LDAP Authentication bind as user issue
This is exactly what I want, from the docs: "If the administrator wishes to use rlm_ldap only for authentication or does not wish to populate the identity,password configuration attributes he can set this attribute by other means and avoid the ldap search completely. For instance it can be set through the hints file in the authorize section: DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`" I followed this and cannot make it work. Configs/Tests/Results to follow… The LDAP module stays the same for these tests. I want to use LDAPs over port 636. I want to authenticate the user only, preferably binding as the user. ldap ldap.netid { server = "netid-dev.<redacted>.ca" port = 636 basedn = "dc=netid,dc=<redacted>,dc=ca" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" password_attribute = "userPassword" } ----------------------------------------- What we want to see:
Sending proxied request internally to virtual server. server net_id { # Executing section authorize from file /etc/raddb/sites-enabled/net_id +- entering group authorize {...} [files] users: Matched entry DEFAULT at line 3 ++[files] returns ok Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/net_id +- entering group LDAP {...} [ldap.netid] login attempt by "<redacted>" with password "TEST" [ldap.netid] user DN: uid=<redacted>,ou=people,dc=netid,dc=<redacted>,dc=ca [ldap.netid] (re)connect to netid-dev.<redacted>.ca:636, authentication 1 [ldap.netid] setting TLS mode to 1 [ldap.netid] bind as uid=<redacted>,ou=people,dc=netid,dc=<redacted>,dc=ca/TEST to netid-dev.<redacted>.ca:636 [ldap.netid] waiting for bind result ... [ldap.netid] Bind was successful [ldap.netid] user <redacted> authenticated successfully ++[ldap.netid] returns ok Login OK: [<redacted>] (from client localhost port 10 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. } # server net_id Going to the next request <<< Received proxied response code 2 from internal virtual server. # Executing section post-proxy from file /etc/raddb/sites-enabled/default +- entering group post-proxy {...} ++[post_proxy_log] returns noop [eap] No pre-existing handler found ++[eap] returns noop Found Auth-Type = LDAP Found Auth-Type = Accept Warning: Found 2 auth-types on request for user '<redacted>' Auth-Type = Accept, accepting the user Login OK: [<redacted>@netid.<redacted>.ca] (from client localhost port 10)
BUT this is bad because as you can see in line 5, I've cheated to populate the DN. In the users file, I have: DEFAULT Auth-Type := LDAP, Ldap-UserDN := `uid=realusername,ou=people,dc=netid,dc=<redacted>,dc=ca` Obviously this is no good because we need to authenticate hundreds of people. I tried setting the uid in the line above with the User-Name variable and that didn't fly; it doesn't get expanded. The server for this test: server net_id { authorize { files } authenticate { files Auth-Type LDAP { ldap.netid } } } ----------------------------------------- This is what happens when I try using the hints file as suggested in the docs: users - DEFAULT Auth-Type := LDAP hints - DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=netid,dc=<redacted>,dc=ca` server net_id { authorize { # I left files here to set the Auth-Type, I also tried removing files and adding the default auth-type to hints, which didn't work either. files preprocess } authenticate { Auth-Type LDAP { ldap.netid } } } Results: # Executing section authorize from file /etc/raddb/sites-enabled/net_id +- entering group authorize {...} [files] users: Matched entry DEFAULT at line 3 ++[files] returns ok [preprocess] hints: Matched DEFAULT at 36 ++[preprocess] returns ok Found Auth-Type = LDAP # Executing group from file /etc/raddb/sites-enabled/net_id +- entering group LDAP {...} [ldap.netid] login attempt by "<redacted>" with password "TEST" [ldap.netid] expand: %{Stripped-User-Name} -> <redacted> [ldap.netid] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=<redacted>) [ldap.netid] expand: dc=netid,dc=<redacted>,dc=ca -> dc=netid,dc=<redacted>,dc=ca [ldap.netid] ldap_get_conn: Checking Id: 0 [ldap.netid] ldap_get_conn: Got Id: 0 [ldap.netid] attempting LDAP reconnection [ldap.netid] (re)connect to netid-dev.<redacted>.ca:636, authentication 0 [ldap.netid] setting TLS mode to 1 [ldap.netid] bind as / to netid-dev.<redacted>.ca:636 [ldap.netid] waiting for bind result ... [ldap.netid] Bind was successful [ldap.netid] performing search in dc=netid,dc=<redacted>,dc=ca, with filter (uid=<redacted>) [ldap.netid] ldap_search() failed: Insufficient access. Check the identity and password configuration directives. [ldap.netid] ldap_release_conn: Release Id: 0 ++[ldap.netid] returns fail Failed to authenticate the user. Login incorrect: [<redacted>] (from client localhost port 10 via TLS tunnel) This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route. If anyone has suggestions or comments they would be greatly appreciated. Dave -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Authentication-bind-as-user-iss... Sent from the FreeRadius - User mailing list archive at Nabble.com.
This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route.
If anyone has suggestions or comments they would be greatly appreciated.
How I did it (assuming your using AD as the backend) .. is just create a user account to bind with to do the search (to locate the DN). It does not need to be an admin user, unless you have torqued down the permissions inside AD. This allows bind as the defined user (to search for the DN of the striped-user-name) and then rebind as that DN. ldap { server = "mydc.foocorp.com" identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com" password = imnotgoingtotellyou basedn = "dc=foocorp,dc=com" filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" .. } Cheers, Michael Holstein Cleveland State University
-----Original Message----- From: freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org [mailto:freeradius-users-bounces+scott=renshawauto.net@lists.freeradius.org] On Behalf Of Michael Holstein Sent: Friday, September 09, 2011 10:30 AM To: FreeRadius users mailing list Subject: Re: LDAP Authentication bind as user issue
This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route.
If anyone has suggestions or comments they would be greatly appreciated.
How I did it (assuming your using AD as the backend) .. is just create a user account to bind with to do the search (to locate the DN). It does not need to be an admin user, unless you have torqued down the permissions inside AD. This allows bind as the defined user (to search for the DN of the striped-user-name) and then rebind as that DN. ldap { server = "mydc.foocorp.com" identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com" password = imnotgoingtotellyou basedn = "dc=foocorp,dc=com" filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Na me}}))" .. } Cheers, Michael Holstein Cleveland State University - Michael, Would this work if my AD users were in different OU's? I have my users broken out into respective location and department OU's. Such as user FOO is in both an OU of KY-Sales AND an OU of KY. They are not under the normal 'users' area. Thanks, Scott
Thank you for the response, but I'd rather not do it that way. The documentation suggests that what I want is possible, and it would be ideal for this situation. Any more ideas? Many thanks, Dave -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Authentication-bind-as-user-iss... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I've tried a few more things and still no luck... Please help! Best, Dave -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Authentication-bind-as-user-iss... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 12 Sep 2011, at 02:26, DaveA wrote:
I've tried a few more things and still no luck...
Yes you need run the ldap module's authenticate method. There's a configuration option in LDAP which allows it to set Auth-Type LDAP, that needs to be set to yes. Then you need to create an Auth-Type LDAP { } stanza in the authentication section (if it doesn't already exist) and list the LDAP module. This can only work with PAP and tunnelled PAP (EAP-TTLS-PAP). -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Waging war on ignorance and apathy one Access-Challenge at a time.
Ive already set Auth-Type := LDAP by putting it in the users file. As for the rest, I have what you suggest... authenticate { Auth-Type LDAP { ldap.netid } Dave -- View this message in context: http://freeradius.1045715.n5.nabble.com/LDAP-Authentication-bind-as-user-iss... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (4)
-
Arran Cudbard-Bell -
DaveA -
Michael Holstein -
Scott Hughes