LDAP Post-Auth with computer names using eap-tls certs


LDAP Post-Auth with computer names using eap-tls certs

Kevin Virk
So I'll give a brief summary of everything I have done so far. I have set up a FreeRADIUS server to work with certs. I originally had the certs named by user name, but my company decided that computer names were the way they wanted to go, so I changed the certs to hand out the SAM account name of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down.

Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize them and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am: I have this query that works in ldp.exe:



(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local))


This query returns computer names and works in ldp. Below are snippets from my conf files.

ldap module conf:

user {
        #  Where to start searching in the tree for users
        base_dn = "${..base_dn}"

        #  Filter for user objects, should be specific enough
        #  to identify a single user object.
        #
        #  For Active Directory, you should use
        #  "samaccountname=" instead of "uid="
        #
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
}

group {
        #  Where to start searching in the tree for groups
        base_dn = "${..base_dn}"

        #  Filter for group objects, should match all available
        #  group objects a user might be a member of.
#       filter = '(objectClass=posixGroup)'

        #  Search scope, may be 'base', 'one', 'sub' or 'children'
#       scope = 'sub'

        #  Attribute that uniquely identifies a group.
        #  Is used when converting group DNs to group
        #  names.
#       name_attribute = cn

        #  Filter to find group objects a user is a member of.
        #  That is, group objects with attributes that
        #  identify members (the inverse of membership_attribute).
        membership_filter = "(|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))"

        #  The attribute in user objects which contain the names
        #  or DNs of groups a user is a member of.
        #
        #  Unless a conversion between group name and group DN is
        #  needed, there's no requirement for the group objects
        #  referenced to actually exist.
        membership_attribute = 'member:1.2.840.113556.1.4.1941'
}

Default site, ldap query example (post-auth):

ldap
if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") {
        update reply {
                &Tunnel-Type := "VLAN"
                &Tunnel-Medium-Type := "6"
                &Tunnel-Private-Group-Id := "103"
        }
}

Here is a snippet from the error in the debug output.
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)     User object found at DN "CN=ComputerName,OU=Computers,OU=Departments,DC=testDomain,DC=net"
Mon Nov 26 23:53:09 2018 : Debug: (5)     Checking for user in group objects
Mon Nov 26 23:53:09 2018 : Debug: (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: Parsed xlat tree:
Mon Nov 26 23:53:09 2018 : Debug: literal --> (|(&(objectClass=computer)(member=
Mon Nov 26 23:53:09 2018 : Debug: attribute --> LDAP-UserDN
Mon Nov 26 23:53:09 2018 : Debug: literal --> )))
Mon Nov 26 23:53:09 2018 : Debug: (5)       EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5)          --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: (5)       Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)       Performing search in "CN=VLAN,OU=generalgroups,OU=Departments,DC=testDomain,DC=local" with filter "(|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))", scope "sub"
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5)       Search returned no results
Mon Nov 26 23:53:09 2018 : Debug: (5)     Checking user object's member:1.2.840.113556.1.4.1941 attributes
Mon Nov 26 23:53:09 2018 : Debug: (5)       Performing unfiltered search in "CN=computerName,OU=computers,OU=Departments,DC=testDomain,DC=local", scope "base"
Mon Nov 26 23:53:09 2018 : Debug: (5)       Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5)     No group membership attribute(s) found in user object
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap: Closing libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Info: Need 3 more connections to reach min connections (3)
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Connecting to ldap://server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): New libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5)     User is not a member of "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
Mon Nov 26 23:53:09 2018 : Debug: (5)     if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") -> FALSE

I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class from computer to group, but only in the sub groups and not the larger group. Any help would be greatly appreciated.






-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP Post-Auth with computer names using eap-tls certs

Alan DeKok-2
On Nov 28, 2018, at 4:39 PM, Kevin Virk <[hidden email]> wrote:
>
> So I'll give a brief summary of everything I have done so far. I have set up a FreeRADIUS server to work with certs. I originally had the certs named by user name, but my company decided that computer names were the way they wanted to go, so I changed the certs to hand out the SAM account name of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down. Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize them and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am: I have this query that works in ldp.exe:

  Ok...

> This query returns computer names and works in ldp. Below are snippets from my conf files.
> ldap module conf:

  Please don't post the config.  All of the documentation says to *not* do that.  Especially this:

http://wiki.freeradius.org/list-help

>        if(LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"){

  That's not really how the LDAP-Group check operates.  See the Wiki, there's documentation on this.

  It's meant to check just the group name:

        if (LDAP-Group == "vlan")  { ...

> Here is a snippet from the error in the debug output.
> Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server

  PLEASE follow the instructions for debug output.  It really is documented *everywhere*.  Use "radiusd -X", and not anything else.

> Mon Nov 26 23:53:09 2018 : Debug: (5)       EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
> Mon Nov 26 23:53:09 2018 : Debug: (5)          --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))

  Note that the "=" is escaped to "\2c".  Which should be a hint that you should be using just the group name.

> I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class from computer to group, but only in the sub groups and not the larger group. Any help would be greatly appreciated.

  LDAP group checking doesn't search subgroups.  It only checks the main groups that a user is a member of.

  Alan DeKok.



Re: Re: LDAP Post-Auth with computer names using eap-tls certs

Kevin Virk
In reply to this post by Kevin Virk
>> So I'll give a brief summary of everything I have done so far. I have set up a FreeRADIUS server to work with certs. I originally had the certs named by user name, but my company decided that computer names were the way they wanted to go, so I changed the certs to hand out the SAM account name of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down. Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize them and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am: I have this query that works in ldp.exe:
>
> Ok...
>
>> This query returns computer names and works in ldp. Below are snippets from my conf files.
>> ldap module conf:
>
> Please don't post the config. All of the documentation says to *not* do that. Especially this:
>
> http://wiki.freeradius.org/list-help
>
>> if(LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"){
>
> That's not really how the LDAP-Group check operates. See the Wiki, there's documentation on this.
>
> It's meant to check just the group name:
>
> if (LDAP-Group == "vlan") { ...
>
>> Here is a snippet from the error in the debug output.
>> Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
>
> PLEASE follow the instructions for debug output. It really is documented *everywhere*. Use "radiusd -X", and not anything else.
>
>> Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
>> Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
>
> Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
>
>> I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class from computer to group, but only in the sub groups and not the larger group. Any help would be greatly appreciated.
>
> LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.
>
> Alan DeKok.

Thank you for the help, Alan, and I apologize for the mistakes in posting.

> Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
> Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
>
> Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.

Hmm, it has been working that way with the queries, but I will change that. Thank you.

> LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.

So, if I'm understanding correctly: if a computer is set up like so, Computername -> Group membership -> computer security group, and that computer security group is part of the vlan group, then querying that vlan group won't work because it will only return the security groups, not the workstations that are part of the security groups?

Is there no way, then, to query for the computers that belong in a group? Because, like I said at the top, this query does work and does give me back all computers in the top-level group:

(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testdomain,DC=local))

Is there no way for that query above to work in FreeRADIUS?







Re: LDAP Post-Auth with computer names using eap-tls certs

Alan DeKok-2
On Nov 28, 2018, at 5:00 PM, Kevin Virk <[hidden email]> wrote:
> Thank you for the help Alan and I apologize for the mistakes in posting.

  Please also *edit* the posts you make.  We don't need to re-read the previous message before getting to any new content.

  The harder you make it for us to help you, the less likely we are to help you.

>> Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
>> Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
>
>> Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
>
> Hmm, it has been working that way with the queries, but I will change that. Thank you.

  Has it been working with FreeRADIUS?  Or with a command-line tool?

>> LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.
> So, if I'm understanding correctly: if a computer is set up like so, Computername -> Group membership -> computer security group,
> and that computer security group is part of the vlan group, then querying that vlan group won't work because it will only return the security groups, not the workstations that are part of the security groups?

  Generally, yes.

> Is there no way, then, to query for the computers that belong in a group? Because, like I said at the top, this query does work and does give me back all computers in the top-level group:
>
> (&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testdomain,DC=local))

  That's likely an AD extension to the LDAP standard.  It might not work with other LDAP servers.

> Is there no way for that query above to work in FreeRADIUS?

  Yes.  You should be able to edit the LDAP "group" configuration to set the "filter" to the correct value.  Or maybe the "membership_filter".

  The issue here is that FreeRADIUS is intended to work with *multiple* different LDAP servers.  Adding specific magic just for AD isn't always simple.

  Alan DeKok.


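Added example, not from the thread or from the FreeRADIUS project, of what Alan's last suggestion looks like in practice: the AD transitive-membership rule from Kevin's ldp.exe query is moved into the ldap module's group section, and the unlang check is reduced to the bare group name as Alan describes. The option names are the FreeRADIUS 3.x rlm_ldap ones already present in the posted snippet; the group name, the base_dn reference and VLAN id 103 are taken from the thread, and the memberOf attribute name is an assumption about the directory.

```conf
#  mods-available/ldap, group section only (added example, not project config).
#  Assumes Active Directory: the matching rule OID 1.2.840.113556.1.4.1941
#  is an AD extension, as Alan notes, and other LDAP servers will reject it.
group {
        base_dn = "${..base_dn}"

        #  Restrict matches to group objects, so LDAP-Group never yields
        #  computer or user DNs that happen to satisfy the membership filter.
        filter = "(objectClass=group)"
        scope = 'sub'

        #  Compare LDAP-Group against the group's cn, not its full DN.
        name_attribute = cn

        #  Direct membership OR transitive membership through nested groups.
        #  rlm_ldap hex-escapes the expanded DN ("=" -> \3d, "," -> \2c)
        #  before substitution; the server decodes that, so it is expected.
        membership_filter = "(|(member=%{control:Ldap-UserDn})(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

        #  Attribute on the *user* object listing the groups it belongs to.
        #  memberOf is assumed; it only lists direct groups, and the search
        #  with membership_filter above is what finds the nested ones.
        membership_attribute = 'memberOf'
}

#  sites-enabled/default, post-auth section (added example).
post-auth {
        ldap
        #  Just the group name, not the DN.
        if (LDAP-Group == "vlan") {
                update reply {
                        &Tunnel-Type := "VLAN"
                        &Tunnel-Medium-Type := "6"
                        &Tunnel-Private-Group-Id := "103"
                }
        }
}
```

Run with "radiusd -X" and confirm in the debug output that the group search lands on the vlan group's DN and that the if-check evaluates to TRUE; if the directory is not AD, drop the OID branch of membership_filter and keep only the direct (member=...) test.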

Re: LDAP Post-Auth with computer names using eap-tls certs

Kevin Virk
In reply to this post by Kevin Virk
> Has it been working with FreeRADIUS? Or with a command-line tool?

It has been working with FreeRADIUS.

> That's likely an AD extension to the LDAP standard. It might not work with other LDAP servers.

Ahh yes, that makes sense, thank you very much.

> The issue here is that FreeRADIUS is intended to work with *multiple* different LDAP servers. Adding specific magic just for AD isn't always simple.

I believe that is what is going on here. I will just revert back to the stage where it was working!

Thank you so much, Alan; as always, you have been a great help.


   

