AD Authentication via python module eventually fails


AD Authentication via python module eventually fails

Orestes Leal Rodríguez
Hi guys,

I have a freeradius 3.0.16 (ubuntu 18.04.3) running, authenticating
users against an AD via ldap binds. I call a module (a small python
program) that does the ldap binds, etc. So this module's return value
indicates to freeradius whether auth was successful or not. From time
to time (maybe after a month) the server starts to return auth
failures. I believe that this module being loaded for each
authenticating user makes the server's state change or in general
leaves it in an inconsistent state. The module is loaded from the
'python' module by giving it the module's filename. This module is at
/usr/lib/python2.7/custom_module.py. This configuration was transferred
from another (older freeradius version, ubuntu 16.04) to this new
freeradius server. I suggested going the ntlm_auth route but the
IT manager decided to go this route (the module using ldap binds),
which works, but we have this problem, and the original person that
used the module also had it. I wonder if anybody can illuminate what's
happening at the server state level. To fix this I have to restart the
freeradius process and everything starts to work again, so it's not
something on the AD side. I suspect an 'in-memory' state or something
is the cause. Any ideas?

Thanks,
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: AD Authentication via python module eventually fails

Alan Buxey
hi,

any reason why python is being used at all? Not having seen the
script, I'm not sure why you aren't just doing everything native in FR?

alan

On Wed, 2 Oct 2019 at 21:08, Orestes Leal Rodríguez
<[hidden email]> wrote:

>
> Hi guys,
>
> I have a freeradius 3.0.16 (ubuntu 18.04.3) running, authenticating
> users against an AD via ldap binds. I call a module (a small python
> program) that does the ldap binds, etc. So this module's return value
> indicates to freeradius whether auth was successful or not. From time
> to time (maybe after a month) the server starts to return auth
> failures. I believe that this module being loaded for each
> authenticating user makes the server's state change or in general
> leaves it in an inconsistent state. The module is loaded from the
> 'python' module by giving it the module's filename. This module is at
> /usr/lib/python2.7/custom_module.py. This configuration was transferred
> from another (older freeradius version, ubuntu 16.04) to this new
> freeradius server. I suggested going the ntlm_auth route but the
> IT manager decided to go this route (the module using ldap binds),
> which works, but we have this problem, and the original person that
> used the module also had it. I wonder if anybody can illuminate what's
> happening at the server state level. To fix this I have to restart the
> freeradius process and everything starts to work again, so it's not
> something on the AD side. I suspect an 'in-memory' state or something
> is the cause. Any ideas?
>
> Thanks,

Re: AD Authentication via python module eventually fails

Orestes Leal Rodríguez
Alan,

I mentioned in the other email it was the boss' decision. I cannot do
anything if he doesn't want to do it another way (I suggested going
through ntlm_auth but it was not chosen).

On 10/2/19, Alan Buxey <[hidden email]> wrote:
> hi,
>
> any reason why python is being used at all? Not having seen the
> script

The script just imports the ldap module, binds to a GC server to
fulfil the authentication requests and returns false if the password
is incorrect or the account is not found, or true if the auth was
correct. We have two backend domains, so that was the reason it was
done this way (although I had an alternative doing the same using
ntlm_auth).

> not sure why you aren't
> just doing everything native in FR?
>
> alan
>
> On Wed, 2 Oct 2019 at 21:08, Orestes Leal Rodríguez
> <[hidden email]> wrote:
>>
>> Hi guys,
>>
>> I have a freeradius 3.0.16 (ubuntu 18.04.3) running, authenticating
>> users against an AD via ldap binds. I call a module (a small python
>> program) that does the ldap binds, etc. So this module's return value
>> indicates to freeradius whether auth was successful or not. From time
>> to time (maybe after a month) the server starts to return auth
>> failures. I believe that this module being loaded for each
>> authenticating user makes the server's state change or in general
>> leaves it in an inconsistent state. The module is loaded from the
>> 'python' module by giving it the module's filename. This module is at
>> /usr/lib/python2.7/custom_module.py. This configuration was transferred
>> from another (older freeradius version, ubuntu 16.04) to this new
>> freeradius server. I suggested going the ntlm_auth route but the
>> IT manager decided to go this route (the module using ldap binds),
>> which works, but we have this problem, and the original person that
>> used the module also had it. I wonder if anybody can illuminate what's
>> happening at the server state level. To fix this I have to restart the
>> freeradius process and everything starts to work again, so it's not
>> something on the AD side. I suspect an 'in-memory' state or something
>> is the cause. Any ideas?
>>
>> Thanks,


Re: AD Authentication via python module eventually fails

Alan DeKok-2
On Oct 2, 2019, at 5:39 PM, Orestes Leal Rodríguez <[hidden email]> wrote:
>
> I mentioned in the other email it was the boss' decision. I cannot do
> anything if he doesn't want to do it another way (I suggested go
> through ntlm_auth but it was not chosen.

  So he's making decisions which break the corporate infrastructure?

  Nice.

> The script just imports the ldap module, binds to a GC server to
> fulfil the authentication requests and returns false if the password
> is incorrect or the account is not found, or true if the auth was
> correct.

  FreeRADIUS can do this with the native LDAP module.  You don't need to do ntlm_auth.

> We have two backend domains, so that was the reason it was
> done this way (although I had an alternative doing the same using
> ntlm_auth).

  FreeRADIUS can use two LDAP modules, one for each back-end domain.

  It's simpler, faster, more standard, and it *works*.

  I'd say tell your boss that he's wrong, but I'm sure he already knows that.

  Alan DeKok.


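Alan's suggestion of two native ldap instances, one per back-end domain, written out as an added example that is not from the thread or from the FreeRADIUS distribution; the instance names, hosts, DNs, credentials and realm names are placeholders. The ldap sections belong in mods-enabled/, the realm declarations in proxy.conf, and the authorize/authenticate sections in sites-enabled/default.

```conf
realm corp.example {       # proxy.conf: a local realm, so 'suffix' fills Realm
}                          # and Stripped-User-Name from user@corp.example
realm lab.example {
}
ldap ldap_corp {           # mods-enabled/ldap_corp: one native ldap instance per AD domain
    server   = 'ldaps://dc1.corp.example'
    identity = 'CN=svc-radius,OU=Service Accounts,DC=corp,DC=example'
    password = 'REPLACE-ME'
    user {
        base_dn = 'DC=corp,DC=example'
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        ca_file      = /etc/ssl/certs/corp-root-ca.pem
        require_cert = 'demand'     # verify the DC certificate
    }
}
ldap ldap_lab {            # mods-enabled/ldap_lab: same shape for the second domain
    server   = 'ldaps://dc1.lab.example'
    identity = 'CN=svc-radius,OU=Service Accounts,DC=lab,DC=example'
    password = 'REPLACE-ME'
    user {
        base_dn = 'DC=lab,DC=example'
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    tls {
        ca_file      = /etc/ssl/certs/lab-root-ca.pem
        require_cert = 'demand'
    }
}
authorize {                # sites-enabled/default
    suffix                 # splits user@domain into Stripped-User-Name and Realm
    update control {
        Auth-Type := LDAP  # plain-password (PAP) requests; EAP needs its own path
    }
}
authenticate {
    Auth-Type LDAP {       # bind as the user against the instance for their realm
        switch &Realm {    # no match (unknown or missing realm) leaves the section
            case 'corp.example' {        # without 'ok', which the server treats as reject
                ldap_corp
            }
            case 'lab.example' {
                ldap_lab
            }
        }
    }
}
```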

Installing Freeradius on my cloud server

Tim Dawson
Hello,

I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to
control guest access to my newly very fast broadband (4G). As part of that process I thought I'd
start by setting up a Freeradius server.

I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7).
Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run
alongside these. Is that correct?

I set it up via SSH following the 'hard way' described at:
https://draculaservers.com/tutorials/freeradius-centos-7-mysql/

Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius
server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I
access several of the hosted web sites. I couldn't allow that situation to continue.

So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server
things came back to normal.

I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have
overridden the normal server firewall policy? If so, what should I do about it?

I could add the 1812 and 1813 ports to the existing firewall policy, but would that work?

I'd be grateful for some help here, please.

Tim Dawson

--
Tim Dawson
Maolbhuidhe
Fionnphort
Isle of Mull  PA66 6BP

01681 700718

Re: Installing Freeradius on my cloud server

Alan DeKok-2
On Oct 2, 2019, at 7:18 PM, Tim Dawson <[hidden email]> wrote:
> I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to control guest access to my newly very fast broadband (4G). As part of that process I thought I'd start by setting up a Freeradius server.
>
> I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7). Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run alongside these. Is that correct?

  If you want to set it up that way, sure.  The main criterion is that the captive portal is able to send RADIUS packets to the RADIUS server.  Preferably over IPSec, too.

> I set it up via SSH following the 'hard way' described at:
> https://draculaservers.com/tutorials/freeradius-centos-7-mysql/

  If it works, I guess.

> Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I access several of the hosted web sites. I couldn't allow that situation to continue.
>
> So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server things came back to normal.
>
> I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have overridden the normal server firewall policy? If so, what should I do about it?

  Fix the firewall so that it doesn't block web access?

> I could add the 1812 and 1813 ports to the existing firewall policy, but would that work?

  That won't help for web access.

  It's not really clear what you're doing.  I suspect the underlying issues have nothing to do with FreeRADIUS though.

  Alan DeKok.



Re: Installing Freeradius on my cloud server

Tim Dawson
Thank you for your reply.

I'm sorry if it's not really clear what I'm doing. The link I sent contained every command line I
used, though I realise it would be tedious to follow it all. Maybe what I'm doing isn't the right
thing at all, but then that's why I come to a mailing list like this, for help.

My understanding was simply that I needed to have a Radius Server available. I thought the obvious
place to have it would be on my cloud server. I imagine that's where the captive portal will live too.

I will try to get a better understanding of the whole Captive Portal procedure and then return if
necessary to ask specific questions about Freeradius.

Regards,

Tim Dawson

On 03/10/2019 01:14, Alan DeKok wrote:

> On Oct 2, 2019, at 7:18 PM, Tim Dawson <[hidden email]> wrote:
>> I'm entirely new to the whole Captive Portal procedure, but I'm learning about it because I need to control guest access to my newly very fast broadband (4G). As part of that process I thought I'd start by setting up a Freeradius server.
>>
>> I run our B&B web site (and several others, for clients) on a cloud server (the OS is Centos 7). Naturally this runs an Apache server, and MySQL. I assumed that the Freeradius server would run alongside these. Is that correct?
>
>    If you want to set it up that way, sure.  The main criterion is that the captive portal is able to send RADIUS packets to the RADIUS server.  Preferably over IPSec, too.
>
>> I set it up via SSH following the 'hard way' described at:
>> https://draculaservers.com/tutorials/freeradius-centos-7-mysql/
>
>    If it works, I guess.
>
>> Everything appeared to go perfectly, to the point where it appeared I could run the Freeradius server in debug mode. Then I spotted that I could no longer log in to my WHM/cPanel, nor could I access several of the hosted web sites. I couldn't allow that situation to continue.
>>
>> So I disabled the Freeradius server and the 'firewalld' services. After rebooting the cloud server things came back to normal.
>>
>> I'm not sure, but I suspect the problem may have been in the 'firewalld' settings. Would these have overridden the normal server firewall policy? If so, what should I do about it?
>
>    Fix the firewall so that it doesn't block web access?
>
>> I could add the 1812 and 1813 ports to the existing firewall policy, but would that work?
>
>    That won't help for web access.
>
>    It's not really clear what you're doing.  I suspect the underlying issues have nothing to do with FreeRADIUS though.
>
>    Alan DeKok.
>
>

--
Tim Dawson
Maolbhuidhe
Fionnphort
Isle of Mull  PA66 6BP

01681 700718

Re: Installing Freeradius on my cloud server

Alan DeKok-2
On Oct 3, 2019, at 4:03 AM, Tim Dawson <[hidden email]> wrote:
> I'm sorry if it's not really clear what I'm doing. The link I sent contained every command line I used, though I realise it would be tedious to follow it all. Maybe what I'm doing isn't the right thing at all, but then that's why I come to a mailing list like this, for help.

  If you have an issue with someone else's documentation, then ask them for help.  It's not appropriate to ask me to read through a long installation guide, especially when 75% or more is unrelated to FreeRADIUS.  This list is for help with FreeRADIUS.  It is *not* for getting general system administration help.

> My understanding was simply that I needed to have a Radius Server available. I thought the obvious place to have it would be on my cloud server. I imagine that's where the captive portal will live too.

  That's not the way that captive portals usually work.  They sit at the edge, and usually they're the local router / firewall.

> I will try to get a better understanding of the whole Captive Portal procedure and then return if necessary to ask specific questions about Freeradius.

  That would help.

  Alan DeKok.

