group membership on LDAP/AD servers
Hello, I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e.group membership checking, through ldap protocol) Authentication is made forcing Auth-Type according to User-Name in the authorize section through a regex if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := ldap } } and it works, as i can authenticate user scailotto on 389ds and stefano.cailotto on AD with ntlm_auth. Authorization too works flawlessly if In the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto) The main problem arises when radius tries to match group membership for the user, as it always points to AD server. I tried to play with group statements to force using both servers, but with no success. If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac" Juniper-Local-User-Name="level15", Unisphere-Alternate-Cli-Access-Level="15" and so a match between user and groups must be made. My default file is as follows: authorize { preprocess auth_log if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := ldap } } group { ldap1{ fail=1 notfound=1 } ad_corporate_1{ fail=1 notfound=1 } } files pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix Auth-Type ldap { redundant { ldap1 ldap2 } } Auth-Type ntlm_auth { ntlm_auth } eap } . . . So, my question is: is there a way to force querying a specific server, according to Auth-Type or User-Name?i.e. User-Name = scailotto -> Auth-Type = ldap -> search group membership on ldap1 User-Name = stefano.cailotto -> Auth-Type = ntlm_auth -> search group membership on ad_corporate_1 (using ldap protocol) I suppose it should somehow be forced in the users files, but can't figure out how... TIA, Stefano -- Stefano Cailotto --------------------------------------------------------------------------- EDALab s.r.l. - Networked Embedded Systems Sede operativa: Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy Sede legale: Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy C.F./P.IVA/Iscr. Reg. Imprese di Verona n. 03706250234 Numero REA: VR - 358813 Capitale sociale: 10.000 euro --------------------------------------------------------------------------- email: stefano.cailotto@edalab.it web: http://www.edalab.it | https://www.box-io.com skype: stefano.cailotto tel: +39-045-257-0357 mobile: +39-391-731-0244 ---------------------------------------------------------------------------
On Jul 25, 2019, at 5:29 AM, Stefano Cailotto [EDALab] <stefano.cailotto@edalab.it> wrote:
I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e.group membership checking, through ldap protocol) ... Authorization too works flawlessly if In the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto)
So you've set up two instances of the "ldap" module?
The main problem arises when radius tries to match group membership for the user, as it always points to AD server.
If you have two instances of the LDAP module, you can do group checking on a per-module basis. i.e. if you have: ldap ldap1 { ... } ldap ad_corporate_1 { ... } Then you can do group checking with: ldap1-LDAP-Group == ... and ad_corporate_1-LDAP-Group == ...
I tried to play with group statements to force using both servers, but with no success.
If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like
DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
LDAP-Goup will just use the "ldap { ... } " module configuration. Alan DeKok.
So far so good... I succeeded in what I needed. I implemented the solution also with redundancy (389ds_{1,2} and ad_corporate_{1,2} are 2+2 servers), configuring as follows: authorize { if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := 389DS } } #389DS group { redundant { 389ds_1 389ds_2 } } #AD_CORPORATE { # redundant AD_CORPORATE { group { redundant { ad_corporate_1 ad_corporate_2 } } } authenticate { Auth-Type 389DS { redundant-load-balance { 389ds_1 389ds_2 } } Auth-Type ntlm_auth { ntlm_auth } } I noticed that when defining the <server>-Ldap_Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails: is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)? Moreover, as my system performs a configuration check (-C) before restarting, i get the following error: /etc/freeradius/users.sql[1]: Parse error (check) for entry DEFAULT: Unknown attribute "389ds_1-Ldap-Group" requires a hex string, not "accesso" Freeradius starts and works correctly, is there a way to avoid that error? Thanks again for your previous help. S. On 7/25/19 2:13 PM, Alan DeKok wrote:
On Jul 25, 2019, at 5:29 AM, Stefano Cailotto [EDALab] <stefano.cailotto@edalab.it> wrote:
I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e.group membership checking, through ldap protocol) ... Authorization too works flawlessly if In the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto) So you've set up two instances of the "ldap" module?
The main problem arises when radius tries to match group membership for the user, as it always points to AD server. If you have two instances of the LDAP module, you can do group checking on a per-module basis.
i.e. if you have:
ldap ldap1 { ... }
ldap ad_corporate_1 { ... }
Then you can do group checking with:
ldap1-LDAP-Group == ...
and
ad_corporate_1-LDAP-Group == ...
I tried to play with group statements to force using both servers, but with no success.
If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like
DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac" LDAP-Goup will just use the "ldap { ... } " module configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefano Cailotto --------------------------------------------------------------------------- EDALab s.r.l. - Networked Embedded Systems Sede operativa: Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy Sede legale: Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy C.F./P.IVA/Iscr. Reg. Imprese di Verona n. 03706250234 Numero REA: VR - 358813 Capitale sociale: 10.000 euro --------------------------------------------------------------------------- email: stefano.cailotto@edalab.it web: http://www.edalab.it | https://www.box-io.com skype: stefano.cailotto tel: +39-045-257-0357 mobile: +39-391-731-0244 ---------------------------------------------------------------------------
On Jul 26, 2019, at 7:50 AM, Stefano Cailotto [EDALab] <stefano.cailotto@edalab.it> wrote:
So far so good... I succeeded in what I needed.
I implemented the solution also with redundancy (389ds_{1,2} and ad_corporate_{1,2} are 2+2 servers), configuring as follows:
authorize {
if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } } else{ update control { Auth-Type := 389DS } } #389DS group { redundant { 389ds_1 389ds_2 } }
#AD_CORPORATE { # redundant AD_CORPORATE { group { redundant { ad_corporate_1 ad_corporate_2 } }
I don't think that's right. You're *always* checking *both* LDAP servers. You should instead check 389DS only for the 389DS users. e.g. if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) { update control { Auth-Type := ntlm_auth } #AD_CORPORATE { # redundant AD_CORPORATE { group { redundant { ad_corporate_1 ad_corporate_2 } } } else{ update control { Auth-Type := 389DS } #389DS group { redundant { 389ds_1 389ds_2 } } } }
I noticed that when defining the <server>-Ldap_Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails:
Yes.
is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)?
Unfortunately, no.
Moreover, as my system performs a configuration check (-C) before restarting, i get the following error:
/etc/freeradius/users.sql[1]: Parse error (check) for entry DEFAULT: Unknown attribute "389ds_1-Ldap-Group" requires a hex string, not "accesso"
Freeradius starts and works correctly, is there a way to avoid that error?
Probably just upgrade. You're likely running an old version of the server. Alan DeKok.
I noticed that when defining the <server>-Ldap_Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails:
Yes.
is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)?
Unfortunately, no.
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail... Set the same cache attribute for each module, and enable cacheable_name or cacheable_dn. Whichever module is called in the redundant section will populate the group list, which you can then check in unlang. -Arran
Thanks, unfortunately I'm using 2.2.8 (and my customer doesn't want to upgrade at the moment (as for Alan's previous reply). On 7/26/19 5:14 PM, Arran Cudbard-Bell wrote:
I noticed that when defining the <server>-Ldap_Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails: Yes.
is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)? Unfortunately, no. https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-avail...
Set the same cache attribute for each module, and enable cacheable_name or cacheable_dn.
Whichever module is called in the redundant section will populate the group list, which you can then check in unlang.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Stefano Cailotto --------------------------------------------------------------------------- EDALab s.r.l. - Networked Embedded Systems Sede operativa: Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy Sede legale: Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy C.F./P.IVA/Iscr. Reg. Imprese di Verona n. 03706250234 Numero REA: VR - 358813 Capitale sociale: 10.000 euro --------------------------------------------------------------------------- email: stefano.cailotto@edalab.it web: http://www.edalab.it | https://www.box-io.com skype: stefano.cailotto tel: +39-045-257-0357 mobile: +39-391-731-0244 ---------------------------------------------------------------------------
On Jul 26, 2019, at 11:49 AM, Stefano Cailotto [EDALab] <stefano.cailotto@edalab.it> wrote:
unfortunately I'm using 2.2.8 (and my customer doesn't want to upgrade at the moment (as for Alan's previous reply).
Well, it can't be fixed, then. There's just no reason to run a version of the server that's EOL, and is 4 years out of date. Alan DeKok.
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
Stefano Cailotto [EDALab]