group membership on LDAP/AD servers
Stefano Cailotto [EDALab]
stefano.cailotto at edalab.it
Thu Jul 25 11:29:43 CEST 2019
Hello,
I'm configuring a server that is connected to a 389ds (LDAP) server and to an AD
server for authentication and authorization (on AD, authentication is performed
through ntlm_auth and authorization, i.e. group membership checking, through the
LDAP protocol).
Authentication is done by forcing Auth-Type according to User-Name in the authorize
section through a regex:
    if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
    else {
        update control {
            Auth-Type := ldap
        }
    }
and it works, as I can authenticate user scailotto on 389ds and stefano.cailotto
on AD with ntlm_auth.
Authorization too works flawlessly if in the authorize section I use only one
kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for
stefano.cailotto).
The main problem arises when RADIUS tries to match group membership for the
user, as it always points to the AD server.
I tried to play with group statements to force using both servers, but with no
success.
If I understand the debug info well, the query is performed starting from the
"files" module: the users file contains statements like
    DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
        Juniper-Local-User-Name="level15", Unisphere-Alternate-Cli-Access-Level="15"
and so a match between user and groups must be made.
My default file is as follows:
    authorize {
        preprocess
        auth_log
        if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
            update control {
                Auth-Type := ntlm_auth
            }
        }
        else {
            update control {
                Auth-Type := ldap
            }
        }
        group {
            ldap1 {
                fail = 1
                notfound = 1
            }
            ad_corporate_1 {
                fail = 1
                notfound = 1
            }
        }
        files
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        digest
        unix
        Auth-Type ldap {
            redundant {
                ldap1
                ldap2
            }
        }
        Auth-Type ntlm_auth {
            ntlm_auth
        }
        eap
    }
...
So, my question is: is there a way to force querying a specific server,
according to Auth-Type or User-Name? I.e.
    User-Name = scailotto -> Auth-Type = ldap -> search group membership on ldap1
    User-Name = stefano.cailotto -> Auth-Type = ntlm_auth -> search group membership
    on ad_corporate_1 (using the LDAP protocol)
I suppose it should somehow be forced in the users file, but I can't figure out
how...
TIA,
Stefano
--
Stefano Cailotto
More information about the Freeradius-Users mailing list