Active Directory integration and grant access based on AD group membership

Luc Paulin paulinster at gmail.com
Wed Feb 15 18:15:07 CET 2017


OK, thanks for your reply. I think I'm now starting to better understand
how this works. So policies need to/can be written within auth so we
can reject requests based on the person's group membership and huntgroup.

So based on this I made this simple switch/case that I added to the
authorize section after the ldap module:

switch Huntgroup-Name {
  case "wireless1" {
    if (Ldap-Group != "admin-galaxie") {
      reject
    }
  }
  case "wireless2" {
    if (Ldap-Group != "devopsusers") {
      reject
    }
  }
  case {
    reject
  }
}

However, when I test I don't seem to be getting the expected result.

++[pap] = noop
++switch Huntgroup-Name {
++switch Huntgroup-Name {
+++case wireless2 {
++++? if (Ldap-Group != "devopsusers")
  [ldap] Entering ldap_groupcmp()
expand: DC=corp,DC=stingraydigital,DC=com ->
DC=corp,DC=stingraydigital,DC=com
expand:
(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn}))
-> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc
Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with
filter
(&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc
Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)))
*rlm_ldap::ldap_groupcmp: User found in group devopsusers*
  [ldap] ldap_release_conn: Release Id: 0
*? Evaluating (Ldap-Group != "devopsusers") -> TRUE*
*++++? if (Ldap-Group != "devopsusers") -> TRUE*
++++if (Ldap-Group != "devopsusers") {
+++++[reject] = reject
++++} # if (Ldap-Group != "devopsusers") = reject
+++} # case wireless2 = reject
++} # switch Huntgroup-Name = reject
+} # group authorize = reject

It looks like Ldap-Group did find that the user is a member of the
devopsusers group, which is correct; however, when I do the negative compare
(!=) it also returns true. I have also tried with "==" and got the exact same
result:

++[pap] = noop
++switch Huntgroup-Name {
++switch Huntgroup-Name {
+++case wireless2 {
++++? if (Ldap-Group == "devopsusers")
  [ldap] Entering ldap_groupcmp()
expand: DC=corp,DC=stingraydigital,DC=com ->
DC=corp,DC=stingraydigital,DC=com
expand:
(&(objectClass=Group)(objectCategory=Group)(member=%{control:Ldap-UserDn}))
-> (&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc
Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=corp,DC=stingraydigital,DC=com, with
filter
(&(cn=devopsusers)(&(objectClass=Group)(objectCategory=Group)(member=CN\3dLuc
Paulin\2cOU\3dInfrastructure\2cOU\3dIT\2cDC\3dcorp\2cDC\3dstingraydigital\2cDC\3dcom)))
*rlm_ldap::ldap_groupcmp: User found in group devopsusers*
  [ldap] ldap_release_conn: Release Id: 0
*? Evaluating (Ldap-Group == "devopsusers") -> TRUE*
*++++? if (Ldap-Group == "devopsusers") -> TRUE*
++++if (Ldap-Group == "devopsusers") {
+++++[reject] = reject
++++} # if (Ldap-Group == "devopsusers") = reject
+++} # case wireless2 = reject
++} # switch Huntgroup-Name = reject
+} # group authorize = reject


Thanks for your help

--
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
   Luc Paulin
   email: paulinster(at)gmail.com
   Skype: paulinster


2017-02-14 12:03 GMT-05:00 Alan DeKok <aland at deployingradius.com>:

> On Feb 14, 2017, at 11:57 AM, Luc Paulin <paulinster at gmail.com> wrote:
> >
> > Thanks Matthew,
> > I already had a look at that URL but it looks like it doesn't work.
>
>   It works if you follow the documentation.
>
> > Must be
> > something I am not doing right, but unsure what.
> >
> > I have created a huntgroup which looks like this:
> >
> > wireless         NAS-IP-Address == 10.1.0.81
> >
> > and my users file only has the following line in it:
> >
> > DEFAULT    Ldap-Group == "admin-galaxie", Huntgroup-Name == "wireless"
> >
> > So my understanding is that users who aren't members of the wireless-users
> > group shouldn't be granted access to the wireless network/device. But
> that
> > isn't what's happening; everyone is granted access.
>
>   That's not how the "users" file works.  Please read the documentation to
> see how it works.
>
>   That DEFAULT entry just checks if the LDAP-Group and Huntgroup-Name
> match.  It doesn't *do* anything if they match, or if they don't match.
>
>   You should write your policies in "unlang".  It's clearer:
>
> authorize {
>         ...
>
>         # check only the first packet of EAP, and all non-EAP
>         if (!&EAP-Message || !State) {
>                 if ((Huntgroup-Name == "wireless") && (Ldap-Group !=
> "admin-galaxies")) {
>                         reject
>                 }
>         }
> }
>
>   It's *much* easier to write clear if / then / else statements, instead
> of relying on your assumption about how the "users" file works.
>
>   Alan DeKok.
>
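The following is an added example, not code from either message in this thread, showing one complete form of the authorize policy that the thread discusses: Alan's EAP guard wrapped around a per-huntgroup membership check using the group and huntgroup names from Luc's configuration. The debug output above shows both `Ldap-Group != "devopsusers"` and `Ldap-Group == "devopsusers"` evaluating to TRUE once rlm_ldap reports the user as found in the group, so this example tests membership only with `==` and negates the whole condition with `!`; that this form behaves differently on the server version in the thread is an assumption, not something the thread confirms. The `...` stands for whatever other modules the site lists in authorize.

```unlang
authorize {
        ...
        # ldap must run before the policy so that control:Ldap-UserDn is
        # populated; the debug output shows the group filter expanding it.
        ldap

        # Evaluate the policy only on the first packet of an EAP
        # conversation and on all non-EAP requests (Alan's guard above).
        if (!&EAP-Message || !State) {
                switch Huntgroup-Name {
                        case "wireless1" {
                                # Assumption: membership is tested with "==" only
                                # and the result negated, instead of relying on
                                # "!=" being honoured by the group comparison.
                                if (!(Ldap-Group == "admin-galaxie")) {
                                        reject
                                }
                        }
                        case "wireless2" {
                                if (!(Ldap-Group == "devopsusers")) {
                                        reject
                                }
                        }
                        case {
                                # Request from a NAS in no known huntgroup:
                                # deny by default rather than fall through.
                                reject
                        }
                }
        }
        ...
}
```

The huntgroup names in the `case` labels must match entries in the huntgroups file (the thread shows the form `wireless NAS-IP-Address == 10.1.0.81`), and a request from a NAS that matches no entry has no Huntgroup-Name and falls into the default `case`, which rejects it. When testing with `radiusd -X`, the lines to look for are `rlm_ldap::ldap_groupcmp: User found in group ...` followed by the `Evaluating (...)` result, so that a reject can be traced to either a failed group lookup or a failed condition.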

