Radius + LDAP + SecurID
Marc Phillips
rmarc at copacetic.net
Thu Feb 3 03:42:03 CET 2011
So I've been beating my head against a wall on this
for a few days, so I figured I'd share what "worked"
now that the swelling has gone down.
Configuration is fairly straight forward. I have
authorization via LDAP (AD), and Authentication via
SecurID (via PAM..yeah, I know you aren't s'posed to
use PAM 'cause of mem leaks, and the SecurID one certainly
had 'em, but the latest module has been stable in Radius 1.1.7
for me for over 2 years on multiple platforms).
I previously had a simple radius to securid bridge I'm just
now adding in LDAP.
Using FreeRadius 2.1.10 (I patched it for an exec callout
which can be found in the devel group).
Used the "default" site and enabled ldap:
authorize {
preprocess
auth_log
# This is important and (it's ommision) was
# the cause of the lump on my skull
files
ldap
}
authenticate {
pam
}
modules/ldap
ldap {
server = "mydc"
port = 636
identity = "exec:my_callout"
password = "exec:my_callout"
basedn = "dc=some,dc=corp,dc=com"
filter = "(CN=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls_mode= yes
tls {
start_tls = no
cacertfile = /path/to/cafile
require_cert = "demand"
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
groupmembership_attribute = "memberOf"
chase_referrals = no
rebind = no
set_auth_type = no
}
users file:
DEFAULT Ldap-Group == "admins", Auth-Type = pam
Reply-Message = "Hello (admin), %{User-Name}",
....(other attributes)
Fall-Through = No
DEFAULT Ldap-Group == "Operators", Auth-Type = pam
Reply-Message = "Hello (operator), %{User-Name}",
....(other attributes)
Fall-Through = No
DEFAULT Auth-Type := Reject
Reply-Message = "you are not authorized"
So what happens is the user sends his request, the user ID is looked
up in AD and then the groups are looked up for that user, in the order
listed in the users file, until a match is found. If a match is found,
it passes to the Auth-Type for authentication otherwise sends back a reject.
Note, this is a basic POC config.
As another note, I found a python module (pyrad, not py-radius) very helpful
in debugging this. radtest is nice, but I don't like entering my pin in he clear
on a shared unix box. Here's a script I used for that (merged the good of the py-radius
example with the pyrad example):
-------------cut --------------------------
#!/usr/bin/python
import socket, sys
import pyrad.packet
from getpass import getpass
from pyrad.client import Client
from pyrad.dictionary import Dictionary
secret = ''
uname,passwd = None,None
while not secret: secret = getpass('RADIUS Secret? ')
while not uname: uname = raw_input("Username? ")
while not passwd: passwd = getpass("Password? ")
srv=Client(server="localhost",
secret=secret,
dict=Dictionary("/path/to/dictionary"))
print "read dictionary"
req=srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
User_Name=uname)
req["User-Password"]=req.PwCrypt(passwd)
req["Service-Type"] = "Login-User"
try:
print "Sending authentication request"
reply=srv.SendPacket(req)
except pyrad.client.Timeout:
print "RADIUS server does not reply"
sys.exit(1)
except socket.error, error:
print "Network error: " + error[1]
sys.exit(1)
if reply.code==pyrad.packet.AccessAccept:
print "Access accepted"
else:
print "Access denied"
print "Attributes returned by server:"
for i in reply.keys():
print "%s: %s" % (i, reply[i])
-----------cut ---------------------------
R. Marc
More information about the Freeradius-Users
mailing list