Conditional attributes with AD


Conditional attributes with AD

Scott McLane Gardner
I've successfully gotten AD auth working, and now I'd like to be able to
assign VLANs based on group membership, but I'm having a hard time
figuring out where and how to do that. Where do I put the "if" statements
to check group membership? Does AD auth even work like this, or do I need
to be using LDAP auth?

Thank you,

-Scott

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Conditional attributes with AD

Scott McLane Gardner
I found this thread which seems to do what I am asking, but I just don't
know where to put this statement.
http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458.html
Any insight would be appreciated.

-Scott


Re: Conditional attributes with AD

Alan DeKok-2
In reply to this post by Scott McLane Gardner
Scott McLane Gardner wrote:
> I've successfully gotten AD auth working, and now I'd like to be able to
> assign VLAN's based on group membership, but I'm having a hard time
> figuring out where and how to do that. Where do I put the "if" statements
> to check group membership? Does AD auth even work like this, or do I need
> to be using LDAP auth?

  You can configure AD as an LDAP server, and then do LDAP group checks.
 See the LDAP documentation for examples.

  Alan DeKok.

Re: Conditional attributes with AD

Scott McLane Gardner
>
>  You can configure AD as an LDAP server, and then do LDAP group checks.
> See the LDAP documentation for examples.
>
>  Alan DeKok.

I think the documentation is saying that LDAP can't be used with EAP. Is
that what it's really saying? It's a little unclear since it says "The
solution is to use the default configuration, which does work."

#  However, LDAP can be used for authentication ONLY when the
#  Access-Request packet contains a clear-text User-Password
#  attribute.  LDAP authentication will NOT work for any other
#  authentication method.
#
#  This means that LDAP servers don't understand EAP.  If you
#  force "Auth-Type = LDAP", and then send the server a
#  request containing EAP authentication, then authentication
#  WILL NOT WORK.
#
#  The solution is to use the default configuration, which does
#  work.
#
#  Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG.  We
#  really can't emphasize this enough.


Re: Conditional attributes with AD

Scott McLane Gardner
In reply to this post by Scott McLane Gardner
>
>I found this thread which seems to do what I am asking, but I just don't
>know where to put this statement.
>http://lists.freeradius.org/pipermail/freeradius-users/2012-January/058458.html
>Any insight would be appreciated.

Okay, I figured out where to put the "if" statement (in
sites-enabled/default, for anyone stumped like I was), but it doesn't
work. I'm assuming this is because I'm using Samba instead of LDAP. Is
there another way to get conditional replies based on group membership
while still using EAP?


Re: Conditional attributes with AD

Scott McLane Gardner
If anyone cares, I got this working by calling a script that contained the
following:

    #!/bin/sh
    for T in $(wbinfo --user-domgroups `wbinfo -n $1`) ; do wbinfo -s $T | perl -ne 'chomp and print'; done


Which outputs a string containing all the groups the username is a member
of. I called the script from sites-available/default under post-auth like
so:

    if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~ /String.To.Match/) {
        update reply {
            Tunnel-type = VLAN
            Tunnel-medium-type = IEEE-802
            Tunnel-Private-Group-Id = 456
        }
    }

This was frustrating to figure out, but a good learning experience.

--Scott


Re: Conditional attributes with AD

Fajar A. Nugraha-2
On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <[hidden email]> wrote:
> If anyone cares, I got this working by calling a script that contained the
> following:

That's odd. Did you properly setup the AD as LDAP server in
raddb/modules/ldap (or whatever file name you use)?


>    if (`/bin/sh /etc/freeradius/get_group.sh %{User-Name}` =~

I didn't know you can do that :D

--
Fajar

Re: Conditional attributes with AD

Scott McLane Gardner


On 3/6/12 3:55 PM, "Fajar A. Nugraha" <[hidden email]> wrote:

>On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <[hidden email]>
>wrote:
>> If anyone cares, I got this working by calling a script that contained
>>the
>> following:
>
>That's odd. Did you properly setup the AD as LDAP server in
>raddb/modules/ldap (or whatever file name you use)?

No, I didn't set it up as an LDAP server since you apparently can't use
LDAP and EAP at the same time. (Unless I'm reading the documentation
wrong.)

-Scott


Re: Conditional attributes with AD

Fajar A. Nugraha-2
On Wed, Mar 7, 2012 at 4:57 AM, Scott McLane Gardner <[hidden email]> wrote:

>
>
> On 3/6/12 3:55 PM, "Fajar A. Nugraha" <[hidden email]> wrote:
>
>>On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <[hidden email]>
>>wrote:
>>> If anyone cares, I got this working by calling a script that contained
>>>the
>>> following:
>>
>>That's odd. Did you properly setup the AD as LDAP server in
>>raddb/modules/ldap (or whatever file name you use)?
>
> No, I didn't set it up as an LDAP server since you apparently can't use
> LDAP and EAP at the same time. (Unless I'm reading the documentation
> wrong.)

Yes, you can :)

You CAN'T use some EAP types (e.g. EAP-PEAP-MSCHAPv2) when
authenticating using LDAP bind (i.e. set Auth-Type to LDAP).

You CAN use LDAP as a plain database no matter what authentication
method you use (in this case you're simply using it for group check,
not for authentication).

--
Fajar

Re: Conditional attributes with AD

Scott McLane Gardner


On 3/6/12 3:59 PM, "Fajar A. Nugraha" <[hidden email]> wrote:

>On Wed, Mar 7, 2012 at 4:57 AM, Scott McLane Gardner <[hidden email]>
>wrote:
>>
>>
>> On 3/6/12 3:55 PM, "Fajar A. Nugraha" <[hidden email]> wrote:
>>
>>>On Wed, Mar 7, 2012 at 4:28 AM, Scott McLane Gardner <[hidden email]>
>>>wrote:
>>>> If anyone cares, I got this working by calling a script that contained
>>>>the
>>>> following:
>>>
>>>That's odd. Did you properly setup the AD as LDAP server in
>>>raddb/modules/ldap (or whatever file name you use)?
>>
>> No, I didn't set it up as an LDAP server since you apparently can't use
>> LDAP and EAP at the same time. (Unless I'm reading the documentation
>> wrong.)
>
>Yes, you can :)
>
>You CAN'T use some EAP types (e.g. EAP-PEAP-MSCHAPv2) when
>authenticating using LDAP bind (i.e. set Auth-Type to LDAP).
>
>You CAN use LDAP as a plain database no matter what authentication
>method you use (in this case you're simply using it for group check,
>not for authentication).
>
>--
>Fajar

Can you expand on how this is done? I am a freeradius newbie and don't
really understand how all the pieces fit together.


Re: Conditional attributes with AD

Matthew Newton
Hi,

On Tue, Mar 06, 2012 at 10:01:30PM +0000, Scott McLane Gardner wrote:
> >You CAN use LDAP as a plain database no matter what authentication
> >method you use (in this case you're simply using it for group check,
> >not for authentication).
>
> Can you expand on how this is done? I am a freeradius newbie and don't
> really understand how all the pieces fit together.

Configure the ldap module (raddb/modules/ldap) appropriately, then
you can use unlang to check for a group, such as

authorize {

  ...

  ldap

  if (Ldap-Group == "An-Ldap-Group") {
    update reply {
      Tunnel-type = VLAN
      Tunnel-medium-type = IEEE-802
      Tunnel-Private-Group-Id = 456
    }
  }

  ...

}

For an example (with some ldap config), see the eap-tls example I
wrote recently (don't do it in that file - just look at the ldap
example).

https://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/check-eap-tls 

The example ldap settings there are for AD, although for
certificates rather than users. e.g. you probably want the filter
to be (sAMAccountName=%{User-Name}) instead, for a start.

Calling out to shell scripts may be slower, which can cause you
problems.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>

RE: Conditional attributes with AD

Danner, Mearl
In reply to this post by Scott McLane Gardner


>> Can you expand on how this is done? I am a freeradius newbie and don't
>> really understand how all the pieces fit together.

First is authentication - configure with Samba, ntlmauth RE: http://wiki.freeradius.org/FreeRADIUS-Active-Directory-Integration-HOWTO

Next authorization  - configured as Matthew suggested in previous post. Probably need to get the memberOf attribute of the userid

match will be FQDN of group, i.e.: CN=Group,OU=someou,dc=something,dc=else,dc=again



Re: Conditional attributes with AD

Scott McLane Gardner
In reply to this post by Matthew Newton
Okay, I am a couple steps closer, but still having trouble. My radius
server is saying my test user is not in the group I'm filtering for,
however I know that it is. My sites-available/default config looks like:

authorize
...
ldap

        if (Ldap-Group == "PWHC Secure Wireless") {
                update reply {
                        Tunnel-type = VLAN
                        Tunnel-medium-type = IEEE-802
                        Tunnel-Private-Group-Id = 456
                }
        }
...

And my modules/ldap config looks like:

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "adserver.example.com"
        identity = "cn=admin,ou=users,dc=example,dc=com"
        password = adminpass
        basedn = "ou=users,dc=example,dc=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
...


And I'm receiving the following log messages:

[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> username
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=username)
[ldap] expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to adserver.uark.edu:389, authentication 0
  [ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to adserver.uark.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=users,dc=example,dc=com, with filter (sAMAccountName=username)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user username authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (Ldap-Group == "PWHC Secure Wireless")
  [ldap] Entering ldap_groupcmp()
        expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
        expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=users,dc=example,dc=com, with filter (&(memberOf=PWHC Secure Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is not a member.
? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE
++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE

It looks to me like it's binding and searching and deciding that I'm not a
member of that group, however I know that I am because if I do a
command-line ldapsearch it shows that I'm a member of that group.


# ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: cn=username
# requesting: memberOf
#

# username, Users, example.com
dn: CN=username,OU=users,dc=example,dc=com
memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Can anyone tell me what I'm doing wrong?

Thanks,
Scott


Re: Conditional attributes with AD

Matthew Newton
Hi,

On Mon, Mar 12, 2012 at 09:07:23PM +0000, Scott McLane Gardner wrote:

> ++? if (Ldap-Group == "PWHC Secure Wireless")
>   [ldap] Entering ldap_groupcmp()
> expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
> expand:
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
> fUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(
> uniquemember=)))
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=users,dc=example,dc=com, with filter
> (&(memberOf=PWHC Secure
> Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniq
> ueNames)(uniquemember=))))
>   [ldap] object not found

This is what freeradius is searching ^^^

> It looks to me like it's binding and searching and deciding that I'm not a
> member of that group, however I know that I am because if I do a
> command-line ldapsearch it shows that I'm a member of that group.

You're not searching the same thing:

> # ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D
> cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf

> Can anyone tell me what I'm doing wrong?

Try looking at the groupmembership_filter option - work out a
search that works on the command line (with a filter), and then
fit that filter into the ldap config.

It should probably be something like (untested)

groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
groupmembership_attribute = memberOf

Run in debug, look at what it's actually searching, match to the
config file, tweak, rinse & repeat.

Matthew


--
Matthew Newton, Ph.D. <[hidden email]>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <[hidden email]>
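The group check Matthew describes in his earlier post (run `ldap` in `authorize`, then test `Ldap-Group`) and the debugging advice here (work out a filter that works on the command line, then compare it with what the debug output shows rlm_ldap searching for) can be reproduced offline. What follows is an added example, not FreeRADIUS or rlm_ldap code: a small Python evaluator for the LDAP filter subset that appears in the debug log (`&`, `|`, `!`, `attr=value`), run over a constructed AD-style directory. The user DN, the `PWHC Secure Wireless` group DN and the extra `Guests` group are made up to mirror the thread. It rebuilds the search string the log shows for `Ldap-Group == "PWHC Secure Wireless"` from `groupname_attribute`, `groupmembership_filter` and `%{Ldap-UserDn}`, and shows three cases: the log's own search (the OpenLDAP-style default filter, `memberOf` as `groupname_attribute`, an empty `%{Ldap-UserDn}`) finds nothing; the suggested `(&(objectClass=group)(member=%{Ldap-UserDn}))` with `groupname_attribute = cn` finds the group; and, a detail taken from the DNs visible in the log, the same filter still fails when the search base is `ou=users,dc=example,dc=com`, because the group object sits under `OU=PWHC`.

```python
"""Added example, not FreeRADIUS or rlm_ldap code: a small evaluator for the
LDAP filter subset seen in the thread's debug log (&, |, !, attr=value), run
against a constructed AD-style directory. Entries, DNs and names are made up
to mirror the thread."""

USER_DN = "CN=username,OU=users,DC=example,DC=com"
GROUP_DN = "CN=PWHC Secure Wireless,OU=PWHC,DC=example,DC=com"

# Constructed directory: AD groups have objectClass=group and a "member"
# attribute, users carry the "memberOf" back-link. No entry uses the OpenLDAP
# classes GroupOfNames / GroupOfUniqueNames that the default filter expects.
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["user"], "sAMAccountName": ["username"],
     "memberOf": [GROUP_DN]},
    {"dn": GROUP_DN, "objectClass": ["group"], "cn": ["PWHC Secure Wireless"],
     "member": [USER_DN]},
    {"dn": "CN=Guests,OU=PWHC,DC=example,DC=com", "objectClass": ["group"],
     "cn": ["Guests"], "member": []},
]

# groupmembership_filter as it appears in the log (default) and as suggested.
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
AD_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"


def parse_filter(text):
    """Parse an RFC 4515 filter (equality only, no escapes) into a tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # assertion values here never contain ')'
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)

    return node()


def matches(entry, tree):
    """Evaluate a parsed filter against one entry; AD compares case-insensitively."""
    op = tree[0]
    if op == "&":
        return all(matches(entry, c) for c in tree[1])
    if op == "|":
        return any(matches(entry, c) for c in tree[1])
    if op == "!":
        return not matches(entry, tree[1][0])
    _, attr, value = tree
    for name, vals in entry.items():
        if name != "dn" and name.lower() == attr.lower():
            # an empty assertion value such as (member=) matches no real value
            return any(v.lower() == value.lower() for v in vals)
    return False


def search(base, filter_text):
    """Subtree search: DNs of entries under `base` that match the filter."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(e, tree)]


def group_filter(groupname_attribute, groupmembership_filter, group, user_dn):
    """Rebuild the search the debug log shows for Ldap-Group == "<group>":
    (&(<groupname_attribute>=<group>)<groupmembership_filter>), with
    %{Ldap-UserDn} expanded ("" when it was never set, as in the log)."""
    expanded = groupmembership_filter.replace("%{Ldap-UserDn}", user_dn)
    return "(&(%s=%s)%s)" % (groupname_attribute, group, expanded)


def ldap_group_check(groupname_attribute, groupmembership_filter, group,
                     user_dn, base):
    """True when the rebuilt group search returns at least one entry."""
    flt = group_filter(groupname_attribute, groupmembership_filter, group, user_dn)
    return bool(search(base, flt))


if __name__ == "__main__":
    g = "PWHC Secure Wireless"
    # the log's failing search: memberOf as groupname_attribute, the default
    # filter, an empty Ldap-UserDn and basedn = ou=users  -> False
    print(ldap_group_check("memberOf", DEFAULT_FILTER, g, "", "ou=users,dc=example,dc=com"))
    # the suggested settings with a base that also holds the group objects -> True
    print(ldap_group_check("cn", AD_FILTER, g, USER_DN, "dc=example,dc=com"))
    # same settings, but basedn still ou=users: the group lives under OU=PWHC -> False
    print(ldap_group_check("cn", AD_FILTER, g, USER_DN, "ou=users,dc=example,dc=com"))
```

Run it as a script to print the three cases. The evaluator only handles equality filters without escapes, which is all rlm_ldap emits in the log above; the point is that the filter string rlm_ldap prints is exactly what you should feed to `ldapsearch` when checking a group setting, and that `%{Ldap-UserDn}` expanding to nothing turns `(member=...)` into a clause no group can satisfy.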

Re: Conditional attributes with AD

Scott McLane Gardner
>
>Try looking at the groupmembership_filter option - work out a
>search that works on the command line (with a filter), and then
>fit that filter into the ldap config.
>
>It should probably something like (untested)
>
>groupname_attribute = cn
>groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
>groupmembership_attribute = memberOf
>
>Run in debug, look at what it's actually searching, match to the
>config file, tweak, rinse & repeat.
>
>Matthew

Thank you! This was the pointer I needed to get this working. I'm sure
I'll have lots more questions about other aspects soon.

-Scott
