Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at gmail.com
Tue Apr 21 06:17:28 CEST 2015


I forgot to include my last conf files.

###########################################################
ldap.conf:
###########################################################

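ldap {
#
#  Note that this needs to match the name in the LDAP
#  server certificate, if you're using ldaps.
server = "jetsms-srv2003.jetdom.local"
#  Plain LDAP port.  With start_tls = no (see the tls subsection)
#  every bind made over this connection -- the service account's
#  and each user's PAP password -- crosses the network unencrypted.
#  LDAPS (636) or StartTLS on 389 is the usual remedy once the
#  group check itself works.
port = "389"
#  Service account used for the initial bind and the user search.
identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
#  NOTE(review): this bind password was posted verbatim to a public
#  mailing list.  Treat it as compromised: rotate the pfsense account
#  and use a placeholder in future posts (the earlier message did,
#  with "Mypassword").
password = Tramontane10520
basedn = "cn=Users,dc=jetdom,dc=local"
#  User lookup: Stripped-User-Name when a realm was stripped, else
#  User-Name, matched against AD's sAMAccountName.
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(objectclass=*)"

#  How many connections to keep open to the LDAP server.
#  This saves time over opening a new LDAP socket for
#  every authentication request.
ldap_connections_number = 5

# seconds to wait for LDAP query to finish. default: 20
timeout = 4

#  seconds LDAP server has to process the query (server-side
#  time limit). default: 20
#
#  LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3

#
#  seconds to wait for response of the server. (network
#   failures) default: 10
#
#  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1

#
#  This subsection configures the tls related items
#  that control how FreeRADIUS connects to an LDAP
#  server.  It contains all of the "tls_*" configuration
#  entries used in older versions of FreeRADIUS.  Those
#  configuration entries can still be used, but we recommend
#  using these.
#
tls {
# Set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
#
# The StartTLS operation is supposed to be
# used with normal ldap connections instead of
# using ldaps (port 636) connections
start_tls = no

cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random

#  Certificate Verification requirements.  Can be:
#    "never" (don't even bother trying)
#    "allow" (try, but don't fail if the certificate
# can't be verified)
#    "demand" (fail if the certificate doesn't verify.)
#
# The default is "allow"
#
#  "never" has no effect while start_tls = no, but it also
#  disables server authentication the moment TLS is switched
#  on: any host answering on the port could then receive the
#  binds.  A CA file is already configured above, so "demand"
#  is the value to pair with start_tls = yes.
require_cert = "never"
}

### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
### profile_attribute = "radiusProfileDn" ###
### access_attr = "dialupAccess" ###

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${confdir}/ldap.attrmap
################## THE BELOW IS NOT COMPILED WITH FREERADIUS
#################################
#  Set password_attribute = nspmPassword to get the
#  user's password from a Novell eDirectory
#  backend. This will work ONLY IF FreeRADIUS has been
#  built with the --with-edir configure option.
#
#  See also the following links:
#
#  http://www.novell.com/coolsolutions/appnote/16745.html
#
#  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
#
#  Novell may require TLS encrypted sessions before returning
#  the user's password.
#
# password_attribute = userPassword

#  Un-comment the following to disable Novell
#  eDirectory account policy check and intruder
#  detection. This will work *only if* FreeRADIUS is
#  configured to build with --with-edir option.
#
edir_account_policy_check = no
################## THE ABOVE IS NOT COMPILED WITH FREERADIUS
#################################
#
#  Group membership checking.  Disabled by default.
#
#  The Ldap-Group check item in the users file compares against
#  this attribute, so "InternetAccess" is matched by cn, not by DN.
groupname_attribute = cn
#  The key and its value must sit on one line; a value on the
#  following line is not parsed as part of this entry.
#  NOTE(review): this filter only matches GroupOfNames /
#  GroupOfUniqueNames objects.  Active Directory groups are
#  objectClass=group with a "member" attribute, so a name lookup
#  through this filter presumably finds nothing and the check falls
#  back to the memberOf attribute below -- confirm in "radiusd -X".
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
#  AD maintains memberOf on the user object (list of group DNs).
groupmembership_attribute = memberOf

compare_check_items = no
do_xlat = yes
access_attr_used_for_allow = yes

#
#  The following two configuration items are for Active Directory
#  compatibility.  If you see the helpful "operations error"
#  being returned to the LDAP module, uncomment the next
#  two lines.
#

### MS Active Directory Compatibility is disabled ###

#
#  By default, if the packet contains a User-Password,
#  and no other module is configured to handle the
#  authentication, the LDAP module sets itself to do
#  LDAP bind for authentication.
#
#  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
#
#  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
#
#  You can disable this behavior by setting the following
#  configuration entry to "no".
#
#  allowed values: {no, yes}
# set_auth_type = yes

#  ldap_debug: debug flag for LDAP SDK
#  (see OpenLDAP documentation).  Set this to enable
#  huge amounts of LDAP debugging on the screen.
#  You should only use this if you are an LDAP expert.
#
# default: 0x0000 (no debugging messages)
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
#ldap_debug = 0x0028

#
#  Keepalive configuration.  This MAY NOT be supported by your
#  LDAP library.  If these configuration entries appear in the
#  output of "radiusd -X", then they are supported.  Otherwise,
#  they are unsupported, and changing them will do nothing.
#
keepalive {
# LDAP_OPT_X_KEEPALIVE_IDLE
idle = 60

# LDAP_OPT_X_KEEPALIVE_PROBES
probes = 3

# LDAP_OPT_X_KEEPALIVE_INTERVAL
interval = 3
}
}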


##################################################
Users.conf:
##################################################

/usr/pbi/freeradius-i386/etc/raddb/users

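#  Local test account; Cleartext-Password lets rlm_pap verify PAP.
"test" Cleartext-Password := "squidtest"

#  Group gate.  Ldap-Group is a check item resolved by rlm_ldap's
#  compare callback; with groupname_attribute = cn the value is a
#  group name rather than a DN.
#
#  No Auth-Type is forced on the member entry.  The module's own
#  comment states that when the request carries a User-Password and
#  nothing else claims authentication, rlm_ldap sets Auth-Type = LDAP
#  and verifies the password with an LDAP bind.  The previous
#  "Auth-Type := Accept" skipped that bind: every group member was
#  accepted with any password, which is the "authorized but never
#  authenticated" symptom.  The bind path needs the ldap module listed
#  under authenticate { Auth-Type LDAP { ldap } } in the virtual
#  server -- confirm with "radiusd -X".
DEFAULT Ldap-Group == "InternetAccess"
DEFAULT Ldap-Group != "InternetAccess", Auth-Type := Reject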

On Tue, Apr 21, 2015 at 12:07 AM, Jose Torres-Berrocal <
jetsystemservices at gmail.com> wrote:

> I noticed that my problem is that when using group options I get
> authorized successfully but does not get authenticated (Using Compare Check
> Items = No results in Access-Accept). When not using group options I get
> authorized and authenticated successfully.
>
> Is there a way to do a two pass process?  If I could run the first pass
> without group options and the second pass if authenticated run with group
> options, I will get my desired result.
>
> By the way I found how to run in debug mode in pfsense and do some custom
> changes in the Users.conf file.
>
> On Wed, Mar 25, 2015 at 2:24 PM, Jose Torres-Berrocal <
> jetsystemservices at gmail.com> wrote:
>
>> I am using the Freeradius2 2.1.12_1/2.2.5_3 pkg v1.6.10 in pfsense 2.1.5
>>
>> I can't modify the conf files manually.  I have to use the pfsense WebGui.
>>
>> I could authenticate the users of the LDAP successfully but when I try to
>> authenticate using group membership options it fails with the following
>> logs.
>>
>> Wed Mar 25 13:39:09 2015 : Info: Loaded virtual server <default>
>> Wed Mar 25 13:39:09 2015 : Info: Ready to process requests.
>> Wed Mar 25 13:39:27 2015 : Auth: Invalid user (  [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>> Wed Mar 25 13:39:33 2015 : Auth: Invalid user (  [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>> Wed Mar 25 13:39:34 2015 : Auth: Invalid user (  [ldap] Pairs do not
>> match): [administrator] (from client squid port 111)
>>
>> On pfsense I do not see an option to run in debug mode, but probably you
>> can help me with the pfsense produced ldap conf file.  I do not use fancy
>> stuff. After I get it working I may try to add TLS configuration to have
>> encrypted comm or passwords.
>>
>> The LDAP is an Active Directory on a Windows 2003 Server.
>> The group name is InternetAccess.  (Is this case sensitive?)
>> I do not have a radiusprofile, where there is mention of radiusprofile is
>> a default generated line.  (In pfsense I may change the line but can not
>> remove it or comment it out.)
>>
>> LDAP CONF:
>>
>> /usr/pbi/freeradius-i386/etc/raddb/modules/ldap
>> # -*- text -*-
>> #
>> #  $
>>
>> # Lightweight Directory Access Protocol (LDAP)
>> #
>> #  This module definition allows you to use LDAP for
>> #  authorization and authentication.
>> #
>> #  See raddb/sites-available/default for reference to the
>> #  ldap module in the authorize and authenticate sections.
>> #
>> #  However, LDAP can be used for authentication ONLY when the
>> #  Access-Request packet contains a clear-text User-Password
>> #  attribute.  LDAP authentication will NOT work for any other
>> #  authentication method.
>> #
>> #  This means that LDAP servers don't understand EAP.  If you
>> #  force "Auth-Type = LDAP", and then send the server a
>> #  request containing EAP authentication, then authentication
>> #  WILL NOT WORK.
>> #
>> #  The solution is to use the default configuration, which does
>> #  work.
>> #
>> #  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
>> #  really can't emphasize this enough.
>> #
>> ldap {
>> #
>> #  Note that this needs to match the name in the LDAP
>> #  server certificate, if you're using ldaps.
>> server = "jetsms-srv2003.jetdom.local"
>> port = "389"
>> identity = "cn=pfsense,cn=Users,dc=jetdom,dc=local"
>> password = Mypassword
>> basedn = "cn=Users,dc=jetdom,dc=local"
>> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>> base_filter = "(objectclass=radiusprofile)"
>>
>> #  How many connections to keep open to the LDAP server.
>> #  This saves time over opening a new LDAP socket for
>> #  every authentication request.
>> ldap_connections_number = 5
>>
>> # seconds to wait for LDAP query to finish. default: 20
>> timeout = 4
>>
>> #  seconds LDAP server has to process the query (server-side
>> #  time limit). default: 20
>> #
>> #  LDAP_OPT_TIMELIMIT is set to this value.
>> timelimit = 3
>>
>> #
>> #  seconds to wait for response of the server. (network
>> #   failures) default: 10
>> #
>> #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
>> net_timeout = 1
>>
>> #
>> #  This subsection configures the tls related items
>> #  that control how FreeRADIUS connects to an LDAP
>> #  server.  It contains all of the "tls_*" configuration
>> #  entries used in older versions of FreeRADIUS.  Those
>> #  configuration entries can still be used, but we recommend
>> #  using these.
>> #
>> tls {
>> # Set this to 'yes' to use TLS encrypted connections
>> # to the LDAP database by using the StartTLS extended
>> # operation.
>> #
>> # The StartTLS operation is supposed to be
>> # used with normal ldap connections instead of
>> # using ldaps (port 689) connections
>> start_tls = no
>>
>> cacertfile = /usr/pbi/freeradius-i386/etc/raddb/certs/ca_ldap1_cert.pem
>> cacertdir = /usr/pbi/freeradius-i386/etc/raddb/certs/
>> certfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.crt
>> keyfile = /usr/pbi/freeradius-i386/etc/raddb/certs/radius_ldap1_cert.key
>> randfile = /usr/pbi/freeradius-i386/etc/raddb/certs/random
>>
>> #  Certificate Verification requirements.  Can be:
>> #    "never" (don't even bother trying)
>> #    "allow" (try, but don't fail if the certificate
>> # can't be verified)
>> #    "demand" (fail if the certificate doesn't verify.)
>> #
>> # The default is "allow"
>> require_cert = "never"
>> }
>>
>> ### default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" ###
>> ### profile_attribute = "radiusProfileDn" ###
>> ### access_attr = "dialupAccess" ###
>>
>> # Mapping of RADIUS dictionary attributes to LDAP
>> # directory attributes.
>> dictionary_mapping = ${confdir}/ldap.attrmap
>> ################## THE BELOW IS NOT COMPILED WITH FREERADIUS
>> #################################
>> #  Set password_attribute = nspmPassword to get the
>> #  user's password from a Novell eDirectory
>> #  backend. This will work ONLY IF FreeRADIUS has been
>> #  built with the --with-edir configure option.
>> #
>> #  See also the following links:
>> #
>> #  http://www.novell.com/coolsolutions/appnote/16745.html
>> #
>> https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
>> #
>> #  Novell may require TLS encrypted sessions before returning
>> #  the user's password.
>> #
>> # password_attribute = userPassword
>>
>> #  Un-comment the following to disable Novell
>> #  eDirectory account policy check and intruder
>> #  detection. This will work *only if* FreeRADIUS is
>> #  configured to build with --with-edir option.
>> #
>> edir_account_policy_check = no
>> ################## THE ABOVE IS NOT COMPILED WITH FREERADIUS
>> #################################
>> #
>> #  Group membership checking.  Disabled by default.
>> #
>> groupname_attribute = cn
>> groupmembership_filter =
>> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
>> groupmembership_attribute = InternetAccess
>>
>> compare_check_items = yes
>> do_xlat = yes
>> access_attr_used_for_allow = yes
>>
>> #
>> #  The following two configuration items are for Active Directory
>> #  compatibility.  If you see the helpful "operations error"
>> #  being returned to the LDAP module, uncomment the next
>> #  two lines.
>> #
>>
>> ### MS Active Directory Compatibility is disabled ###
>>
>> #
>> #  By default, if the packet contains a User-Password,
>> #  and no other module is configured to handle the
>> #  authentication, the LDAP module sets itself to do
>> #  LDAP bind for authentication.
>> #
>> #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
>> #
>> #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
>> #
>> #  You can disable this behavior by setting the following
>> #  configuration entry to "no".
>> #
>> #  allowed values: {no, yes}
>> # set_auth_type = yes
>>
>> #  ldap_debug: debug flag for LDAP SDK
>> #  (see OpenLDAP documentation).  Set this to enable
>> #  huge amounts of LDAP debugging on the screen.
>> #  You should only use this if you are an LDAP expert.
>> #
>> # default: 0x0000 (no debugging messages)
>> # Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
>> #ldap_debug = 0x0028
>>
>> #
>> #  Keepalive configuration.  This MAY NOT be supported by your
>> #  LDAP library.  If these configuration entries appear in the
>> #  output of "radiusd -X", then they are supported.  Otherwise,
>> #  they are unsupported, and changing them will do nothing.
>> #
>> keepalive {
>> # LDAP_OPT_X_KEEPALIVE_IDLE
>> idle = 60
>>
>> # LDAP_OPT_X_KEEPALIVE_PROBES
>> probes = 3
>>
>> # LDAP_OPT_X_KEEPALIVE_INTERVAL
>> interval = 3
>> }
>> }
>>
>
>

