Authorize users in different trusted Active Directory domains using LDAP group searches
Roberto.Franceschetti at ocfl.net
Roberto.Franceschetti at ocfl.net
Mon Jul 28 20:47:06 CEST 2014
Hi there,
As this is going to be a possibly long post, the brief question is:
Can we use a single freeradius install to provide different type of access to Active Directory users belonging to multiple trusted domains based on their membership in Active Directory groups that located in just one of these domains? This is so that an administrator for one of the domains can provide access to his resources to users belonging in other trusted domains.
The above question is expanded as follows with more details. We are using FreeRADIUS v2.1.10 installed on a Ubuntu server to authenticate and provide access for:
1. OpenLDAP users with rights based on LDAP groups
2. Dual factor authentication using Active Directory accounts in multiple trusted domains and SSL client certificates, with required membership to a specific AD group
3. Authentication and different Access for Active Directory accounts based on AD group memberships
For (1) we are able to grant access in the authenticate {} section as we're using an OpenLDAP directory, not Active Directory:
authenticate {
Auth-Type LDAP {
ldap_linux
if (ldap_linux-Ldap-Group == "cn=full_client,ou=remote_access,ou=groups,dc=esu_accounts,dc=net") {
update reply {
Class := "ou=asa_vpn",
Reply-Message = "Welcome to ASA VPN"
}
}
# ........ a whole bunch of other ifs here.....
}
}
For (2), as we only needed to authenticate/authorize users if they belonged to a single, specific "Domain Local" group in one of our Active Directory domains, and this group contains individual users in all the domains we support, we were able to make this happen by using ntlm_auth with the --require-membership option:
exec ntlm_auth.vpnaccessfullclient {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-OCG} --password=%{User-Password} --require-membership-of=ocg\\VPNAccess"
}
This allows us to authenticate and authorize users in all the Active Directory domains we have trusts only if that account belongs in the specific Active Directory group "ocg\\VPNAccess"
For (3), this is were I may have hit a wall. I can make this work for a single Active Directory domain by using ntlm_auth to *authenticate* users (without any --require-membership-of restrictions), and to then use post-auth to check group membership and provide access as needed based on Active Directory group membership:
post-auth {
ldap_ad
if (ldap_ad-LDAP-Group == "VPNAccess2") {
update reply {
Class := "ou=IPICSPolicy;"
Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
}
}
This works fine, but I think it can only check for group membership in the Active Directory domain defined in "ldap_ad" in the ldap module. It cannot verify group membership in other domains. Hopefully I'm wrong... but days of googling didn't turn out a solution.
I cannot find a way to make this requirement work (securely) in an Active Directory environment with multiple trusted domains. Let me explain. There are resources in my domain that I have to grant to users of my domain and to users in other trusted domains. These are *my* resources, so I have Active Directory groups in my domain to which I add users (I cannot have other admins in other domains grant this access).
There are some workarounds I found in the mailing list, but in my opinion they are not secure. For example, I can add additional entries in the ldap module for the other domains, but in order for the LDAP searches to work, the group in which users are being searched in would need to reside in the other domains, which are not under my control. The other admins could add anyone to those groups and this would compromise my resources.
In addition, if I did the above:
post-auth {
ldap_ad
if (ldap_ad-LDAP-Group == "VPNAccess2") {
update reply {
Class := "ou=IPICSPolicy;"
Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
}
}
ldap_ad2
if (ldap_ad2-LDAP-Group == "VPNAccess2") {
update reply {
Class := "ou=IPICSPolicy;"
Reply-Message = "Welcome to Radio VPN Restricted ACL Access"
}
noop
}
I could have cases where the same username "smith" can exist in both domains. If the user "smith" in ldap_ad2 above authenticates, and they are not a member of the "VPNAccess2" group, while there happens to be a user "smith" in ldap_ad who is instead a member of "VPNAccess2", then the wrong user would be granted access.
Are there any solutions to my original question at the top, or am I trying to do something that is just not possible due to limitations of Active Directory (not a real LDAP server...) and the way LDAP searches work?
I apologize for the long question, but hopefully it will help others who may be having the same scenario.
Thanks,
Roberto
PLEASE NOTE: Florida has a very broad public records law (F. S. 119).
All e-mails to and from County Officials are kept as a public record.
Your e-mail communications, including your e-mail address may be
disclosed to the public and media at any time.
More information about the Freeradius-Users
mailing list