MSSCHAP auth + LDAP authorizaton
I have working radius - AD authentication via winbind (MSCHAP challnge-response). But I do not want to give all domain users ability to use VPN. I want to use special AD group. I have considered LDAP authorization. I've read this manual http://wiki.freeradius.org/Rlm_ldap and configured correct ldap bind values but now I'm pretty much lost How to tell freeradius, that after successful MSCHAP auth against AD it must browse AD via LDAP and check that te username belongs to specified group? Any suggestions of documentation that will help, would be appriciated. Andres Septer
Hello Andreas,
How to tell freeradius, that after successful MSCHAP auth against AD it must browse AD via LDAP and check that te username belongs to specified group?
I think, you need to write a script that makes sure that the user is part of a specific group. I would do that in perl, because it gets the job done fast. I copied and pasted such a script not so long time ago in csharp: using System.Collections.Generic; using System.DirectoryServices; namespace de.glanzmann.ActiveDirectoryGroupMembership { public class ActiveDirectoryGroupMembership { string ad_connection = "LDAP://ad.gmvl.de/DC=directory,DC=gmvl,DC=de"; string ad_username = "Administrator"; string ad_password = "password"; string RemoveADGroup(string name) { string[] ary = name.Split(new char[] { '\\' }); return ary[ary.Length - 1]; } string[] GetRolesForUser(string userName) { userName = RemoveADGroup(userName); return GetUserRoles(userName); } string[] GetUserRoles(string userName) { DirectoryEntry obEntry = new DirectoryEntry(ad_connection, ad_username, ad_password); DirectorySearcher srch = new DirectorySearcher(obEntry, "(sAMAccountName=" + userName + ")"); SearchResult res = srch.FindOne(); Dictionary<string, string> dictionary = new Dictionary<string, string>(); if (res != null) { DirectoryEntry obUser = new DirectoryEntry(res.Path, ad_username, ad_password); string rootPath = ad_connection; rootPath = rootPath.Substring(0, rootPath.LastIndexOf(@"/") + 1); GetMemberships(obUser, dictionary, rootPath); } string[] ary = new string[dictionary.Count]; dictionary.Values.CopyTo(ary, 0); return ary; } void GetMemberships(DirectoryEntry entry, Dictionary<string, string> dictionary, string rootPath) { List<DirectoryEntry> childrenToCheck = new List<DirectoryEntry>(); PropertyValueCollection children = entry.Properties["memberOf"]; foreach (string childDN in children) { if (! dictionary.ContainsKey(childDN)) { DirectoryEntry obGpEntry = new DirectoryEntry(rootPath + childDN, ad_username, ad_password); string groupName = obGpEntry.Properties["sAMAccountName"].Value.ToString(); dictionary.Add(childDN, groupName); childrenToCheck.Add(obGpEntry); } } foreach (DirectoryEntry child in childrenToCheck) { GetMemberships(child, dictionary, rootPath); } } public bool IsUserInRole(string username, string roleName) { string[] ary = GetRolesForUser(username); foreach (string s in ary) { if (roleName.ToLower() == s.ToLower()) { return true; } } return false; } } } You can copy the logic and put it into perl. Source: http://www.codeproject.com/Articles/36670/Active-Directory-Forms-Authenticat... Cheers, Thomas
On Tue, Apr 03, 2012 at 11:24:04AM +0200, Thomas Glanzmann wrote:
How to tell freeradius, that after successful MSCHAP auth against AD it must browse AD via LDAP and check that te username belongs to specified group?
I think, you need to write a script that makes sure that the user is part of a specific group. I would do that in perl, because it gets the
Why do in perl what you can do in FR directly? That will just slow things down. The LDAP module can be configured for group lookups - look about half way down modules/ldap, you'll find the group settings. Check radiusd -X to see what it's doing, as usual. Use unlang in your inner-tunnel authorize section to check the ldap group, something along the lines of (very untested): if (!(Ldap-group == 'cn=group,dc=example,dc=com')) { reject } Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Il 03/04/2012 11:05, Andres Septer ha scritto:
I have working radius - AD authentication via winbind (MSCHAP challnge-response). But I do not want to give all domain users ability to use VPN. I want to use special AD group. [...] Any suggestions of documentation that will help, would be appriciated. From "man ntlm_auth": --require-membership-of={SID|Name} Require that a user be a member of specified group (either name or SID) for authentication to succeed.
Just change your call to ntlm_auth accordingly. Should be faster if you specify SID (one less 'internal lookup'). HIH, Diego.
participants (4)
-
Andres Septer -
Matthew Newton -
NdK -
Thomas Glanzmann