LDAP scope

Stefan Adams stefan at borgia.com
Sat Jan 7 05:18:32 CET 2006


> Date: Thu, 05 Jan 2006 17:07:30 -0500
> From: Gary Algier <gaa at ulticom.com>
> Subject: Re: LDAP scope
> To: FreeRadius users mailing list
>        <freeradius-users at lists.freeradius.org>
> Message-ID: <43BD98A2.7000401 at ulticom.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Stefan Adams wrote:
> > Hi!
> >
> > Is it possible to specify a basedn of "dc=example,dc=com" with a scope
> > of "sub" so that my search filters can apply to both "ou=People" and
> > "ou=Computers" for example?  It seems from my testing that the scope
> > is "one" by default.
>  From my experience it is a scope of "sub" by default.  My people are

Yup...  It worked as sub for me!  Was I dreaming or stupid, I dunno. 
But I'm glad you told me sub should work cuz then I tried it again.

> in the data store like:
>     dn: uid=gaa,ou=people,dc=ulticom,dc=com
> and my ldap section of radius.conf is:
>             ldap {
>                     server = "ldap.ulticom.com"
>                     basedn = "dc=ulticom,dc=com"
>                     filter = "(&(objectclass=person)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>                     do_xlat = yes
>                     base_filter = "(objectclass=*)"
>                     start_tls = no
>                     access_attr = "uid"
>                     dictionary_mapping = ${raddbdir}/ldap.attrmap
>                     ldap_connections_number = 5
>                     timeout = 4
>                     timelimit = 3
>                     net_timeout = 1
>             }
>
>
> >
> > The reason I would like to do this is to have the check box in Windows
> > XP that says "Authenticate as computer..." checked.  Doing this,
> > FreeRADIUS is first presented with the credentials of the computer
> > (host/name).  Since I already have a computer account in ou=Computers,
> > I figure I'd just add a cn=host/name attribute and modify the filter
> > to be (|(uid=%{User-Name})(cn=%{User-Name})).  But this can only work
> > with a basedn of "dc=example,dc=com" and a scope of sub.
> The thing to watch out for is the actual LDAP lookup may not be
> what you think.  Without special regex matches or other tricks it
> will only lookup your hostname.  For instance with a user of "gaa"
> on host "malachite", the supplied user value is "MALACHITE\GAA".
> This then results in an LDAP lookup of (from radiusd -X):
> -----------------------------------------------------------------------------
> rlm_ldap: performing user authorization for MALACHITE\gaa
> radius_xlat:  '(&(objectclass=person)(uid=MALACHITE))'
> radius_xlat:  'dc=ulticom,dc=com'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in dc=ulticom,dc=com, with filter (&(objectclass=person)(uid=MALACHITE))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> -----------------------------------------------------------------------------
>
> I tried to handle it with this:
>
> hints file:
>     ...
>     DEFAULT NAS-IP-Address == 172.25.16.9, User-Name =~ "^(.*)\\\\(.*)"
>             Hint = "8021XUSER",
>             Stripped-User-Name = `${2}`
>     ...
> users file:
>     ...
>     DEFAULT Hint == "8021XUSER"
>             Fall-Through = 1
>     ...
>
> This strips the hostname off, mostly.  I see it do several "uid=gaa"
> lookups, then one "uid=MALACHITE" and then it fails.  If you get it
> to work, let me know.  All I want to do is lookup the user.

I haven't tried the hints or users file method, but here's how I do it
and so far everything is working perfectly:

FreeRADIUS 1.1.0-pre0 (snapshot-20051220)
Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2

radiusd.conf:
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
modules {
        unix {
               radwtmp = ${logdir}/radwtmp
        }
        mschap {
               authtype = MS-CHAP
               use_mppe = yes
               require_encryption = yes
               require_strong = yes
               with_ntdomain_hack = yes
       }
       ldap {
               server = "ldap.borgia.com"
               identity = "cn=Manager,dc=borgia,dc=com"
               password = Manager's password
               basedn = "dc=borgia,dc=com"
               filter = "(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"
               base_filter = "(objectclass=radiusprofile)"
               tls { ... }
               access_attr = "dialupAccess"
               dictionary_mapping = ${raddbdir}/ldap.attrmap
               ldap_connections_number = 5
               timeout = 4
               timelimit = 3
               net_timeout = 1
               auto_header = no
               access_attr_used_for_allow = yes
      }
      eap {
               default_eap_type = peap
               timer_expire = 60
               ignore_unknown_eap_types = no
               cisco_accounting_username_bug = no
               tls {
                       private_key_password = whatever
                       private_key_file = /etc/1x/server.pem
                       certificate_file = /etc/1x/server.pem
                       CA_file = /etc/1x/root.pem
                       dh_file = /etc/1x/DH
                       random_file = /etc/1x/random
                       include_length = yes
               }
               peap {
                       default_eap_type = mschapv2
                       copy_request_to_tunnel = yes
               }
               mschapv2 {
               }
       }
       realm ntdomain {
               format = prefix
               delimiter = "\\"
       }
       preprocess {
               :
               with_ntdomain_hack = no
               :
       }
}
authorize {
       preprocess
       ntdomain
       eap
       ldap
}
authenticate {
       Auth-Type MS-CHAP {
               mschap
       }
       eap
}

clients.conf:
client 172.16.16.0/24 {
       secret          = whatever
       shortname       = ap
}
client 172.16.254.0/24 {
       secret          = whatever
       shortname       = server
}

proxy.conf:
realm LOCAL {
       type            = radius
       authhost        = LOCAL
       accthost        = LOCAL
}
realm DEFAULT {
       type            = radius
       authhost        = LOCAL
       accthost        = LOCAL
}

[
SSID Authorization (If I want to autz a user via 802.1x to an existing
LDAP based on which connecting-to SSID):
modules {
       ldap {
            filter = "(&(|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))(radiusCalledStationId=%{Called-Station-ID}))"
       }
       attr_rewrite getssid {
               attribute = Called-Station-Id
               # may be "packet", "reply", "proxy", "proxy_reply" or "config"
               searchin = packet
               # Strip the MAC Address out of the Called-Station-ID
               # Resulting in just the SSID
               # My AP sends the:mac:add:ress:and:the:SSID
               # All I want is the SSID
               searchfor = ".................:"
               replacewith = ""
               ignore_case = yes
               new_attribute = no
       #       max_matches = 10
       #       ## If set to yes then the replace string will be appended to th
       #       append = no
       }
}
authorize {
       :
       eap
       getssid
       ldap
       :
}

Windows XP:

Apply this Pre-SP3 Hotfix:
http://support.microsoft.com/?kbid=885453

Windows Network Connection Properties:
 Preferred networks, [SSID] Properties:
   Association:
     Network Auth: WPA
     Data Enc: AES
   Authentication:
     EAP Type: PEAP
     [X] Authenticate as computer when computer information is
available (IF PC IS JOINED TO DOMAIN)
     [ ] Authenticate as computer when computer information is
available (IF NOT JOINED)
     Properties:
       EAP-MS-CHAP v2
         Configure:
           [X] Automatically use my Windows logon name and Password (IF
PC IS JOINED TO DOMAIN)
           [ ] Automatically use my Windows logon name and Password
(IF NOT JOINED)
       [X] Enable Fast Reconnect


> If you want to use the hostname, how will you match the password?  What
> credentials are you expecting it to pass?  I was under the assumption
> that when you select "Authenticate as computer..." it expects to
> use certificates (I may be wrong here).

When the PC is joined to a Samba domain, a computer account is created
with uid=hostname$ and sambaNTPassword=xxxxxxxxx

When you authenticate as computer, windows sends host/hostname as the
User-Name and the password that, when encrypted, matches the
sambaNTPassword.

This has successfully connected me to 802.1x (Wired and WPA wireless)
as computer when joined to the domain.  This allows me to login to the
domain using a domain account never before used on that computer so
that it is not cached.  I'm sure the significance of this can be
realized.

> The format of the password when using the Windows domain style login
> is the Windows "encrypted" format (actually a hash, not encrypted,
> but you still can't recreate the clear text password).  In the default
> configuration, this value is matched against the LDAP attribute
> "sambaNTPassword".  This assumes that you are already using
> Samba for SMB/CIFS access.  (I am).
     |--->  Of course!!!  :)

> >
> > Thanks!
> > Stefan
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Gary Algier, WB2FWZ          gaa at ulticom.com             +1 856 787 2758
> Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054      Fax:+1 856 866 2033
>
> Nielsen's First Law of Computer Manuals:
>     People don't read documentation voluntarily.
>
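A small model of the stages this message relies on, written for this thread as an added example and not code from the list or from FreeRADIUS itself: the ntdomain realm splitting "DOMAIN\user" into Realm and Stripped-User-Name, the ":-" default in the ldap filter, and the getssid attr_rewrite that drops the MAC from Called-Station-Id. The sample User-Name and Called-Station-Id values are constructed, and the RFC 4515 escaping step is an assumption added to show why the expanded value must not be able to reshape the filter (rlm_ldap applies its own escaping).

```python
import re

# Constructed sample values modelled on the thread, not real captures.
SAMPLE_USER = "MALACHITE\\gaa"             # what XP sends for user gaa on host malachite
SAMPLE_CSID = "00:11:22:33:44:55:corpnet"  # AP puts MAC:SSID into Called-Station-Id


def strip_ntdomain(user_name, delimiter="\\"):
    """Model of 'realm ntdomain { format = prefix }' with a backslash delimiter:
    a DOMAIN\\user name is split into (Realm, Stripped-User-Name); a name
    without the delimiter leaves both unset (None)."""
    if delimiter in user_name:
        realm, user = user_name.split(delimiter, 1)
        return realm, user
    return None, None


def ldap_escape(value):
    """RFC 4515 escaping of the expanded value (hypothetical step here) so a
    request-supplied name cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(user_name, stripped_user_name=None):
    """Expand the message's filter
    (|(uid=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))
    where ':-' means: use Stripped-User-Name if set, else fall back to User-Name."""
    name = ldap_escape(stripped_user_name if stripped_user_name else user_name)
    return "(|(uid=%s)(cn=%s))" % (name, name)


def ssid_from_called_station_id(csid):
    """Model of the attr_rewrite 'getssid' instance: the first match of
    searchfor = ".................:" (17 MAC characters plus ':') is replaced
    with the empty string, leaving only the SSID."""
    return re.sub(r".{17}:", "", csid, count=1)


def authorize(user_name, called_station_id):
    """Same order as the authorize section in the message: ntdomain, then
    getssid, then the ldap filter. Returns the values ldap would use."""
    realm, stripped = strip_ntdomain(user_name)
    return {
        "realm": realm,
        "stripped_user_name": stripped,
        "ssid": ssid_from_called_station_id(called_station_id),
        "filter": build_filter(user_name, stripped),
    }


if __name__ == "__main__":
    for name in (SAMPLE_USER, "host/malachite", "*)(uid=*"):
        print(name, "->", authorize(name, SAMPLE_CSID))
```

The "host/malachite" case shows why the computer account needs the cn=host/name attribute the thread mentions: no domain prefix is present, so the filter is built from the raw User-Name.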