Hello all. Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? That would allow to search for group membership without spawning more processes... Tks, Diego.
NdK wrote:
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time?
No. The LDAP API doesn't support that.
That would allow to search for group membership without spawning more processes...
Huh? You can configure AD as an LDAP server, and do group membership checks. All you need is a read-only administrator account. Alan DeKok.
On 10/02/12 14:38, NdK wrote:
Hello all.
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time?
This question does not make sense. Joining a domain doesn't "obtain a kerberos ticket". It creates a machine account principal, and a shared secret (password) that can *in future* be used to obtain kerberos tickets.
That would allow to search for group membership without spawning more processes...
Three points: First, you can do that now. Just create a service account in AD for searching LDAP, and set the bind DN. Secondly, checking group membership over LDAP in AD is not as simple as you might think. Nested groups and primary group ID are the two main problems. Thirdly, why do you assume that spawning a process is undesirable? Have you tested it to see which is slower? If you say what you're trying to accomplish rather than how, it might be a bit clearer.
Il 10/02/2012 16:21, Phil Mayers ha scritto:
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? This question does not make sense. Joining a domain doesn't "obtain a kerberos ticket". It creates a machine account principal, and a shared secret (password) that can *in future* be used to obtain kerberos tickets. Yep. Sorry. Tried to "condense" too much :(
First, you can do that now. Just create a service account in AD for searching LDAP, and set the bind DN. Can't create "users" in AD. Just machine accounts. Maybe it's possible to use the (or "a dedicated") *machine* account credentials?
Secondly, checking group membership over LDAP in AD is not as simple as you might think. Nested groups and primary group ID are the two main problems. I know: about 5-6 years ago I wrote a lot of PHP code that did exactly that. A nightmare. But doable. At least in PHP.
Thirdly, why do you assume that spawning a process is undesirable? Have you tested it to see which is slower? Reading FR docs it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.
If you say what you're trying to accomplish rather than how, it might be a bit clearer. Trying to avoid a script (1st exec of "bash") that does a "net ads search" (2nd exec), filters output with "sed" (it's been not too hard to write a script that does "grep", too -- 3rd exec).
I need to determine if/what to return in 'access-accept' when an user authenticates to a switch. - students (determined by *domain* membership) receive a VLAN membership - administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANS configured for that switch port, as said on the wiki for HPs) - "regular" users receive VLAN membership for a different VLAN than students (preventing 'em to tamper with administration VLAN) BYtE, Diego.
NdK wrote:
Can't create "users" in AD. Just machine accounts.
That's a local policy which can be changed. AD is perfectly capable of creating read-only administrator accounts. It's what everyone else does.
Maybe it's possible to use the (or "a dedicated") *machine* account credentials?
No.
Reading FR docs it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.
Yes.
I need to determine if/what to return in 'access-accept' when an user authenticates to a switch.
See the switch documentation for what to return in an Access-Accept. Every switch vendor has their own idea of what is "normal".
- students (determined by *domain* membership) receive a VLAN membership - administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANS configured for that switch port, as said on the wiki for HPs) - "regular" users receive VLAN membership for a different VLAN than students (preventing 'em to tamper with administration VLAN)
That should all be straightforward. Write a shell script which implements those rules. Test it. Port the same rules to the internal FreeRADIUS LDAP module && unlang. Alan DeKok.
If you are looking to assign users network permissions may I suggest you look into the open source enterprise NAC called PacketFence, we are using it with great success. No use reinventing the wheel, especially when you can get a really tricked out wheel for free : ) Jake Sallee Godfather of Bandwidth Network Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________________ From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] on behalf of Alan DeKok [aland@deployingradius.com] Sent: Friday, February 10, 2012 3:37 PM To: FreeRadius users mailing list Subject: Re: LDAP Binding NdK wrote:
Can't create "users" in AD. Just machine accounts.
That's a local policy which can be changed. AD is perfectly capable of creating read-only administrator accounts. It's what everyone else does.
Maybe it's possible to use the (or "a dedicated") *machine* account credentials?
No.
Reading FR docs it seems it's something to avoid whenever possible. Since there's an internal ldap module, I thought it could be possible to use it.
Yes.
I need to determine if/what to return in 'access-accept' when an user authenticates to a switch.
See the switch documentation for what to return in an Access-Accept. Every switch vendor has their own idea of what is "normal".
- students (determined by *domain* membership) receive a VLAN membership - administrators (determined by *domain* and *group* membership) receive *no* VLAN memberships (so they can access all the VLANS configured for that switch port, as said on the wiki for HPs) - "regular" users receive VLAN membership for a different VLAN than students (preventing 'em to tamper with administration VLAN)
That should all be straightforward. Write a shell script which implements those rules. Test it. Port the same rules to the internal FreeRADIUS LDAP module && unlang. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/10/2012 09:09 PM, NdK wrote:
Can't create "users" in AD. Just machine accounts. Maybe it's possible to use the (or "a dedicated") *machine* account credentials?
rlm_ldap just needs a bind DN. Any ldap DN with permissions to bind to the directory and execute the searches you need will suffice.
If you say what you're trying to accomplish rather than how, it might be a bit clearer. Trying to avoid a script (1st exec of "bash") that does a "net ads search" (2nd exec), filters output with "sed" (it's been not too hard to write a script that does "grep", too -- 3rd exec).
I need to determine if/what to return in 'access-accept' when an user authenticates to a switch.
You've really got several choices: 1. Use an "exec" module, ideally in post-auth so it's only run once. Whether it's written in shell, perl, C or something else is your choice. 2. Bulk-query the data from LDAP, cache it into a local SQL / text file, query that with rlm_sql / rlm_passwd. For optional extra points, use the incremental LDAP search facility to "tail" changes to LDAP. 3. Query in real-time using rlm_ldap. As said, you can't use kerberos for this, you'll need a bind DN. 4. Something else.
participants (4)
-
Alan DeKok -
NdK -
Phil Mayers -
Sallee, Stephen (Jake)