LDAP Post-Auth with computer names using eap-tls certs

Kevin Virk Kevin.Virk at faithlife.com
Wed Nov 28 22:39:54 CET 2018


So I'll give a brief summary of everything I have done so far. I have set a freeradius server to work with certs. I originally had the certs named by user name, but my company had decided that computer names was the way they wanted to go. So I changed the certs to hand out the sAMAccountName of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down. Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am: I have this query that works in ldp.exe



(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local))


This query returns computer names and works in ldp. Below are snippets from my conf files.

ldap module conf:

        user {
                #  Where to start searching in the tree for users
                base_dn = "${..base_dn}"

                #  Filter for user objects, should be specific enough
                #  to identify a single user object.
                #
                #  For Active Directory, you should use
                #  "samaccountname=" instead of "uid="
                #
                filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                #  Where to start searching in the tree for groups
                base_dn = "${..base_dn}"

                #  Filter for group objects, should match all available
                #  group objects a user might be a member of.
#               filter = '(objectClass=posixGroup)'

                #  Search scope, may be 'base', 'one', 'sub' or 'children'
#               scope = 'sub'

                #  Attribute that uniquely identifies a group.
                #  Is used when converting group DNs to group
                #  names.
#               name_attribute = cn

                #  Filter to find group objects a user is a member of.
                #  That is, group objects with attributes that
                #  identify members (the inverse of membership_attribute).
                membership_filter = "(|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))"

                #  The attribute in user objects which contain the names
                #  or DNs of groups a user is a member of.
                #
                #  Unless a conversion between group name and group DN is
                #  needed, there's no requirement for the group objects
                #  referenced to actually exist.
                membership_attribute = 'member:1.2.840.113556.1.4.1941'
        }

Default site, ldap query example:

        ldap
        if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") {
                update reply {
                        &Tunnel-Type := "VLAN"
                        &Tunnel-Medium-Type := "6"
                        &Tunnel-Private-Group-Id := "103"
                }
        }

Here is a snippet from the error in the debug output:
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)     User object found at DN "CN=ComputerName,OU=Computers,OU=Departments,DC=testDomain,DC=net"
Mon Nov 26 23:53:09 2018 : Debug: (5)     Checking for user in group objects
Mon Nov 26 23:53:09 2018 : Debug: (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: Parsed xlat tree:
Mon Nov 26 23:53:09 2018 : Debug: literal --> (|(&(objectClass=computer)(member=
Mon Nov 26 23:53:09 2018 : Debug: attribute --> LDAP-UserDN
Mon Nov 26 23:53:09 2018 : Debug: literal --> )))
Mon Nov 26 23:53:09 2018 : Debug: (5)       EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5)          --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: (5)       Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)       Performing search in "CN=VLAN,OU=generalgroups,OU=Departments,DC=testDomain,DC=local" with filter "(|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))", scope "sub"
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5)       Search returned no results
Mon Nov 26 23:53:09 2018 : Debug: (5)     Checking user object's member:1.2.840.113556.1.4.1941 attributes
Mon Nov 26 23:53:09 2018 : Debug: (5)       Performing unfiltered search in "CN=computerName,OU=computers,OU=Departments,DC=testDomain,DC=local", scope "base"
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5)     No group membership attribute(s) found in user object
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap: Closing libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Info: Need 3 more connections to reach min connections (3)
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Connecting to ldap://server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): New libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)     User is not a member of "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
Mon Nov 26 23:53:09 2018 : Debug: (5)     if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") -> FALSE

I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class to group from computer, but only in the sub groups and not the larger group. Any help would be greatly appreciated.
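The debug output above shows the two lookups rlm_ldap performs (a search for entries whose member attribute contains the computer's DN, then a read of the computer's own membership attribute) and the hex escaping FreeRADIUS applies to the DN before it is placed in the filter. The following Python model is an added illustration written for this page, not code from the post, FreeRADIUS or Active Directory. It evaluates three variants of the membership filter over a small in-memory directory: the objectClass=computer filter from the post, a plain objectClass=group filter, and a group filter using the 1.2.840.113556.1.4.1941 chain rule from the post's ldp.exe query. The directory entries are constructed sample data that reuse the post's DNs; the helper names (escape_filter_value, membership_filter, matching_entries, transitive_members) are hypothetical; and the escape set is RFC 4515's required characters plus the '=' and ',' that the post's debug log also shows escaped.

```python
"""Toy model of the membership check rlm_ldap asks the directory for, and why
an objectClass=computer filter cannot return group entries.  Added example;
DIRECTORY is constructed sample data built from the DNs in the post."""
from typing import Dict, List, Set

COMPUTER_DN = "CN=ComputerName,OU=Computers,OU=Departments,DC=testDomain,DC=local"
WORKSTATIONS_DN = "CN=workstations,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
VLAN_GROUP_DN = "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # OID used in the post's filter

# Constructed tree: the computer sits in "workstations", which is nested in "vlan".
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    COMPUTER_DN: {"objectClass": ["computer"], "member": []},
    WORKSTATIONS_DN: {"objectClass": ["group"], "member": [COMPUTER_DN]},
    VLAN_GROUP_DN: {"objectClass": ["group"], "member": [WORKSTATIONS_DN]},
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as \\XX hex pairs before embedding it in a filter.

    RFC 4515 requires this for * ( ) \\ and NUL; the post's debug output also
    shows '=' and ',' as \\3d and \\2c, so they are included here (assumption).
    Escaping the expanded DN is what keeps a crafted User-Name from changing the
    structure of the filter that is sent to the directory."""
    must_escape = set("*()\\\x00=,")
    return "".join(f"\\{ord(ch):02x}" if ch in must_escape else ch for ch in value)


def membership_filter(user_dn: str, object_class: str, transitive: bool) -> str:
    """Build (&(objectClass=<cls>)(member[:chain:]=<escaped dn>)) for one user."""
    attr = "member"
    if transitive:
        attr += f":{LDAP_MATCHING_RULE_IN_CHAIN}:"
    return f"(&(objectClass={object_class})({attr}={escape_filter_value(user_dn)}))"


def transitive_members(group_dn: str) -> Set[str]:
    """Follow member= through nested groups: the closure the chain rule walks."""
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        for member in DIRECTORY.get(stack.pop(), {}).get("member", []):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen


def matching_entries(user_dn: str, object_class: str, transitive: bool) -> List[str]:
    """Evaluate the filter over DIRECTORY and return the DNs of matching entries."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if object_class not in attrs["objectClass"]:
            continue  # objectClass=computer never matches a group entry
        members = transitive_members(dn) if transitive else set(attrs["member"])
        if user_dn in members:
            hits.append(dn)
    return sorted(hits)


if __name__ == "__main__":
    for cls, chain in (("computer", False), ("group", False), ("group", True)):
        print(membership_filter(COMPUTER_DN, cls, chain))
        print("   ->", matching_entries(COMPUTER_DN, cls, chain) or "Search returned no results")
```

Run as a script, the first variant reproduces the empty result in the debug log (no group entry has objectClass=computer), the second finds only the directly containing sub group, and the chain-rule variant also returns the outer vlan group, which is the behaviour the post reports getting from ldp.exe.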