LDAP scope
Stefan Adams
stefan at borgia.com
Sat Jan 7 05:18:32 CET 2006
> Date: Thu, 05 Jan 2006 17:07:30 -0500
> From: Gary Algier <gaa at ulticom.com>
> Subject: Re: LDAP scope
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <43BD98A2.7000401 at ulticom.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Stefan Adams wrote:
> > Hi!
> >
> > Is it possible to specify a basedn of "dc=example,dc=com" with a scope
> > of "sub" so that my search filters can apply to both "ou=People" and
> > "ou=Computers" for example? It seems from my testing that the scope
> > is "one" by default.
> From my experience it is a scope of "sub" by default. My people are
Yup... It worked as sub for me! Was I dreaming or stupid, I dunno.
But I'm glad you told me sub should work, because then I tried it again.
> in the data store like:
> dn: uid=gaa,ou=people,dc=ulticom,dc=com
> and my ldap section of radius.conf is:
> ldap {
> server = "ldap.ulticom.com"
> basedn = "dc=ulticom,dc=com"
> filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
> do_xlat = yes
> base_filter = "(objectclass=*)"
> start_tls = no
> access_attr = "uid"
> dictionary_mapping = ${raddbdir}/ldap.attrmap
> ldap_connections_number = 5
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
>
> >
> > The reason I would like to do this is to have the check box in Windows
> > XP that says "Authenticate as computer..." checked. Doing this,
> > FreeRADIUS is first presented with the credentials of the computer
> > (host/name). Since I already have a computer account in ou=Computers,
> > I figure I'd just add a cn=host/name attribute and modify the filter
> > to be (|(uid=%{User-Name})(cn=%{User-Name})). But this can only work
> > with a basedn of "dc=example,dc=com" and a scope of sub.
> The thing to watch out for is the actual LDAP lookup may not be
> what you think. Without special regex matches or other tricks it
> will only look up your hostname. For instance with a user of "gaa"
> on host "malachite", the supplied user value is "MALACHITE\GAA".
> This then results in an LDAP lookup of (from radiusd -X):
> -----------------------------------------------------------------------------
> rlm_ldap: performing user authorization for MALACHITE\gaa
> radius_xlat: '(&(objectclass=person)(uid=MALACHITE))'
> radius_xlat: 'dc=ulticom,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> -----------------------------------------------------------------------------
>
> I tried to handle it with this:
>
> hints file:
> ...
> DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)"
> Hint = "8021XUSER",
> Stripped-User-Name = `${2}`
> ...
> users file:
> ...
> DEFAULT Hint == "8021XUSER"
> Fall-Through = 1
> ...
>
> This strips the hostname off, mostly. I see it do several "uid=gaa"
> lookups, then one "uid=MALACHITE" and then it fails. If you get it
> to work, let me know. All I want to do is look up the user.
I haven't tried the hints or users file method, but here's how I do it
and so far everything is working perfectly:
FreeRADIUS 1.1.0-pre0 (snapshot-20051220)
Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2
radiusd.conf:
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
modules {
unix {
radwtmp = ${logdir}/radwtmp
}
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
}
ldap {
server = "ldap.borgia.com"
identity = "cn=Manager,dc=borgia,dc=com"
password = Manager's password
basedn = "dc=borgia,dc=com"
filter = "(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"
base_filter = "(objectclass=radiusprofile)"
tls { ... }
access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
auto_header = no
access_attr_used_for_allow = yes
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
tls {
private_key_password = whatever
private_key_file = /etc/1x/server.pem
certificate_file = /etc/1x/server.pem
CA_file = /etc/1x/root.pem
dh_file = /etc/1x/DH
random_file = /etc/1x/random
include_length = yes
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
}
mschapv2 {
}
}
realm ntdomain {
format = prefix
delimiter = "\\"
}
preprocess {
:
with_ntdomain_hack = no
:
}
}
authorize {
preprocess
ntdomain
eap
ldap
}
authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}
clients.conf:
client 172.16.16.0/24 {
secret = whatever
shortname = ap
}
client 172.16.254.0/24 {
secret = whatever
shortname = server
}
proxy.conf:
realm LOCAL {
type = radius
authhost = LOCAL
accthost = LOCAL
}
realm DEFAULT {
type = radius
authhost = LOCAL
accthost = LOCAL
}
SSID Authorization (if I want to authorize a user via 802.1x against an existing
LDAP entry based on which SSID they are connecting to):
modules {
ldap {
filter = "(&(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))(radiusCalledStationId=%{Called-Station-ID}))"
}
attr_rewrite getssid {
attribute = Called-Station-Id
# may be "packet", "reply", "proxy", "proxy_reply" or "config"
searchin = packet
# Strip the MAC Address out of the Called-Station-ID
# Resulting in just the SSID
# My AP sends the:mac:add:ress:and:the:SSID
# All I want is the SSID
searchfor = ".................:"
replacewith = ""
ignore_case = yes
new_attribute = no
# max_matches = 10
# ## If set to yes then the replace string will be appended to th
# append = no
}
}
authorize {
:
eap
getssid
ldap
:
}
Windows XP:
Apply this Pre-SP3 Hotfix:
http://support.microsoft.com/?kbid=885453
Windows Network Connection Properties:
Preferred networks, [SSID] Properties:
Association:
Network Auth: WPA
Data Enc: AES
Authentication:
EAP Type: PEAP
[X] Authenticate as computer when computer information is
available (IF PC IS JOINED TO DOMAIN)
[ ] Authenticate as computer when computer information is
available (IF NOT JOINED)
Properties:
EAP-MS-CHAP v2
Configure:
[X] Automatically use my Windows logon name and Password (IF
PC IS JOINED TO DOMAIN)
[ ] Automatically use my Windows logon name and Password
(IF NOT JOINED)
[X] Enable Fast Reconnect
> If you want to use the hostname, how will you match the password? What
> credentials are you expecting it to pass? I was under the assumption
> that when you select "Authenticate as computer..." it expects to
> use certificates (I may be wrong here).
When the PC is joined to a Samba domain, a computer account is created
with uid=hostname$ and sambaNTPassword=xxxxxxxxx
When you authenticate as computer, windows sends host/hostname as the
User-Name and the password that, when encrypted, matches the
sambaNTPassword.
This has successfully connected me to 802.1x (Wired and WPA wireless)
as computer when joined to the domain. This allows me to login to the
domain using a domain account never before used on that computer so
that it is not cached. I'm sure the significance of this can be
realized.
> The format of the password when using the Windows domain style login
> is the Windows "encrypted" format (actually a hash, not encrypted,
> but you still can't recreate the clear text password). In the default
> configuration, this value is matched against the LDAP attribute
> "sambaNTPassword". This assumes that you are already using
> Samba for SMB/CIFS access. (I am).
|---> Of course!!! :)
> >
> > Thanks!
> > Stefan
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Gary Algier, WB2FWZ gaa at ulticom.com +1 856 787 2758
> Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
>
> Nielsen's First Law of Computer Manuals:
> People don't read documentation voluntarily.
>
>
> End of Freeradius-Users Digest, Vol 9, Issue 23
> ***********************************************
>
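The three request-handling steps this thread leans on (the "ntdomain" realm stripping DOMAIN\ off User-Name, the attr_rewrite that cuts the MAC off Called-Station-Id, and the ldap filter built from %{Stripped-User-Name:-%{User-Name}}) are easier to reason about when you can see the resulting LDAP search for a given request without standing up a RADIUS server. The Python below is an added example written for this page; it is not code from the thread, from FreeRADIUS or from Samba. It models those three steps, adds the RFC 4515 escaping that FreeRADIUS's xlat does for you but that any hand-built filter must do itself, and refuses to search when the Called-Station-Id does not carry a MAC prefix (the posted attr_rewrite silently cuts 18 characters whatever the AP sent). The function names, the sample User-Name / Called-Station-Id values and the MAC:SSID layout are assumptions made for the example.

```python
"""
Added example, not code from this thread or from FreeRADIUS: a small
Python model of three request-handling steps discussed in the thread,
so the LDAP search a given User-Name / Called-Station-Id would produce
can be checked offline.

  1. realm ntdomain { format = prefix, delimiter = "\\" }
     -> split "MALACHITE\\gaa" into a realm and Stripped-User-Name
  2. attr_rewrite getssid
     -> drop the leading "aa:bb:cc:dd:ee:ff:" from Called-Station-Id
  3. ldap { filter = "(&(|(uid=..)(cn=..))(radiusCalledStationId=..))" }
     -> build the filter, escaping metacharacters as RFC 4515 requires

The function names, the sample values and the MAC:SSID layout of
Called-Station-Id are assumptions made for this example.
"""
import re
from typing import Optional, Tuple

# MAC (six hex pairs, ':' or '-' separated), a ':' and then the SSID.
CALLED_STATION_RE = re.compile(
    r"^([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}):(.*)$"
)


def split_ntdomain(user_name: str, delimiter: str = "\\") -> Tuple[Optional[str], str]:
    """Model the 'ntdomain' realm: DOMAIN\\user -> ("DOMAIN", "user").

    Without the delimiter nothing is stripped and the second element equals
    User-Name, which is what %{Stripped-User-Name:-%{User-Name}} yields.
    A machine account name such as "host/malachite" contains no backslash,
    so it passes through untouched and is matched via the cn= branch.
    """
    if delimiter in user_name:
        realm, stripped = user_name.split(delimiter, 1)
        return realm, stripped
    return None, user_name


def ssid_from_called_station_id(called_station_id: str) -> Optional[str]:
    """Model attr_rewrite 'getssid'.

    The thread's config blindly cuts 18 characters ('.................:').
    This version insists the prefix really is a MAC, so an AP that sends
    only the SSID, or uses another layout, yields None instead of silently
    losing the first 18 characters of the SSID.
    """
    match = CALLED_STATION_RE.match(called_station_id)
    return match.group(2) if match else None


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.

    FreeRADIUS's xlat escapes LDAP filter metacharacters for you; anything
    that assembles a filter from RADIUS attributes by hand must do the same,
    or a User-Name such as '*)(uid=admin' rewrites the query.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
        for ch in value
    )


def build_filter(user_name: str, called_station_id: Optional[str] = None) -> Optional[str]:
    """Produce the filter the thread's ldap module would send.

    Returns None when an SSID restriction was requested but the
    Called-Station-Id could not be parsed, so the caller rejects instead of
    searching with an empty or wrong SSID.
    """
    _, name = split_ntdomain(user_name)
    name = ldap_escape(name)
    user_part = "(|(uid=%s)(cn=%s))" % (name, name)
    if called_station_id is None:
        return user_part
    ssid = ssid_from_called_station_id(called_station_id)
    if ssid is None:
        return None
    return "(&%s(radiusCalledStationId=%s))" % (user_part, ldap_escape(ssid))


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for user, csi in [
        ("MALACHITE\\gaa", "00:11:22:33:44:55:corpnet"),   # domain user on WPA
        ("host/malachite", "00:11:22:33:44:55:corpnet"),   # computer account
        ("gaa", None),                                      # wired, no SSID
        ("*)(uid=admin", None),                             # hostile User-Name
        ("gaa", "corpnet"),                                 # AP sent no MAC
    ]:
        print("%-20r %-30r -> %s" % (user, csi, build_filter(user, csi)))
```

Run it as a script to see the five constructed requests and the filter each one produces; the "MALACHITE\gaa" case turns into the `(|(uid=gaa)(cn=gaa))` search the thread wants instead of the `uid=MALACHITE` lookup in Gary's debug output, and the hostile User-Name ends up as a literal string rather than a wider filter.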