Problem with LDAP group searches

Robert Graham
Problem with LDAP group searches

I'm trying to get Freeradius configured to authenticate our vpn users from a Cisco 3005 concentrator against Active Directory using the ldap module.  When I authenticated a vpn user on a per user basis - it works fine.  However, I want to authenticate not only the user, but also verify that the user is a member of a "group" in active directory.  I was following Dustin Doris's suggestion on Per-Client "group" matching and configured the huntgroups, users, and radiusd.conf accordingly.  However, it seems to fail doing a group lookup.  I don't know if it matters, but the user object and group object in Active Directory are in different containers (OUs).  Any help would be appreciated.

Thanks
Robert Graham

##########
Debug out:
##########

rad_recv: Access-Request packet from host 172.16.1.91:1054, id=40, length=119
        User-Name = "rgraham"
        User-Password = "XXXXXXXXXX"
        NAS-Port = 1036
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "192.168.15.1"
        Calling-Station-Id = "192.168.15.2"
        Tunnel-Client-Endpoint:0 = "192.168.15.2"
        NAS-IP-Address = 172.16.1.91
        NAS-Port-Type = Virtual
rad_lowerpair:  User-Name now 'rgraham'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for rgraham
radius_xlat:  '(sAMAccountName=rgraham)'
radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mem_co_dept1.mem-ins.com:389, authentication 0
rlm_ldap: bind as cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com/XXXXXXXXXX to mem_co_dept1.mem-ins.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (sAMAccountName=rgraham)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user rgraham authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "rgraham", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))'

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))))

rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member.
    users: Matched DEFAULT at 166
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 40 to 172.16.1.91:1054
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 42b1c93a
Nothing to do.  Sleeping until we see a request.

############
Users file:
############

DEFAULT Huntgroup-Name == vpnusers, LDAP-Group == MEMVPNFlex, Auth-Type := LDAP
        OU = TestGroup
        Fall-Through = 1

############
huntgroup
############

vpnusers        NAS-IP-Address == 172.16.1.91

#######################
ldap section of radiusd.conf
#######################

 ldap {
                server = "mem_co_dept1.mem-ins.com"
                basedn = "ou=mem users,dc=mem-ins,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                identity = "cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com"
                password = XXXXXXXXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
            password_attribute = userPassword
                groupname_attribute = cn
                groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

                groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                }


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Problem with LDAP group searches

Dusty Doris

> I'm trying to get Freeradius configured to authenticate our vpn users
> from a Cisco 3005 concentrator against Active Directory using the ldap
> module.  When I authenticated a vpn user on a per user basis - it works
> fine.  However, I want to authenticate not only the user, but also verify
> that the user is a member of a "group" in active directory.  I was
> following Dustin Doris's suggestion on Per-Client "group" matching and
> configured the huntgroups, users, and radiusd.conf accordingly.
> However, it seems to fail doing a group lookup.  I don't know if it
> matters, but the user object and group object in Active Directory are in
> different containers (OUs).  Any help would be appreciated.
>

You need to specify where the groups are located in AD.

> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
> users,dc=mem-ins,dc=com' radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
> users,dc=mem-ins,dc=com, with filter
> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
> search result rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
> member.
>     users: Matched DEFAULT at 166

The user was not found in that group, based on the lookup above.

>  groupname_attribute = cn
>  groupmembership_filter =
>  "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
>   (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  groupmembership_attribute = radiusGroupName

You have to modify these so you can find the group memberships.  For
example, how would you perform an ldapsearch from the command line to
find group memberships?  Take that info and put it there.  Make sure the
user you are binding with has access to read those groups.

Hope that is a little helpful.




Re: Problem with LDAP group searches

Robert Graham

>> I'm trying to get Freeradius configured to authenticate our vpn users
>> from a Cisco 3005 concentrator against Active Directory using the ldap
>> module.  When I authenticated a vpn user on a per user basis - it works
>> fine.  However, I want to authenticate not only the user, but also verify
>> that the user is a member of a "group" in active directory.  I was
>> following Dustin Doris's suggestion on Per-Client "group" matching and
>> configured the huntgroups, users, and radiusd.conf accordingly.
>> However, it seems to fail doing a group lookup.  I don't know if it
>> matters, but the user object and group object in Active Directory are in
>> different containers (OUs).  Any help would be appreciated.
>>
>
>You need to specify where the groups are located in AD.

But isn't this the purpose of setting the basedn in radiusd.conf?  Or is there another setting that I need to configure for ldap group searches?

>
>> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
>> users,dc=mem-ins,dc=com' radius_xlat:
>> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
>> users,dc=mem-ins,dc=com, with filter
>> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
>> search result rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
>> member.
>>     users: Matched DEFAULT at 166
>
>The user was not found in that group, based on the lookup above.

The user is a member of the MEMVPNFlex group in AD

>
>>  groupname_attribute = cn
>>  groupmembership_filter =
>>  "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
>>   (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>  groupmembership_attribute = radiusGroupName
>
>You have to modify these so you can find the group memberships.  For
>example, how would you perform an ldapsearch from the command line to
>find group memberships?  Take that info and put it there.  Make sure the
>user you are binding with has access to read those groups.
>
>Hope that is a little helpful.
>
>
>



Re: Problem with LDAP group searches

Dusty Doris
> >> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
> >> users,dc=mem-ins,dc=com' radius_xlat:
> >> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
> >> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
> >> users,dc=mem-ins,dc=com, with filter
> >> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> >> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
> >> search result rlm_ldap: ldap_release_conn: Release Id: 0
> >> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
> >> member.
> >>     users: Matched DEFAULT at 166
> >
> >The user was not found in that group, based on the lookup above.
>
> The user is a member of the MEMVPNFlex group in AD
>

Above is what your ldapsearch looks like and it didn't find the user in
that group.  You need to modify the group search syntax to the point where
it will find your user in the group.  Or if the user you are binding with
doesn't have read access on the groups, you need to assign it to that
user.

For example, if you were using ldapsearch from the command line, how would
you search for group members?  Does running that search above from the
command line, binding with the same user, find the user in the group?

I don't have access to an AD directory right now to get a view into their
ldap implementation and see what groups look like.  But you should view
the AD directory with some kind of ldap viewer and take a look at the
groups.  Perhaps the objectclass is wrong and AD doesn't use GroupOfNames?
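The following is an added example, not part of the thread: a small in-memory model of the subtree search that rlm_ldap's ldap_groupcmp() performs, run against a constructed directory laid out like the one in the debug output (user under OU=MEM Users, group in a separate OU). It shows both reasons the lookup above can fail: the thread's filter asks for objectClass=GroupOfNames, which Active Directory groups do not carry (AD groups are objectClass=group and list members in the member attribute), and a group stored outside basedn is never seen by a search rooted there. The group DN, filter-evaluation code and the AD-style filter are assumptions for illustration.

```python
# Added example (not the thread's code): model rlm_ldap's group search to show
# why the thread's GroupOfNames filter cannot match an AD group and why the
# group must sit under basedn. Directory entries below are constructed.

def parse_filter(s, i=0):
    """Parse an RFC 4515-style filter with &, | and simple equality into a tree."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":                    # (&...) or (|...) with nested children
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1        # skip the closing ')'
    end = s.index(")", i)               # simple (attr=value) term
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, attrs):
    """Evaluate a filter tree against one entry's attributes (case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    _, attr, value = node
    vals = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
    return value.lower() in vals

def ldap_search(directory, basedn, flt):
    """Subtree search: DNs under basedn whose attributes satisfy the filter."""
    tree, _ = parse_filter(flt)
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(basedn.lower()) and matches(tree, attrs)]

USER_DN = "CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com"   # from the debug output
GROUP_DN = "CN=MEMVPNFlex,OU=Groups,DC=mem-ins,DC=com"              # constructed: a different OU
DIRECTORY = {                                                        # constructed entries
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["rgraham"]},
    GROUP_DN: {"objectClass": ["group"], "cn": ["MEMVPNFlex"], "member": [USER_DN]},
}
# Filter exactly as rlm_ldap expanded it in the thread's debug output
ORIGINAL = ("(&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=%s))"
            "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))" % (USER_DN, USER_DN))
# Assumed AD-style filter: groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
AD_FILTER = "(&(cn=MEMVPNFlex)(&(objectClass=group)(member=%s)))" % USER_DN

def group_check(basedn, group_filter):
    """Return the group DNs ldap_groupcmp() would find for this basedn/filter pair."""
    return ldap_search(DIRECTORY, basedn, group_filter)

if __name__ == "__main__":
    for base in ("ou=mem users,dc=mem-ins,dc=com", "dc=mem-ins,dc=com"):
        print(base, group_check(base, ORIGINAL), group_check(base, AD_FILTER))
```

Only the combination of a basedn that covers the groups' OU and an objectClass/member pair that AD actually uses returns the group; the same check can be reproduced against a real directory with ldapsearch, binding as the identity from radiusd.conf, as the reply suggests.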