Authenticating users on LDAP based on Group name
Jose Torres-Berrocal
jetsystemservices at gmail.com
Tue Apr 21 06:17:28 CEST 2015
I forgot to include my last conf files.
###########################################################
ldap.conf:
###########################################################
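ldap {
	#
	# Directory connection. The hostname must match the name in the
	# LDAP server certificate if TLS is enabled in the tls {} block
	# below; with start_tls = no it is only used for the TCP connect.
	#
	server = "jetsms-srv2003.jetdom.local"
	port = "389"

	#
	# Bind DN and password used for the user and group searches.
	# With start_tls = no (below) this password, and every user's
	# PAP password during the authentication bind, cross the
	# network to the domain controller in the clear.
	#
	# NOTE(review): this bind password is exposed in the public
	# thread this file was posted to; rotate it on the directory.
	#
	identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
	password = Tramontane10520
	basedn = "cn=Users,dc=jetdom,dc=local"

	# User lookup by the AD logon name. Stripped-User-Name is used
	# when a realm was stripped, otherwise the raw User-Name.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	base_filter = "(objectclass=*)"

	# How many connections to keep open to the LDAP server.
	# This saves time over opening a new LDAP socket for
	# every authentication request.
	ldap_connections_number = 5

	# seconds to wait for LDAP query to finish. default: 20
	timeout = 4

	# seconds LDAP server has to process the query (server-side
	# time limit). default: 20
	#
	# LDAP_OPT_TIMELIMIT is set to this value.
	timelimit = 3

	# seconds to wait for response of the server. (network
	# failures) default: 10
	#
	# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
	net_timeout = 1

	#
	# This subsection configures the tls related items that
	# control how FreeRADIUS connects to an LDAP server. It
	# replaces the "tls_*" entries used in older versions of
	# FreeRADIUS; those still work, but these are preferred.
	#
	tls {
		# Set this to 'yes' to use TLS encrypted connections
		# to the LDAP database by using the StartTLS extended
		# operation.
		#
		# StartTLS upgrades a normal ldap connection (port 389)
		# instead of using a separate ldaps (port 636) connection.
		start_tls = no

		cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
		cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
		certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
		keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
		randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random

		# Certificate Verification requirements. Can be:
		# "never" (don't even bother trying)
		# "allow" (try, but don't fail if the certificate
		# can't be verified)
		# "demand" (fail if the certificate doesn't verify.)
		#
		# The default is "allow".
		#
		# NOTE(review): "never" has no effect while start_tls = no,
		# but once StartTLS is turned on it also switches off
		# checking of the server certificate, so the cacertfile
		# above is not consulted; "demand" is the setting under
		# which TLS actually authenticates the directory.
		require_cert = "never"
	}

	### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
	### profile_attribute = "radiusProfileDn" ###
	### access_attr = "dialupAccess" ###

	# Mapping of RADIUS dictionary attributes to LDAP
	# directory attributes.
	dictionary_mapping = ${confdir}/ldap.attrmap

	################## THE BELOW IS NOT COMPILED WITH FREERADIUS
	#################################
	# Set password_attribute = nspmPassword to get the
	# user's password from a Novell eDirectory
	# backend. This will work ONLY IF FreeRADIUS has been
	# built with the --with-edir configure option.
	#
	# See also the following links:
	#
	# http://www.novell.com/coolsolutions/appnote/16745.html
	# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
	#
	# (In the copy posted to the list the second URL had lost its
	# leading "#", probably through mail wrapping; as a bare line
	# inside the section it would not parse.)
	#
	# Novell may require TLS encrypted sessions before returning
	# the user's password.
	#
	# password_attribute = userPassword

	# Un-comment the following to disable Novell
	# eDirectory account policy check and intruder
	# detection. This will work *only if* FreeRADIUS is
	# configured to build with --with-edir option.
	#
	edir_account_policy_check = no
	################## THE ABOVE IS NOT COMPILED WITH FREERADIUS
	#################################

	#
	# Group membership checking, used by the Ldap-Group comparison
	# in the users file. groupname_attribute is the attribute the
	# name in Ldap-Group == "..." is matched against;
	# groupmembership_attribute is the user attribute that lists
	# the user's groups (memberOf on Active Directory).
	#
	groupname_attribute = cn

	# Kept on a single line: in the copy posted to the list the
	# value sat on the line after "groupmembership_filter =",
	# probably through mail wrapping; a value on its own line is
	# not assigned to the key.
	#
	# NOTE(review): this is the stock filter for GroupOfNames /
	# GroupOfUniqueNames groups. Active Directory groups use
	# objectClass=group with a "member" attribute, so this search
	# is unlikely to match there; membership is presumably found
	# through the memberOf attribute below instead.
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
	groupmembership_attribute = memberOf

	# compare_check_items = yes was what produced "Pairs do not
	# match" in the earlier logs; with "no" the attributes pulled
	# via dictionary_mapping are not used as check items.
	compare_check_items = no
	do_xlat = yes
	# Presumably only relevant while access_attr (commented out
	# above) is set.
	access_attr_used_for_allow = yes

	#
	# The following two configuration items are for Active Directory
	# compatibility. If you see the helpful "operations error"
	# being returned to the LDAP module, uncomment the next
	# two lines.
	#
	### MS Active Directory Compatibility is disabled ###

	#
	# By default, if the packet contains a User-Password,
	# and no other module is configured to handle the
	# authentication, the LDAP module sets itself to do
	# LDAP bind for authentication.
	#
	# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
	#
	# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
	#
	# You can disable this behavior by setting the following
	# configuration entry to "no".
	#
	# allowed values: {no, yes}
	# set_auth_type = yes

	# ldap_debug: debug flag for LDAP SDK
	# (see OpenLDAP documentation). Set this to enable
	# huge amounts of LDAP debugging on the screen.
	# You should only use this if you are an LDAP expert.
	#
	# default: 0x0000 (no debugging messages)
	# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
	#ldap_debug = 0x0028

	#
	# Keepalive configuration. This MAY NOT be supported by your
	# LDAP library. If these configuration entries appear in the
	# output of "radiusd -X", then they are supported. Otherwise,
	# they are unsupported, and changing them will do nothing.
	#
	keepalive {
		# LDAP_OPT_X_KEEPALIVE_IDLE
		idle = 60

		# LDAP_OPT_X_KEEPALIVE_PROBES
		probes = 3

		# LDAP_OPT_X_KEEPALIVE_INTERVAL
		interval = 3
	}
}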
##################################################
Users.conf:
##################################################
/usr/pbi/freeradius-i386/etc/raddb/users
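# Local test account with a cleartext password in the users file;
# it is matched before the DEFAULT entries and should be removed
# once LDAP authentication is working.
"test" Cleartext-Password := "squidtest"

# Group gate. Anyone who is not a member of InternetAccess is
# rejected here in authorize; members match no entry and go on
# to normal authentication, which the ldap module performs as an
# LDAP bind with the User-Password (see set_auth_type in the
# module config).
#
# The previous entry
#   DEFAULT Ldap-Group == "InternetAccess", Auth-Type := Accept
# was removed: Auth-Type := Accept skips the authenticate section
# entirely, so a group member was granted access on username
# alone, without the password ever being checked against LDAP.
DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject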
On Tue, Apr 21, 2015 at 12:07 AM, Jose Torres-Berrocal <
jetsystemservices at gmail.com> wrote:
> I noticed that my problem is that when using group options I get
> authorized successfully but does not get authenticated (Using Compare Check
> Items = No results in Access-Accept). When not using group options I get
> authorized and authenticated successfully.
>
> Is there a way to do a two pass process? If I could run the first pass
> without group options and the second pass if authenticated run with group
> options, I will get my desired result.
>
> By the way I found how to run in debug mode in pfsense and do some custom
> changes in the Users.conf file.
>
> On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal <
> jetsystemservices at gmail.com> wrote:
>
>> I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
>>
>> I can't modify the conf files manually. I have to use the pfsense WebGui.
>>
>> I could authenticate the users of the LDAP successfully but when I try to
>> authenticate using group membership options it fails with the following
>> logs.
>>
>> Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default>
>> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests.
>> Wed Mar 25 13:39:27 2015 : Auth: Invalid user ( [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>> Wed Mar 25 13:39:33 2015 : Auth: Invalid user ( [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>> Wed Mar 25 13:39:34 2015 : Auth: Invalid user ( [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>>
>> On pfsense I do not see an option to run in debug mode, but probably you
>> can help me with the pfsense produced ldap conf file. I do not use fancy
>> stuff. After I get it working I may try to add TLS configuration to have
>> encrypted comm or passwords.
>>
>> The LDAP is an Active Directory on a Windows 2003 Server.
>> The group name is InternetAccess. (Is this case sensitive?)
>> I do not have a radiusprofile, where there is mention of radiusprofile is
>> a default generated line. (In pfsense I may change the line but can not
>> remove it or comment it out.)
>>
>> LDAP CONF:
>>
>> /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
>> # -*- text -*-
>> #
>> # $
>>
>> # Lightweight Directory Access Protocol (LDAP)
>> #
>> # This module definition allows you to use LDAP for
>> # authorization and authentication.
>> #
>> # See raddb/sites-available/default for reference to the
>> # ldap module in the authorize and authenticate sections.
>> #
>> # However, LDAP can be used for authentication ONLY when the
>> # Access-Request packet contains a clear-text User-Password
>> # attribute. LDAP authentication will NOT work for any other
>> # authentication method.
>> #
>> # This means that LDAP servers don't understand EAP. If you
>> # force "Auth-Type = LDAP", and then send the server a
>> # request containing EAP authentication, then authentication
>> # WILL NOT WORK.
>> #
>> # The solution is to use the default configuration, which does
>> # work.
>> #
>> # Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
>> # really can't emphasize this enough.
>> #
>> ldap {
>> #
>> # Note that this needs to match the name in the LDAP
>> # server certificate, if you're using ldaps.
>> server = "jetsms-srv2003.jetdom.local"
>> port = "389"
>> identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
>> password = Mypassword
>> basedn = "cn=Users,dc=jetdom,dc=local"
>> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>> base_filter = "(objectclass=radiusprofile)"
>>
>> # How many connections to keep open to the LDAP server.
>> # This saves time over opening a new LDAP socket for
>> # every authentication request.
>> ldap_connections_number = 5
>>
>> # seconds to wait for LDAP query to finish. default: 20
>> timeout = 4
>>
>> # seconds LDAP server has to process the query (server-side
>> # time limit). default: 20
>> #
>> # LDAP_OPT_TIMELIMIT is set to this value.
>> timelimit = 3
>>
>> #
>> # seconds to wait for response of the server. (network
>> # failures) default: 10
>> #
>> # LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>> net_timeout = 1
>>
>> #
>> # This subsection configures the tls related items
>> # that control how FreeRADIUS connects to an LDAP
>> # server. It contains all of the "tls_*" configuration
>> # entries used in older versions of FreeRADIUS. Those
>> # configuration entries can still be used, but we recommend
>> # using these.
>> #
>> tls {
>> # Set this to 'yes' to use TLS encrypted connections
>> # to the LDAP database by using the StartTLS extended
>> # operation.
>> #
>> # The StartTLS operation is supposed to be
>> # used with normal ldap connections instead of
>> # using ldaps (port 689) connections
>> start_tls = no
>>
>> cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
>> cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
>> certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
>> keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
>> randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
>>
>> # Certificate Verification requirements. Can be:
>> # "never" (don't even bother trying)
>> # "allow" (try, but don't fail if the certificate
>> # can't be verified)
>> # "demand" (fail if the certificate doesn't verify.)
>> #
>> # The default is "allow"
>> require_cert = "never"
>> }
>>
>> ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
>> ### profile_attribute = "radiusProfileDn" ###
>> ### access_attr = "dialupAccess" ###
>>
>> # Mapping of RADIUS dictionary attributes to LDAP
>> # directory attributes.
>> dictionary_mapping = ${confdir}/ldap.attrmap
>> ################## THE BELOW IS NOT COMPILED WITH FREERADIUS
>> #################################
>> # Set password_attribute = nspmPassword to get the
>> # user's password from a Novell eDirectory
>> # backend. This will work ONLY IF FreeRADIUS has been
>> # built with the --with-edir configure option.
>> #
>> # See also the following links:
>> #
>> # http://www.novell.com/coolsolutions/appnote/16745.html
>> #
>> https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
>> #
>> # Novell may require TLS encrypted sessions before returning
>> # the user's password.
>> #
>> # password_attribute = userPassword
>>
>> # Un-comment the following to disable Novell
>> # eDirectory account policy check and intruder
>> # detection. This will work *only if* FreeRADIUS is
>> # configured to build with --with-edir option.
>> #
>> edir_account_policy_check = no
>> ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS
>> #################################
>> #
>> # Group membership checking. Disabled by default.
>> #
>> groupname_attribute = cn
>> groupmembership_filter =
>> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
>> groupmembership_attribute = InternetAccess
>>
>> compare_check_items = yes
>> do_xlat = yes
>> access_attr_used_for_allow = yes
>>
>> #
>> # The following two configuration items are for Active Directory
>> # compatibility. If you see the helpful "operations error"
>> # being returned to the LDAP module, uncomment the next
>> # two lines.
>> #
>>
>> ### MS Active Directory Compatibility is disabled ###
>>
>> #
>> # By default, if the packet contains a User-Password,
>> # and no other module is configured to handle the
>> # authentication, the LDAP module sets itself to do
>> # LDAP bind for authentication.
>> #
>> # THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>> #
>> # THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>> #
>> # You can disable this behavior by setting the following
>> # configuration entry to "no".
>> #
>> # allowed values: {no, yes}
>> # set_auth_type = yes
>>
>> # ldap_debug: debug flag for LDAP SDK
>> # (see OpenLDAP documentation). Set this to enable
>> # huge amounts of LDAP debugging on the screen.
>> # You should only use this if you are an LDAP expert.
>> #
>> # default: 0x0000 (no debugging messages)
>> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>> #ldap_debug = 0x0028
>>
>> #
>> # Keepalive configuration. This MAY NOT be supported by your
>> # LDAP library. If these configuration entries appear in the
>> # output of "radiusd -X", then they are supported. Otherwise,
>> # they are unsupported, and changing them will do nothing.
>> #
>> keepalive {
>> # LDAP_OPT_X_KEEPALIVE_IDLE
>> idle = 60
>>
>> # LDAP_OPT_X_KEEPALIVE_PROBES
>> probes = 3
>>
>> # LDAP_OPT_X_KEEPALIVE_INTERVAL
>> interval = 3
>> }
>> }
>>
>
>