Hello Benjamin,
What I can do is add a connection profile option that will unset the
role of the device if no sources return a role.
It will be something like "unset the role if no sources compute one".
I will let you know when it will be done.
Regards
Fabrice
On 19-01-21 at 15:46, Brenek, Benjamin wrote:
Hello Fabrice,
Sorry for the delayed reply. I did as you requested and removed the role from a
device and tried logging in with an account that should not work. It does
appear that now the account is getting rejected properly.
Is there a catchall rule that can be applied so that this does not happen in
production, or is there another solution that can be used? It is not desirable
for us to have users potentially be able to log in with out-of-scope accounts.
Thank you,
Ben
-----Original Message-----
From: Fabrice Durand via PacketFence-users <[email protected]>
Sent: Wednesday, January 16, 2019 9:42 AM
To: [email protected]
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
Hello Benjamin,
So I think I know what happens: you are using the LDAP source just for
authorization, and if there are no rules that match then PacketFence will use the
role of the device.
Can you try to remove the role of the device and make another try?
Thanks
Fabrice
On 19-01-15 at 21:07, Durand fabrice via PacketFence-users wrote:
Hello Benjamin,
It looks OK, so I will do some tests tomorrow and let you know.
Regards
Fabrice
On 19-01-15 at 14:29, Brenek, Benjamin wrote:
Hello Fabrice,
Sorry for the delay.
We are using an external captive portal (Aerohive) that authenticates
using PacketFence. PacketFence is configured with a RADIUS proxy in
/usr/local/pf/raddb/proxy.conf that forwards to our RADIUS servers
for authorization. Then we use the LDAP authentication source to
auto-register the device.
I have attached:
authentication.conf
profiles.conf
proxy.conf
Thank you,
Benjamin Brenek
BAYADA Home Health Care | Intern, Support (NES)
4300 Haddonfield Road | Pennsauken, NJ 08109
O: 856-380-3008 | Ext: 0527-13 | bayada.com
-----Original Message-----
From: Durand fabrice <[email protected]>
Sent: Friday, January 11, 2019 6:49 PM
To: Brenek, Benjamin <[email protected]>; [email protected]
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
Hello Benjamin,
Just one thing to be sure I understand correctly: do you
authenticate on the portal, or is it autoreg via RADIUS?
Can you send me the authentication.conf and profiles.conf files?
Thanks
Regards
Fabrice
On 19-01-11 at 09:44, Brenek, Benjamin wrote:
Hi Fabrice,
I did as requested and ran a capture for LDAP traffic between
PacketFence and the LDAP source. The BaseDN is correct
(ou=Company Users,dc=subdomain,dc=domain,dc=com) and the scope was correct
(subtree => wholeSubtree). It also appears that all searchRequests
return 0 results, which makes it seem like PacketFence is doing
something even though it shouldn't.
Thank you,
Benjamin Brenek
-----Original Message-----
From: Durand fabrice via PacketFence-users <[email protected]>
Sent: Thursday, January 10, 2019 6:30 PM
To: [email protected]
Cc: Durand fabrice <[email protected]>
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
Hello Benjamin,
What you can do is capture the LDAP traffic between PacketFence
and the LDAP source and see with Wireshark whether the scope/base DN is
what you set in the authentication source.
In the code it does a search for the DN of the user and tries to bind
with this DN.
So if the user is not in or under the base DN, then the search should
not return anything and the authentication should fail.
So take the capture and see what happens exactly.
Regards
Fabrice
On 19-01-10 at 10:38, Brenek, Benjamin via PacketFence-users wrote:
Hi Nicolas,
Our authentication rules under the LDAP sources do not check LDAP
attributes, as expected/assumed functionality of the LDAP Source
would be to restrict authorization to the specified Base DN. Is
this expectation/assumption incorrect?
Thank you,
Benjamin Brenek
-----Original Message-----
From: Nicolas Quiniou-Briand <[email protected]>
Sent: Thursday, January 10, 2019 10:20 AM
To: Brenek, Benjamin <[email protected]>; [email protected]
Subject: Re: [PacketFence-users] LDAP Authentication Source Base DN and Scope are not followed.
Hello Benjamin,
On 2019-01-10 3:54 p.m., Brenek, Benjamin wrote:
Hi Nicolas,
I did as requested. It looks like the authentication comes back
with no matches, yet still authenticates the user. Attached is the
part of the log that relates to authentication of the user.
I saw this:
```
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
[..]
Matched condition SSID equals Company_Employee
(pf::Authentication::Source::match_rule)
```
for both LDAP sources.
Did you have rules on your LDAP sources that check the SSID value
in place of an LDAP attribute?
--
Nicolas Quiniou-Briand
[email protected] :: +1.514.447.4918 *140 :: https://inverse.ca
Inverse inc. :: Leaders behind SOGo (https://sogo.nu), PacketFence (https://packetfence.org) and Fingerbank (https://fingerbank.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
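As an added example that is not PacketFence's own code, the following Python model (all DNs, passwords and role names are constructed) illustrates the two behaviours discussed in this thread: Fabrice's description of the LDAP source searching for the user's DN under the configured base DN and scope and then binding with it, and the fallback to the device role when no source computes one, together with the proposed "unset the role if no sources compute one" profile option.

```python
# Added example, not PacketFence code: in-memory model of an LDAP source that
# searches under base DN/scope then binds, plus the device-role fallback.
# Constructed sample directory: DN -> password (illustrative, not real entries).
DIRECTORY = {
    "cn=alice,ou=Company Users,dc=subdomain,dc=domain,dc=com": "alice-pw",
    "cn=bob,ou=Contractors,dc=subdomain,dc=domain,dc=com": "bob-pw",
}


def dn_parts(dn):
    """Split a DN into normalized RDNs so suffix comparison is case-insensitive."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies within base_dn for scope 'base', 'one' or 'subtree'."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "subtree": True}[scope]


def search_user_dn(username, base_dn, scope="subtree"):
    """Step one of the source: the user's DN under the base DN, or None on 0 results."""
    rdn = f"cn={username}".lower()
    hits = [dn for dn in DIRECTORY
            if dn_parts(dn)[0] == rdn and in_scope(dn, base_dn, scope)]
    return hits[0] if len(hits) == 1 else None


def ldap_source_role(username, password, base_dn, scope="subtree",
                     rule_role="employee"):
    """Role computed by the source: only when the search finds the user and the
    bind with that DN succeeds; otherwise the source computes no role."""
    dn = search_user_dn(username, base_dn, scope)
    if dn is None or DIRECTORY[dn] != password:  # 0 results, or bind failed
        return None
    return rule_role


def final_role(source_roles, device_role, unset_if_no_source=False):
    """Fallback discussed in the thread: first role any source computed, else
    the device's role, unless the proposed profile option unsets it instead."""
    for role in source_roles:
        if role is not None:
            return role
    return None if unset_if_no_source else device_role
```

With the option off, a user outside the base DN whose source computes no role still ends up with the device's role, which is the behaviour Benjamin observed.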