LDAP group authentication
Jake L.
jake_homs at yahoo.com
Fri Jul 21 20:53:38 CEST 2017
Thanks again Bogdan and sorry for my long delay on this. If you or anyone else can assist in our question below that would be awesome. Just getting back to it with my co-workers and we are running into the following issue. We've set it up using your examples below, but it says it's unable to find the user via ldap. When we disable checking via the "memberOf" method, it is able to find the user. The part I may have wrong is the commented out section inside of the ldap stanza underneath 'update'. However, anything I uncommented there failed to work. Any thoughts? Here are our tests and setups:
If anyone has any suggestions, please let me know (or if you need more details!). Much thanks!!
Testing using radtest (on the same machine running radiusd -X):
[root at radius-server ~]# radtest "intopstest" 'testing123' localhost 2 'secret'
Sending Access-Request Id 139 from 0.0.0.0:45099 to 127.0.0.1:1812
User-Name = 'intopstest'
User-Password = 'testing123'
NAS-IP-Address = 100.64.67.30
NAS-Port = 2
Message-Authenticator = 0x00
Received Access-Reject Id 139 from 127.0.0.1:1812 to 127.0.0.1:45099 length 20
(0) -: Expected Access-Accept got Access-Reject
LOG ERROR using radiusd -X:
(snipped for readability)
(0) ldap : EXPAND (|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com)))
(0) ldap : --> (|(&(uid=intopstest)(memberOf=cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com)))
(0) ldap : EXPAND cn=users,cn=accounts,dc=example,dc=com
(0) ldap : --> cn=users,cn=accounts,dc=example,dc=com
(0) ldap : Performing search in 'cn=users,cn=accounts,dc=example,dc=com' with filter '(|(&(uid=intopstest)(memberOf=cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com)))', scope 'sub'
(0) ldap : Waiting for search result...
(0) ldap : Search returned no results
rlm_ldap (ldap): Released connection (4)
(0) [ldap] = notfound
(0) if ((ok || updated) && User-Password)
(0) if ((ok || updated) && User-Password) -> FALSE
(0) [expiration] = noop
(0) [logintime] = noop
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
/etc/radiusd/mods-available/ldap:
(snipped for readability)
ldap {
    server = "ldap.lxi.example.com"
    port = 389
    identity = "uid=svc_ovirt,cn=users,cn=accounts,dc=example,dc=com"
    password = "password"
    base_dn = "cn=users,cn=accounts,dc=example,dc=com"
    rad_group = "cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com"
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        # control:NT-Password := 'ntPassword'
        # reply:Reply-Message := 'radiusReplyMessage'
        # reply:Tunnel-Type := 'radiusTunnelType'
        # reply:Tunnel-Medium-Type := 'radiusTunnelMediumType'
        # reply:Tunnel-Private-Group-ID := 'radiusTunnelPrivategroupId'
        # control: += 'radiusCheckAttributes'
        # reply: += 'radiusReplyAttributes'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..rad_group})))"
        sasl {
        }
        # Search scope, may be 'base', 'one', 'sub' or 'children'
        scope = 'sub'
    }
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=posixGroup)"
        # Stock FreeRADIUS 3 default; only the tail of this line survived in the posted snippet
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    }
.....
Thank you,
Jake
--------------------------------------------
On Wed, 6/28/17, Bogdan Rudas via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
Subject: Re: LDAP group authentication
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
Date: Wednesday, June 28, 2017, 3:23 AM
Hi,
Something like this:
ldap {
    server = 'ldap.int'
    identity = 'cn=raidus-ro,ou=users,dc=company,dc=int'
    password = '12345'
    base_dn = 'ou=users,dc=company,dc=int'
    ldapgroup = 'cn=WiFi,ou=group,dc=company,dc=int'
    sasl {
    }
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusControlAttribute'
        request: += 'radiusRequestAttribute'
        reply: += 'radiusReplyAttribute'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
        sasl {
        }
    }
...... cut here...
On Tue, Jun 27, 2017 at 6:53 PM, Jake L. <jake_homs at yahoo.com> wrote:
> Hi Bogdan,
> Thank you for the information. This looks like a good method for us as
> well. Are you setting up the 'ldapgroup' inside the group section of the
> ldap module? If so, can you show me the stanza you're using? Thank you!
>
>
> On Tuesday, June 27, 2017 1:20 AM, Bogdan Rudas via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
>
> Hi Jake,
>
> We are using *memberOf* in the filter of the "user { }" section in
> */etc/freeradius/mods-available/ldap*
>
> user {
>     base_dn = "${..base_dn}"
>
>     filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
>
>     sasl {
>     }
> }
>
> I suspect FreeIPA has a similar attribute for reverse group membership
> lookups.
>
> On Tue, Jun 27, 2017 at 1:36 AM, Jake L. via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
>
> > Hello - I successfully got our Freeradius server to authenticate against
> > our FreeIPA LDAP environment, allowing user access. Currently, all users in
> > here will be granted successful access. However, I'm having trouble trying
> > to identify what to set up to get only a single group in our FreeIPA
> > environment allowed to authenticate while all other groups are denied. In a
> > nutshell, I want to only allow the "network-team" group authenticated
> > access via the Freeradius server, and any/all other groups to be denied. In
> > my wiki and google searches, I've found reference to "group_authorization",
> > but I can't find that module in the policy.d or mods-available folder.
> > Also, I've seen the reference to huntgroups, but only when queried against
> > SQL, which shouldn't be needed in my case. Can anyone point me in the right
> > direction to get this working?
> > TL;DR = Need info on setting up Freeradius authentication to LDAP only for
> > a specific group, denying all other groups.
> > Thank you! Jake
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> --
> Bogdan Rudas
> Director of IT offshore
> Exadel Inc.
> http://www.exadel.com/
> E-mail: brudas at exadel.com
> Skype ID: bogdan.rudas
>
> --
> CONFIDENTIALITY NOTICE: This email and files attached to it are
> confidential. If you are not the intended recipient you are hereby notified
> that using, copying, distributing or taking any action in reliance on the
> contents of this information is strictly prohibited. If you have received
> this email in error please notify the sender and delete this email.
>
--
Bogdan Rudas
Director of IT offshore
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
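The thread turns on a single LDAP search: rlm_ldap expands the user filter, sends it to the directory, and treats zero results as "notfound", which is why the debug log ends in a reject before any Auth-Type is set. Below is an added example (not FreeRADIUS, FreeIPA or either poster's code): a small RFC 4515 filter parser and evaluator, run against constructed FreeIPA-style user entries, that performs the same expansion as the posted `user { }` stanza and shows which entries the `(|(&(uid=...)(memberOf=...)))` filter would return. The directory entries, the `netadmin` user and the idea that `intopstest` lacks the group's `memberOf` value are assumptions made for the demonstration, not facts from the thread; the base DN, group DN and filter template are copied from the posted configuration.

```python
"""Emulation of the rlm_ldap 'user' lookup from this thread.

Added example: a minimal RFC 4515 filter parser/evaluator run against
constructed FreeIPA-style entries, so the result of the expanded filter
(and the reason for 'Search returned no results') is visible offline.
"""
import re

# Values taken from the posted configuration.
BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"
RAD_GROUP = "cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com"
USER_FILTER = ("(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
               "(memberOf=${..rad_group})))")

# Constructed sample directory (assumption: invented for this example, not the
# poster's data). Each entry is a user DN plus the attributes a FreeIPA server
# would return to the bound service account.
DIRECTORY = [
    {"dn": "uid=intopstest," + BASE_DN,
     "attrs": {"uid": ["intopstest"],
               "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"]}},
    {"dn": "uid=netadmin," + BASE_DN,
     "attrs": {"uid": ["netadmin"],
               "memberOf": ["cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
                            RAD_GROUP]}},
    {"dn": "uid=svc_ovirt," + BASE_DN,
     "attrs": {"uid": ["svc_ovirt"], "memberOf": []}},
]


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: *, (, ), backslash and NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(template, request, config):
    """Expand the two references the posted filter uses.

    ${..rad_group} is a config reference; %{%{Stripped-User-Name}:-%{User-Name}}
    is the alternation xlat (Stripped-User-Name if set, else User-Name). The
    value is escaped before substitution, as rlm_ldap does for filter xlats,
    so a crafted User-Name cannot change the filter's structure.
    """
    name = request.get("Stripped-User-Name") or request["User-Name"]
    out = template.replace("${..rad_group}", config["rad_group"])
    return out.replace("%{%{Stripped-User-Name}:-%{User-Name}}", ldap_escape(name))


def parse_filter(text, i=0):
    """Recursive-descent parser for the subset of RFC 4515 used here:
    (&...), (|...), (!...) and (attr=value), with value '*' meaning presence."""
    if text[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if text[i] in "&|!":
        op, i, kids = text[i], i + 1, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            kids.append(node)
        if text[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, kids), i + 1
    end = text.index(")", i)  # an escaped ')' is '\29', so this is the real close
    attr, _, value = text[i:end].partition("=")
    return ("=", attr, value), end + 1


def matches(node, attrs):
    op = node[0]
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    # Attribute names are case-insensitive, and uid / DN-valued memberOf use
    # case-insensitive matching rules, so compare case-folded values.
    have = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(have)
    return ldap_unescape(value).lower() in have


def search(filter_text, directory=DIRECTORY):
    """Return the DNs a subtree search with this filter would yield."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["dn"] for e in directory if matches(node, e["attrs"])]


def user_lookup(user_name, stripped_user_name=None, directory=DIRECTORY):
    """What the 'user' section does: expand the filter, then search.
    Returns (expanded_filter, matching_dns); an empty list is rlm_ldap's 'notfound'."""
    request = {"User-Name": user_name}
    if stripped_user_name:
        request["Stripped-User-Name"] = stripped_user_name
    expanded = expand(USER_FILTER, request, {"rad_group": RAD_GROUP})
    return expanded, search(expanded, directory)


if __name__ == "__main__":
    for name in ("intopstest", "netadmin", "*)(uid=*"):
        flt, dns = user_lookup(name)
        print(flt, "->", dns or "notfound")
```

For `intopstest` the expanded string is byte-for-byte the filter shown in the `radiusd -X` output, and the sample entry without the group's `memberOf` value produces an empty result, i.e. `[ldap] = notfound`. The same expansion can be reproduced against the real directory with `ldapsearch -x -D "<identity>" -W -b "<base_dn>" '<expanded filter>' memberOf`, bound as the service account from the `identity` setting: if the account can read the user but the returned entry carries no `memberOf` for the group, the filter cannot match regardless of how the rest of the module is configured. The outer `(|...)` wrapper has a single operand and is harmless, but `(&(uid=...)(memberOf=...))` expresses the same check more plainly.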