=test) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] user test authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) ? Evaluating (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE ++? if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) -> FALSE ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = LDAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group LDAP {...} [ldap] login attempt by "test" with password "hello" [ldap] user DN: CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com [ldap] (re)connect to server.example.com:389, authentication 1 [ldap] bind as CN=test,OU=Staff,OU=Employees,OU=Users,DC=example,DC=com/hello to server.example.com:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user test authenticated succesfully ++[ldap] returns ok Login OK: [test] (from client localhost port 0) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} expand: Enterasys:version=1:policy=%{control:Tmp-String-1} -> Enterasys:version=1:policy= ++[reply] returns noop ++[exec] returns noop Sending Access-Accept of id 225 to 127.0.0.1 port 43666 Filter-Id = "Enterasys:version=1:policy=" Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 225 with timestamp +8 Ready to process requests. ##radtest output: #radtest test hello localhost 0 testing123 Sending Access-Request of id 225 to 127.0.0.1 port 1812 User-Name = "test" User-Password = "hello" NAS-IP-Address = IP Address NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=225, length=49 Filter-Id = "Enterasys:version=1:policy=" Please correct me If I am doing something wrong. Thanks, -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-va... Sent from the FreeRadius - User mailing list archive at Nabble.com.
suggestme wrote:
I tried to return the value of Filter-ID as:
authorize { ... ldap
if (distinguishedName =~ /^[^,]+,OU=([^,]+),/) {
What's "distinguishedName" ? It's not a RADIUS attribute. Read "man unlang", which explains how the attributes && variables work.
In my active directory I have the attribute named "distinguishedName" which I am using inside "if" statement.
Right... so FreeRADIUS magically knows to go query LDAP when you type "distinguishedName"?
If I use "Ldap-UserDN" attribute inside "if" statement (as suggested) it says: "No attribute named Ldap-UserDN".
Because it's a control attribute.
*Why this "if" condition is being evaluated as FALSE?*
Because FreeRADIUS isn't an LDAP server, and doesn't have magic access to the internals of AD.
Please correct me If I am doing something wrong.
You need to query the LDAP server for information. The "rlm_ldap" documentation should describe this. Alan DeKok.
Thank you so much Alan for pointing out the mistake & suggesting the solution. Using: if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) *solved this issue.* Still trying to become more familiar with attributes and learning. In my understanding there are different attributes list as :request, reply, control, proxy-request, proxy-reply, outer.request, outer.reply, etc. Is there any way to see what attributes request list contains ; or reply list contains, etc. When searching I see the following FreeRadius site lists the attribute lists: http://freeradius.org/rfc/attributes.html But, is there any way to know what attributes is contained by what list. For example: Ldap-UserDN is inside control attribute list. How to figure out this? (It is not in the attributes list mentioned in above site) Is there any way to find it that I am unaware of ? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/How-to-return-Filter-ID-attribute-va... Sent from the FreeRadius - User mailing list archive at Nabble.com.
suggestme wrote:
Still trying to become more familiar with attributes and learning. In my understanding there are different attributes list as :request, reply, control, proxy-request, proxy-reply, outer.request, outer.reply, etc.
As I said before, see "man unlang". This is documented in excruciating detail.
Is there any way to see what attributes request list contains ; or reply list contains, etc. When searching I see the following FreeRadius site lists the attribute lists:
Those are attributes which go into RADIUS packets, and which are standardized as part of the RADIUS specifications.
But, is there any way to know what attributes is contained by what list. For example: Ldap-UserDN is inside control attribute list. How to figure out this? (It is not in the attributes list mentioned in above site) Is there any way to find it that I am unaware of ?
The rlm_ldap documentation? Alan DeKok.
participants (4)
-
Alan DeKok -
Phil Mayers -
suggestme -
suggestme IT