LDAP group - samaccountname


LDAP group - samaccountname

omahieu
Hello,

Using the LDAP module in post-auth section (PEAP-MSCHAPv2); the correct user group is not found for VLAN assignment.
I think it has to do with the samaccountname. 5c5cAdministrator instead of Administrator.

Where do I have to look?

Thanks!

Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LDAP group - samaccountname

Alan DeKok-2


> On Feb 4, 2020, at 2:42 PM, Olivier Mahieu <[hidden email]> wrote:
>
> Hello,
>
> Using the LDAP module in post-auth section (PEAP-MSCHAPv2); the correct user group is not found for VLAN assignment.
> I think it has to do with the samaccountname. 5c5cAdministrator instead of Administrator.

(9) Received Access-Request Id 111 from 192.168.56.3:1645 to 192.168.56.20:1812 length 261
(9)   User-Name = "AD-OM\\Administrator"

  That's generally not a good idea, i.e. account names with backslashes, etc.

(9)     EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9)        --> (samaccountname=AD-OM\5c5cAdministrator)
(9)     Performing search in "dc=MAH,dc=TEST" with filter "(samaccountname=AD-OM\5c5cAdministrator)", scope "sub"

  FreeRADIUS escapes the backslashes for security reasons.  Otherwise the users could add magic characters, change the ldap query, and do bad things.

  What is the account name in LDAP?  Does it have the backslashes in it?

  Alan DeKok.



RE: LDAP group - samaccountname

omahieu
It's the Active Directory Administrator account. No backslashes.
Doing radtest mschap returns correct vlan.



Sent from my Samsung Galaxy smartphone.



-------- Original message --------
From: Alan DeKok <[hidden email]>
Date: 4/02/20 21:21 (GMT+01:00)
To: FreeRadius users mailing list <[hidden email]>
Subject: Re: LDAP group - samaccountname


Re: LDAP group - samaccountname

Alan DeKok-2


> On Feb 4, 2020, at 3:27 PM, Olivier Mahieu <[hidden email]> wrote:
>
> Its active directory Administrator account. No backslashes.

  Then why are you looking up the full User-Name with backslashes?

  Split the User-Name into realm and "real" user name.  Then look up the real user name.  The server configuration does this pretty much by default.

  All you need to do is define an "AD-OM" realm in proxy.conf:

realm AD-OM {
}

  And the server will just do the right thing.

> Doing radtest mschap returns correct vlan.

  Because you're just using "Administrator" there.  Please pay attention.

  Alan DeKok.


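As an added example (not FreeRADIUS's own code), the two steps discussed in this thread in Python: escaping the raw User-Name for an LDAP filter, which leaves an escaped backslash in the filter so it can never match a plain sAMAccountName, versus stripping the realm first as a proxy.conf realm definition makes the server do. The escaping follows RFC 4515 literally, so its output differs in detail from the `\5c5c` sequence in the debug above; the function names `ldap_filter_escape`, `split_realm` and `build_filter` and the sample input are assumptions.

```python
# Added example, not FreeRADIUS code. Shows why escaping the full
# "DOMAIN\user" name produces an unmatchable filter, and why stripping
# the realm first (what a proxy.conf realm definition does) fixes it.

# Characters that RFC 4515 section 3 requires to be escaped in a filter value.
ESCAPE_CHARS = {"\\", "*", "(", ")", "\x00"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in ESCAPE_CHARS:
            # Each special character becomes a backslash plus two hex digits.
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def split_realm(user_name: str) -> tuple:
    """Split an NT-style 'DOMAIN\\user' name into (realm, stripped_user).

    Names without a backslash carry no realm. This mirrors the Realm /
    Stripped-User-Name split the thread recommends (assumed behaviour).
    """
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
        return realm, user
    return None, user_name


def build_filter(user_name: str, strip_realm: bool) -> str:
    """Expand the thread's '(samaccountname=...)' template for a User-Name."""
    name = user_name
    if strip_realm:
        _, name = split_realm(user_name)
    # Escaping always happens, so metacharacters in the name cannot alter the query.
    return "(samaccountname=%s)" % ldap_filter_escape(name)


# Constructed sample input, modelled on the User-Name in the debug output.
SAMPLE = "AD-OM\\Administrator"

if __name__ == "__main__":
    print(build_filter(SAMPLE, strip_realm=False))  # escaped backslash stays in the filter
    print(build_filter(SAMPLE, strip_realm=True))   # (samaccountname=Administrator)
    print(ldap_filter_escape("Admin*"))             # wildcard neutralised as \2a
```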