Can I get group-name from Active-directory?
FreeRADIUS 1.1.6 + samba-tools + active-directory. Can I get user's group-name by rlm_ldap? How? Following is result of ldap-search.(Using ldap client) # Paul Le, Users, test.com dn: CN=Paul Le,CN=Users,DC=test,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Paul Le sn: Levasseur distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com instanceType: 4 whenCreated: 20061118204047.0Z whenChanged: 20061120041505.0Z displayName: Paul Levasseur uSNCreated: 53309 memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com uSNChanged: 61454 name: Paul Levasseur objectGUID:: TWcfmIP0S0KptrqNYMartA== userAccountControl: 512 badPwdCount: 1 codePage: 0 countryCode: 0 badPasswordTime: 128083593151710000 lastLogoff: 0 lastLogon: 0 pwdLastSet: 128084630849843750 primaryGroupID: 513 userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgI CAg objectSid:: AQUAAAAAAAUVAAAAFhovX/CrURQfMAbsYQQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: paull sAMAccountType: 805306368 msNPAllowDialin: TRUE --------------------------------- 天生购物狂,狂抢购物券,你还等什么!
From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Hangjun He Sent: Monday, 17 December 2007 18:32 To: FreeRadius users mailing list Subject: Can I get group-name from Active-directory? FreeRADIUS 1.1.6 + samba-tools + active-directory. Can I get user's group-name by rlm_ldap? How? Following is result of ldap-search.(Using ldap client) # Paul Le, Users, test.com dn: CN=Paul Le,CN=Users,DC=test,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Paul Le sn: Levasseur distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com instanceType: 4 whenCreated: 20061118204047.0Z whenChanged: 20061120041505.0Z displayName: Paul Levasseur uSNCreated: 53309 memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com uSNChanged: 61454 name: Paul Levasseur objectGUID:: TWcfmIP0S0KptrqNYMartA== In radiusd.conf set the ldap group parameters: groupname_attribute = memberOf groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" If you prefer you can use sAMAccountName instead of cn, or even both: groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-Us er-Name:-%{User-Name}}))" Regards, Frank Ranner
I add group parameters in rlm_ldap section. Seems freeradius not do group search. groupname_attribute = memberOf groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" Anything else I need to configure in radiusd.conf? Waking up in 4 seconds... rad_recv: Access-Request packet from host 10.155.20.84:1107, id=76, length=207 User-Name = "hhe" NAS-IP-Address = 10.155.20.84 NAS-Identifier = "AH-000030" NAS-Port = 0 Called-Station-Id = "00-19-77-00-00-34:hhe" Calling-Station-Id = "00-19-E0-80-A5-5A" Framed-MTU = 1500 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0209002b1900170301002040c3edccfa02df3abe7e25e10b19562d21e7cb9ae131741e2072d61ea88ada83 State = 0xaa50cdb6191621d7112990ba865f4031 Message-Authenticator = 0xb16d6265031bcb1157450cdbef3d80b4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "hhe", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Proxying request from user hhe to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 9 length 43 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 rlm_ldap: - authorize rlm_ldap: performing user authorization for hhe radius_xlat: '(sAMAccountName=hhe)' radius_xlat: 'cn=users,dc=aerohive, dc=com' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=users,dc=aerohive, dc=com, with filter (sAMAccountName=hhe) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user hhe authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 9 modcall: leaving group authenticate (returns ok) for request 9 Sending Access-Accept of id 76 to 10.155.20.84 port 1107 MS-MPPE-Recv-Key = 0x03ee0b3dcbfc176840b2fd59f80ea717e985f078073c8aec6443244ff871091d MS-MPPE-Send-Key = 0x55a504ccb0cb76ee9bda1bd4e5ec48cf4c27fe94c9e086bc990ed0f0f1650f92 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "hhe" Finished request 9 "Ranner, Frank MR" <Frank.Ranner@defence.gov.au> 写道: From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Hangjun He Sent: Monday, 17 December 2007 18:32 To: FreeRadius users mailing list Subject: Can I get group-name from Active-directory? FreeRADIUS 1.1.6 + samba-tools + active-directory. Can I get user's group-name by rlm_ldap? How? Following is result of ldap-search.(Using ldap client) # Paul Le, Users, test.com dn: CN=Paul Le,CN=Users,DC=test,DC=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: Paul Le sn: Levasseur distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com instanceType: 4 whenCreated: 20061118204047.0Z whenChanged: 20061120041505.0Z displayName: Paul Levasseur uSNCreated: 53309 memberOf: CN=WirelessUsers,CN=Users,DC=test,DC=com uSNChanged: 61454 name: Paul Levasseur objectGUID:: TWcfmIP0S0KptrqNYMartA== In radiusd.conf set the ldap group parameters: groupname_attribute = memberOf groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" If you prefer you can use sAMAccountName instead of cn, or even both: groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-Us er-Name:-%{User-Name}}))" Regards, Frank Ranner - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --------------------------------- 雅虎邮箱传递新年祝福,个性贺卡送亲朋! --------------------------------- 雅虎邮箱传递新年祝福,个性贺卡送亲朋!
________________________________ From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Hangjun He Sent: Wednesday, 19 December 2007 19:32 To: FreeRadius users mailing list Subject: RE: Can I get group-name from Active-directory? [sec=unclassified] I add group parameters in rlm_ldap section. Seems freeradius not do group search. groupname_attribute = memberOf groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" Anything else I need to configure in radiusd.conf? Yes, you need 'files' enabled in authorize section, then in raddb/users to need to set check rules against your groups # Keep managers out of technical things DEFAULT Ldap-Group == "Managers", Auth-Type := Reject # network operations members have admin access to entire network, see ldap for access details # DEFAULT Ldap-Group == "netops", User-Profile:='cn=netops,ou=profiles,dc=demo,dc=com' # Regular users can access network systems by being in the appropriate ldap group # DEFAULT Ldap-Group == `%{Huntgroup-Name}` Access-Level := RW, Service-Type = Administrative-User, Cisco-AVPair := "shell:priv-lvl=15" Try and keep your rules to a minimum as each Ldap-Group line generates an ldap search. The rule most likely to succeed should be tried earlier. The technique above is efficient because huntgroup/usergroup only needs one test. Otherwise you would need to do: DEFAULT Huntgroup-Name == 'sales', Ldap-Group == 'sales' ... DEFAULT Huntgroup-Name == 'marketing', Ldap-Group == 'marketing' ... Anyway, the answer is the ldap group lookups don't happen until you ask for it, and you ask for it in 'users' by comparing Ldap-Group with something. Regards, Frank Ranner
participants (2)
-
Hangjun He -
Ranner, Frank MR