FreeRadius with Google PAM - Hardcode LDAP Servers for rlm_ldap

Brandt Winchell brandt.winchell at thinkon.com
Mon Aug 10 18:04:58 CEST 2020


Hello,
I have an issue which I am sure is easy to fix but I cannot find the correct file/setting.  Let me explain:

Environment:
Active Directory - backend authentication.  The AD environment is set up as a hub & spoke design.  This means not all domain controllers (GC) are accessible from everywhere (by design & security).
Freeradius - CentOS7 server FreeRadius-3.0.13

Source Setup:
It is basically a setup following this site:
https://kb.hillstonenet.com/en/wp-content/uploads/2019/09/SSLVPN-Two-factor-Authentication-with-Google-Authenticator.pdf

Validations:
SSSD = Server joined to the domain fine.  Can log in to the local server with a domain account.  ident tests resolve fine
DNS = hostname and any GC server resolves correctly
AD search results = **while in subnet80, works correctly**
Google Authenticator PAM = **while in subnet80, works correctly**


Issue:
When I have the FreeRadius server in subnet80 (172.16.80.0/24 hub site and can talk to any GC server), the configuration works fine.  So I know the basic configurations are working as designed.
When I move the FreeRadius server into subnet 99 (172.16.99.0/24 restricted site that can only talk to 172.16.80.0/24), radius fails to get any results from GC servers.  There is a firewall between these subnets.
I have configured the following files to specify which GC servers FreeRadius should use:
/etc/raddb/mods-available/ldap
        ldap {
                # the two domain controllers reachable from the restricted site
                server = 'dc01.domain.local'
                server = 'dc02.domain.local'
                start_tls = no
                port = 389
                identity = 'CN=ad-read-account,DC=domain,DC=local'
                password = 'xxxxxxx'
                base_dn = 'DC=domain,DC=local'
        }

/etc/sssd/sssd.conf
        [sssd]
        domains = domain.local
        services = nss, pam
        [domain/domain.local]
        id_provider = ad
        access_provider = ad
        ad_server = dc01.domain.local
        ad_backup_server = dc02.domain.local
        krb5_realm = DOMAIN.LOCAL
        krb5_server = dc01.domain.local
        krb5_backup_server = dc02.domain.local
        ldap_uri = ldap://dc01.domain.local


/etc/krb5.conf
        [libdefaults]
        # SRV/TXT discovery disabled so only the listed KDCs are used
        dns_lookup_realm = false
        dns_lookup_kdc = false
        [realms]
        DOMAIN.LOCAL = {
                kdc = dc01.domain.local
                kdc = dc02.domain.local
        }
        [domain_realm]
        domain.local = DOMAIN.LOCAL
        .domain.local = DOMAIN.LOCAL


When I run "radiusd -CX", I get "Ready to process requests" for the configuration check.
When I run "radiusd -X", this is where the process fails/hangs:
rlm_ldap (ldap): Connecting to ldap://dc01.domain.local:389 ldap://dc02.domain.local:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
rlm_ldap (ldap): Reserved connection (5)
(0)     EXPAND (userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})
(0)        --> (userPrincipalName=user1@domain.local)
(0)     Performing search in "DC=domain,DC=local" with filter "(userPrincipalName=user1@domain.local)", scope "sub"
(0)     Waiting for search result...

This will sit there until the LDAP search times out.

When I perform a packet capture during this time, this is what I see:
1 radius performs a DNS query for forestdnszones.domain.local SOA dc01.domain.local
2 the DNS server responds with records of ALL GC servers
3 radius then tries to connect to a GC server it does not have access to (due to the security restrictions)



Resolution:
It seems that the FreeRadius LDAP module is trying to find the SRV record for LDAP.  Of course DNS responds with all LDAP SRV records.
What I need to be able to do is restrict what LDAP servers FreeRadius is trying to use.  This seems very similar to SSSD Service Discovery.


Any assistance on this one would be appreciated.
btw...
I cannot post full debug logs due to security but will provide any additional info that might assist with this

Thanks
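An added example (the editor's, not the poster's configuration) of an rlm_ldap block for FreeRADIUS 3.0.x that keeps every LDAP connection on the two listed hosts. It assumes the hang is libldap following the referrals Active Directory returns for a subtree search of the domain root, which the DNS query for forestdnszones.domain.local in the capture is consistent with; hostnames and the bind DN are taken from the post, and the `options` settings are the module's own referral and timeout knobs.

```conf
# /etc/raddb/mods-available/ldap (added example; the referral explanation
# in the comments is an assumption about the poster's hang, not a confirmed cause)
ldap {
        # Only these two domain controllers are reachable from 172.16.99.0/24
        # through the firewall, so they must be the only hosts the module contacts.
        server = 'dc01.domain.local'
        server = 'dc02.domain.local'
        port = 389
        identity = 'CN=ad-read-account,DC=domain,DC=local'
        password = 'xxxxxxx'
        base_dn = 'DC=domain,DC=local'

        options {
                # A scope "sub" search of DC=domain,DC=local makes AD return
                # referrals for its other partitions (ForestDnsZones,
                # DomainDnsZones, ...). With chasing enabled, libldap resolves the
                # referral hostname (DNS hands back any DC in the forest) and opens
                # a new connection to it; when that DC sits behind the firewall the
                # search waits until it times out. Disabling chasing keeps all
                # traffic on the servers listed above.
                chase_referrals = no
                rebind = no

                # Bound the wait on a blocked host so a failure is visible in the
                # debug output quickly instead of looking like a silent hang.
                net_timeout = 3
                res_timeout = 10
        }
}
```

Querying the Global Catalog instead (port = 3268) is another way to avoid referrals for GC-replicated attributes such as userPrincipalName, but the firewall rules must then allow that port to dc01/dc02.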



