group membership on LDAP/AD servers

Stefano Cailotto [EDALab] stefano.cailotto at edalab.it
Thu Jul 25 11:29:43 CEST 2019


Hello,

I'm configuring a server that is connected to a 389ds (ldap) server and to an AD 
server for authentication and authorization (on AD, authentication is performed 
through ntlm_auth and authorization, i.e. group membership checking, through the ldap 
protocol).

Authentication is made forcing Auth-Type according to User-Name in the authorize 
section through a regex

     if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
         update control {
             Auth-Type := ntlm_auth
         }
     }
     else {
         update control {
             Auth-Type := ldap
         }
     }


and it works, as I can authenticate user scailotto on 389ds and stefano.cailotto 
on AD with ntlm_auth.

Authorization too works flawlessly if in the authorize section I use only one 
kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for 
stefano.cailotto).

The main problem arises when radius tries to match group membership for the 
user, as it always points to AD server.

I tried to play with group statements to force using both servers, but with no 
success.

If I understand well debug info, the query is performed starting from the 
"files" module: the users files contains statements like

DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
     Juniper-Local-User-Name="level15", Unisphere-Alternate-Cli-Access-Level="15"

and so a match between user and groups must be made.

My default file is as follows:

authorize {
        preprocess
        auth_log
        if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
            update control {
                Auth-Type := ntlm_auth
            }
        }
        else {
            update control {
                Auth-Type := ldap
            }
        }

        group {
            ldap1 {
                fail = 1
                notfound = 1
            }

            ad_corporate_1 {
                fail = 1
                notfound = 1
            }
        }
        files
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        Auth-Type ldap {
                redundant {
                        ldap1
                        ldap2
                }
        }
        Auth-Type ntlm_auth {
                ntlm_auth
        }

        eap
}
...


So, my question is: is there a way to force querying a specific server, 
according to Auth-Type or User-Name? I.e.

User-Name = scailotto -> Auth-Type = ldap -> search group membership on ldap1

User-Name = stefano.cailotto -> Auth-Type = ntlm_auth -> search group membership 
on ad_corporate_1 (using ldap protocol)


I suppose it should somehow be forced in the users files, but can't figure out 
how...

TIA,

Stefano


-- 
  Stefano Cailotto
---------------------------------------------------------------------------
  EDALab s.r.l. - Networked Embedded Systems
  Sede operativa:
  Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy
  Sede legale:
  Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy
  C.F./P.IVA/Iscr. Reg. Imprese di Verona n.  03706250234
  Numero REA: VR - 358813
  Capitale sociale: 10.000 euro
---------------------------------------------------------------------------
  email:  stefano.cailotto at edalab.it
  web:    http://www.edalab.it | https://www.box-io.com
  skype:  stefano.cailotto
  tel:    +39-045-257-0357
  mobile: +39-391-731-0244
---------------------------------------------------------------------------
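An added example, not from the post above and not FreeRADIUS's own configuration, of one way to bind the group check to the directory that authenticated the user. It assumes FreeRADIUS 3.x unlang and that each named rlm_ldap instance registers its own group-check attribute (ldap1-Ldap-Group for `ldap ldap1 { }`, ad_corporate_1-Ldap-Group for `ldap ad_corporate_1 { }`); the group name, huntgroup and reply attributes are the ones from the users file quoted in the post.

```unlang
# Added example (not from the post above). Assumes FreeRADIUS 3.x and that
# each named rlm_ldap instance registers its own group-check attribute:
# "ldap1-Ldap-Group" for "ldap ldap1 { }" and "ad_corporate_1-Ldap-Group"
# for "ldap ad_corporate_1 { }".

authorize {
    preprocess
    auth_log

    # One decision, driven by the User-Name shape, selects the authentication
    # backend and the directory for the group check together. The regex is
    # anchored so that names like "a.b.c" or "abc." cannot be routed by accident.
    if (&User-Name =~ /^[a-z]+\.[a-z]+$/) {
        update control {
            &Auth-Type := ntlm_auth
        }
        # Only the AD instance is consulted for this user...
        ad_corporate_1
        # ...and only the AD-bound group attribute is compared, so the
        # 389ds server is never asked about an AD account.
        if (&ad_corporate_1-Ldap-Group == "delivery-ip" && &Huntgroup-Name == "junos-tac") {
            update reply {
                &Juniper-Local-User-Name := "level15"
                &Unisphere-Alternate-Cli-Access-Level := "15"
            }
        }
    }
    else {
        update control {
            &Auth-Type := ldap
        }
        # 389ds user: same pattern, bound to the ldap1 instance only.
        ldap1
        if (&ldap1-Ldap-Group == "delivery-ip" && &Huntgroup-Name == "junos-tac") {
            update reply {
                &Juniper-Local-User-Name := "level15"
                &Unisphere-Alternate-Cli-Access-Level := "15"
            }
        }
    }

    # "files" stays for any other DEFAULT entries; the group-to-privilege
    # mapping above no longer depends on the unqualified Ldap-Group check item.
    files
    pap
}
```

With the group comparison done on the instance-qualified attribute, a user that exists only in one directory can never be matched against a group of the other, and the debug output shows exactly one directory being queried per request.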