Authorize users in different trusted Active Directory domains using LDAP group searches

Roberto.Franceschetti at ocfl.net
Mon Jul 28 20:47:06 CEST 2014


Hi there,

As this is going to be a possibly long post, the brief question is:
Can we use a single FreeRADIUS install to provide different types of access to Active Directory users belonging to multiple trusted domains, based on their membership in Active Directory groups that are located in just one of these domains? This is so that an administrator for one of the domains can provide access to his resources to users belonging to other trusted domains.


The above question is expanded as follows with more details. We are using FreeRADIUS v2.1.10 installed on a Ubuntu server to authenticate and provide access for:

1. OpenLDAP users with rights based on LDAP groups
2. Two-factor authentication using Active Directory accounts in multiple trusted domains and SSL client certificates, with required membership in a specific AD group
3. Authentication and different access for Active Directory accounts based on AD group memberships



For (1) we are able to grant access in the authenticate {} section as we're using an OpenLDAP directory, not Active Directory:

	authenticate {
		Auth-Type LDAP {
			# Bind as the user against the OpenLDAP instance
			ldap_linux

			# Group membership is checked through the instance-specific Ldap-Group attribute
			if (ldap_linux-Ldap-Group == "cn=full_client,ou=remote_access,ou=groups,dc=esu_accounts,dc=net") {
				update reply {
					Class := "ou=asa_vpn"
					Reply-Message = "Welcome to ASA VPN"
				}
			}

#			........ a whole bunch of other ifs here.....

		}
	}




For (2), as we only needed to authenticate/authorize users if they belonged to a single, specific "Domain Local" group in one of our Active Directory domains, and this group contains individual users from all the domains we support, we were able to make this happen by using ntlm_auth with the --require-membership-of option:

	exec ntlm_auth.vpnaccessfullclient {
		wait = yes
		program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-OCG} --password=%{User-Password} --require-membership-of=ocg\\VPNAccess"
	}


This allows us to authenticate and authorize users in all the Active Directory domains we have trusts with, but only if that account belongs to the specific Active Directory group "ocg\\VPNAccess".





For (3), this is where I may have hit a wall. I can make this work for a single Active Directory domain by using ntlm_auth to *authenticate* users (without any --require-membership-of restrictions), and then using post-auth to check group membership and provide access as needed based on Active Directory group membership:


	post-auth {
		# Look the user up in the domain configured for this ldap instance
		ldap_ad
		if (ldap_ad-LDAP-Group == "VPNAccess2") {
			update reply {
				Class := "ou=IPICSPolicy;"
				Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
			}
		}
	}

This works fine, but I think it can only check for group membership in the Active Directory domain defined in "ldap_ad" in the ldap module. It cannot verify group membership in other domains. Hopefully I'm wrong... but days of googling didn't turn up a solution.


I cannot find a way to make this requirement work (securely) in an Active Directory environment with multiple trusted domains. Let me explain. There are resources in my domain that I have to grant to users of my domain and to users in other trusted domains. These are *my* resources, so I have Active Directory groups in my domain to which I add users (I cannot have other admins in other domains grant this access).

There are some workarounds I found in the mailing list, but in my opinion they are not secure. For example, I can add additional entries in the ldap module for the other domains, but in order for the LDAP searches to work, the group in which users are searched would need to reside in the other domains, which are not under my control. The other admins could add anyone to those groups and this would compromise my resources.


In addition, if I did the above:

	post-auth {
		# First domain: search for the user and the group in ldap_ad
		ldap_ad
		if (ldap_ad-LDAP-Group == "VPNAccess2") {
			update reply {
				Class := "ou=IPICSPolicy;"
				Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
			}
		}

		# Second domain: same search against a second ldap instance, ldap_ad2
		ldap_ad2
		if (ldap_ad2-LDAP-Group == "VPNAccess2") {
			update reply {
				Class := "ou=IPICSPolicy;"
				Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
			}
			noop
		}
	}

I could have cases where the same username "smith" can exist in both domains. If the user "smith" in ldap_ad2 above authenticates, and they are not a member of the "VPNAccess2" group, while there happens to be a user "smith" in ldap_ad who is instead a member of "VPNAccess2", then the wrong user would be granted access.



Are there any solutions to my original question at the top, or am I trying to do something that is just not possible due to limitations of Active Directory (not a real LDAP server...) and the way LDAP searches work?

I apologize for the long question, but hopefully it will help others who may be having the same scenario.

Thanks,

Roberto
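The username-collision problem described in the post, worked through as an added example (not the poster's configuration and not FreeRADIUS module code). It models two trusted domains as small in-memory directories: "OCG" is the resource domain named in the post, "PARTNER" is an assumed name for a trusted domain, and all user and group entries are constructed sample data. The naive check compares only the bare user name against each group member, which is the behaviour that lets the wrong "smith" through; the strict check first splits DOMAIN\user the way %{mschap:NT-Domain:-OCG} and %{mschap:User-Name} do, resolves that user to a distinguished name in its own domain, and only then asks whether that exact DN is a member of the group held in the resource domain.

```python
"""Group-membership check keyed on (domain, user) instead of a bare user name.

Constructed toy directories standing in for two trusted AD domains; this is
example code written for illustration, not the poster's setup.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample data. "OCG" is the resource domain from the post;
# "PARTNER" is an assumed name for a trusted domain. Both have a user "smith".
DIRECTORIES: Dict[str, Dict[str, str]] = {
    "OCG": {
        "smith": "CN=smith,OU=Users,DC=ocg,DC=local",
        "jones": "CN=jones,OU=Users,DC=ocg,DC=local",
    },
    "PARTNER": {
        "smith": "CN=smith,OU=Users,DC=partner,DC=local",
        "lee": "CN=lee,OU=Users,DC=partner,DC=local",
    },
}

# Group living in the resource domain. Members are recorded as full DNs, so a
# member from the trusted domain stays distinct from a local user with the
# same RDN. Only OCG's smith and PARTNER's lee are members here.
RESOURCE_GROUPS: Dict[str, List[str]] = {
    "VPNAccess2": [
        "CN=smith,OU=Users,DC=ocg,DC=local",
        "CN=lee,OU=Users,DC=partner,DC=local",
    ],
}


def split_nt_name(name: str, default_domain: str = "OCG") -> Tuple[str, str]:
    """Split DOMAIN\\user, falling back to a default domain like %{mschap:NT-Domain:-OCG}."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain.upper(), user
    return default_domain.upper(), name


def rdn_value(dn: str) -> str:
    """Return the value of the first RDN, e.g. 'smith' for 'CN=smith,OU=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def naive_is_member(username: str, group: str) -> bool:
    """The failure mode: match only the bare user name against each member's RDN.

    Any domain's 'smith' satisfies this if some 'smith' is in the group.
    """
    members = RESOURCE_GROUPS.get(group, [])
    return any(rdn_value(m).lower() == username.lower() for m in members)


def strict_is_member(nt_name: str, group: str) -> bool:
    """Resolve (domain, user) to a DN in that user's own domain, then check the DN."""
    domain, user = split_nt_name(nt_name)
    dn = DIRECTORIES.get(domain, {}).get(user)
    if dn is None:
        # Unknown domain or unknown user: never fall through to another domain.
        return False
    members = {m.lower() for m in RESOURCE_GROUPS.get(group, [])}
    return dn.lower() in members


def authorize(nt_name: str) -> Optional[Dict[str, str]]:
    """Produce the reply attributes from the post only for a verified member."""
    if strict_is_member(nt_name, "VPNAccess2"):
        return {
            "Class": "ou=IPICSPolicy;",
            "Reply-Message": "Welcome to Radio VPN Restricted ACL Access",
        }
    return None


if __name__ == "__main__":
    for who in ("smith", "OCG\\smith", "PARTNER\\smith", "partner\\lee"):
        print(who, "naive:", naive_is_member(split_nt_name(who)[1], "VPNAccess2"),
              "strict:", strict_is_member(who, "VPNAccess2"))
```

The difference to take away is that the membership question must be asked about the object the user actually authenticated as (domain plus account, resolved to a DN), not about a name string that can exist in several directories at once.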


