LDAP(Active Directory) password AND groups not working together
I'm pretty sure the problem lies in my interpretation of the users file documentation, but I'm now stuck. The aim is to authenticate users to their MS active directory account via LDAP, and then check that the user is a member of the WirelessVPN group -- if these two conditions meet then the user is granted access. What's happening at the moment is as long as the user EXISTS the authentication will pass, even if the password is incorrect. If the useraccount does not exist it will fail. Output from debug during a CORRECT username but INCORRECT password (blablalba): rad_recv: Access-Request packet from host 10.200.148.49:3678, id=81, length=50 User-Name = "radiustest" User-Password = "blablabla" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_ldap: - authorize rlm_ldap: performing user authorization for radiustest radius_xlat: '(&(sAMAccountname=radiustest)(objectClass=person))' radius_xlat: 'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(sAMAccountname=radiustest)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user radiustest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "radiustest", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar' radius_xlat: '(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(cn=RadiusWirelessVPN)(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))) rlm_ldap::ldap_groupcmp: User found in group RadiusWirelessVPN rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 216 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type Accept rad_check_password: Auth-Type = Accept, accepting the user radius_xlat: 'You are now connected FooBar Network.' Sending Access-Accept of id 81 to 10.200.148.49:3678 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Reply-Message = "You are now connected to the FooBar Network" Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 81 with timestamp 449f618f Nothing to do. Sleeping until we see a request. Configuration: radiusd.conf --- ## LDAP lookup to Microsoft Active Directory (2003) ldap { server = "Foobar.com" identity = "ServiceAccount@Foobar" password = "xxxx" basedn = "OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar" filter = "(&(sAMAccountname=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))" timeout = 40 timelimit = 30 net_timeout = 10 # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))" groupmembership_attribute = "memberOf" } users --- DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN", Auth-Type := Accept Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, Reply-Message = "You are now connected to FooBar", DEFAULT Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again."
On 6/26/06, duckeo <duckeo@gmail.com> wrote:
The aim is to authenticate users to their MS active directory account via LDAP, and then check that the user is a member of the WirelessVPN group -- if these two conditions meet then the user is granted access.
What's happening at the moment is as long as the user EXISTS the authentication will pass, even if the password is incorrect. If the useraccount does not exist it will fail.
Found the problem, looks like I'm not supposed to have Auth-Type := Accept at the end of the lines? I now have: # successful, user has LDAP password and Group access DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255 # User does not have the correct password DEFAULT Auth-Type != LDAP, Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again." # User is not a member of the correct group DEFAULT Ldap-Group == "RadiusWirelessVPN", Auth-Type := Reject Reply-Message = "Access Rejected - You do not have permission to log onto this service." #default reject DEFAULT Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again." Is this the correct way to be handling errors? Functionally it works but it is not sending back the correct messages (i.e. hitting the correct rule) upon failing
On 6/26/06, duckeo <duckeo@gmail.com> wrote:
Some random garbage
Okay solved a few issues but found a few more - realised I had a typo in the above post and corrected that. The thing issue remaining is still the handling of failures. The debug output seems to indicate a Auth-Type reject is present, but not matching it to the user file. I've tried simplfying things a bit: Users file: DEFAULT Auth-Type := LDAP, Ldap-Group == "RadiusWirelessVPN" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, DEFAULT Auth-Type := Reject Reply-Message = "Access Rejected - Please check your username and password and try again." Debug output upon VALID user with incorrect password: rad_recv: Access-Request packet from host 10.200.148.49:4885, id=206, length=50 User-Name = "radiustest" User-Password = "radiustest1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for radiustest radius_xlat: '(&(sAMAccountname=radiustest)(objectClass=person))' radius_xlat: 'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(sAMAccountname=radiustest)(objectClass=person)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user radiustest authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar' radius_xlat: '(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar, with filter (&(cn=RadiusWirelessVPN)(&(objectClass=group)(member=CN=Test\\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar))) rlm_ldap::ldap_groupcmp: User found in group RadiusWirelessVPN rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 219 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns ok for request 2 rad_check_password: Found Auth-Type LDAP auth: type "LDAP" Processing the authenticate section of radiusd.conf modcall: entering group Auth-Type for request 2 rlm_ldap: - authenticate rlm_ldap: login attempt by "radiustest" with password "radiustest1" rlm_ldap: user DN: CN=Test\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar rlm_ldap: (re)connect to foo.bar.foo.bar:389, authentication 1 rlm_ldap: bind as CN=Test\, Radius,OU=testing,OU=Domain Users,DC=foo,DC=bar,DC=foo,DC=bar/radiustest1 to foo.bar.foo.bar:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece modcall[authenticate]: module "ldap" returns reject for request 2 modcall: group Auth-Type returns reject for request 2 auth: Failed to validate the user. Delaying request 2 for 1 seconds Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 206 to 10.200.148.49:4885 Reply-Message = "80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece" Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 206 with timestamp 449f945f Nothing to do. Sleeping until we see a request. The thing that puzzles me is: rlm_ldap: ldap_release_conn: Release Id: 0 users: Matched entry DEFAULT at line 219 It matches a DEFAULT line in users, but doesn't send the reply? It continues to try to authenticate the user, and on the second time fails to bind (due to incorrect credentials) and doesn't match the line in Users: rlm_ldap: Bind failed with invalid credentials rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece modcall[authenticate]: module "ldap" returns reject for request 2 modcall: group Auth-Type returns reject for request 2 auth: Failed to validate the user. And instead sends back via radius (in an Access-Reject packet): Reply-Message=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece Any ideas on this one?
duckeo wrote:
It matches a DEFAULT line in users, but doesn't send the reply? It
You're misunderstanding how FreeRadius works when processing the request I think. Broadly, it does this (the behaviour can be changed - see doc/configureable_failover for details): 1a. For each entry in "authorize": execute module if reject: send reject and stop else go to next module 1b. If Autz-Type has been set, repeat 1a for the matching Autz-Type subsection of authorize 2. Execute exactly one section from "authenticate" to actually process the request I'm not entirely certain, but I think you're expecting that your: DEFAULT Auth-Type := Reject Reply-Message = "some text" ...will be used if/when the request is rejected, which is not so. The entries in the users file are processed in order until one matches. If that entry matched, it would immediately reject the request. There is not AFAIK an easy way to set the Reply-Message in a reject generated by the ldap module. It can almost certainly be done - see doc/configureable_failover - but why bother. Also, you're setting Auth-Type. With the exception of setting it to Reject and some specialised cases, you do not usually want to do that. See copious comments about such in the list archives. In your case, your users file need only read: DEFAULT Ldap-Group == "RadiusWirelessVPN" Service-Type = Framed, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Framed-IP-Netmask = 255.255.255.255, DEFAULT Auth-Type := Reject Reply-Message = "You are not in the VPN group"
continues to try to authenticate the user, and on the second time fails to bind (due to incorrect credentials) and doesn't match the line in Users:
Yes, because FreeRadius is long done with matching the users file by that point.
rlm_ldap: Bind failed with invalid credentials rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece modcall[authenticate]: module "ldap" returns reject for request 2 modcall: group Auth-Type returns reject for request 2 auth: Failed to validate the user.
And instead sends back via radius (in an Access-Reject packet): Reply-Message=80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
I agree returning this isn't terribly helpful (then again, it isn't a terribly helpful error message from AD, but I've come to expect that). If you really must change the text of this reply message, you could try executing an attr_rewrite module in the post-auth section, REJECT sub-section, like so (untested): modules { attr_rewrite aderrmsg { attribute = Reply-Message searchin = reply searchfor = "^.*$" replacewith = "password incorrect" } } authorize { ..blah.. } authenticate { ..blah.. } post-auth { Post-Auth-Type REJECT { aderrmsg } }
participants (2)
-
duckeo -
Phil Mayers