Cisco ASA with fall through auth for LDAP and Active Directory

2010-02-01 Thread Harry Hoffman

Hi all,

I'm trying to setup freeradius-2.x to provide authentication for a Cisco 
ASA VPN.


When the packet comes in I'd like to first check the LDAP database to 
see if the user/pass combination works and if not then check against 
Active Directory (using ntlm_auth).


Both LDAP and AD (via ntlm_auth) work separately. I've used the 
following URL to setup the AD connectivity (via /etc/modules/ntlm_auth 
for PAP and /etc/modules/mschap for MSCHAP):

http://deployingradius.com/documents/configuration/active_directory.html

Everything works as expected here. The username and password come across 
in clear text, from the VPN, and are handed to ntlm_auth which is then 
able to authenticate the user.


I'm stuck at trying to get freeradius to first check LDAP and then check 
AD if the LDAP server says that the username and password combo are not 
good.


I've searched both the mailing list and google but am confused by some 
of the answers given, specifically this message seems to be talking 
about a similar situation:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg59368.html

Any help would be greatly appreciated.

Cheers,
Harry
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
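An added example, not from Harry's post or from any reply on this page, of one way to write the fall-through he describes in FreeRADIUS 2.x unlang for the cleartext (PAP) case: the LDAP bind is tried first, and only a failed or not-found result hands the same User-Password to ntlm_auth. It assumes module instances named `ldap` and `ntlm_auth` that already work on their own, as the post says they do, and it relies on the per-module return-code priority syntax (`reject = 1`) described in `man unlang`; check that syntax against the installed version before deploying.

```unlang
# Added example (not from the original post). Assumes:
#   - an rlm_ldap instance "ldap" that can bind as the user with User-Password
#   - an rlm_exec instance "ntlm_auth" set up as in the deployingradius.com page
# Both are assumed to already work on their own.

authorize {
    preprocess
    suffix

    # The ASA sends PAP, so every request carries User-Password.
    # Route those requests to the fall-through section below.
    if (User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    Auth-Type LDAP {
        # In "authenticate" a module's reject/notfound normally ends the
        # section at once. Lowering those codes' priority to 1 lets
        # processing continue so the next module can be tried.
        ldap {
            reject   = 1
            notfound = 1
            fail     = 1
        }

        # Only reached when LDAP did not accept the password.
        # "fail" (LDAP server unreachable) also falls through here; remove
        # it from the list if an LDAP outage should not silently move
        # every login to AD.
        if (reject || notfound || fail) {
            ntlm_auth
        }
    }
}
```

With `radiusd -X`, a user whose LDAP bind succeeds shows `++[ldap] returns ok` and an Access-Accept without ntlm_auth ever being called; a user LDAP rejects shows `++[ldap] returns reject` followed by `++[ntlm_auth]`. One caveat worth keeping in mind: every wrong guess is now checked against two directories, so it counts against the lockout policy of both, and the Access-Accept does not record which backend accepted the password.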


RE: Config. Help please - ldap and Active Directory

2009-03-12 Thread Leighton Man
> And many requests later you ask about it:
> 
> >++? if (control:Tmp-String-0 == "ldap-student")
> >(Attribute control:Tmp-String-0 was not found)
> 
> .. and it's not there. Of course it's not, since it wasn't 
> set during processing of that Access-Request but much earlier 
> in the exchange.

Obvious when it's pointed out but I really don't understand the whole process 
yet. I'll keep reading the docs until I do!
 
> I would suggest that you move unlang statements to 
> inner-tunnel virtual server. You can do update reply and set 
> Reply-Message in authorize there (forget about temp attribute 
> and changing it in post-auth). Just enable 
> use_tunneled_reply in peap section of eap.conf and 
> Reply-Message will be passed on from inner tunnel into the 
> final reply.
> 

All working now. Thank you.

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
>Here's the complete debug (excluding the server start-up messages). There's 
>rather a lot of it which is why I tried to post the bits relevant to what I'm 
>trying (rather unsuccessfully :-) ) to understand.
>
>rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, 
>length=148
..
>[ldap_staff] search failed
>rlm_ldap: ldap_release_conn: Release Id: 0
>++[ldap_staff] returns notfound
>++? if (ok)
>? Evaluating (ok) -> FALSE
>++? if (ok) -> FALSE
>++- entering else else {...}
..
>+++[ldap_student] returns ok
>+++? if (ok)
>? Evaluating (ok) -> TRUE
>+++? if (ok) -> TRUE
>+++- entering if (ok) {...}

That is the unlang construction - in the default virtual server.

>[control] returns ok

I assume this is where you set the temp attribute.

>+++- if (ok) returns ok
>+++ ... skipping else for request 0: Preceding "if" was taken
>++- else else returns ok


And then it goes on ...

>Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
..
>rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, 
>length=159

etc.

And many requests later you ask about it:

>++? if (control:Tmp-String-0 == "ldap-student")
>(Attribute control:Tmp-String-0 was not found)

.. and it's not there. Of course it's not, since it wasn't set during
processing of that Access-Request but much earlier in the exchange.

I would suggest that you move unlang statements to inner-tunnel virtual
server. You can do update reply and set Reply-Message in authorize there
(forget about temp attribute and changing it in post-auth). Just enable
use_tunneled_reply in peap section of eap.conf and Reply-Message will be
passed on from inner tunnel into the final reply.

Ivan Kalik
Kalik Informatika ISP



RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> Can you post the whole debug, not just snippets. Are these
> from the same or from different requests in the exchange?
> Perhaps you need use_tunneled_reply rather than this.
>
Here's the complete debug (excluding the server start-up messages). There's 
rather a lot of it which is why I tried to post the bits relevant to what I'm 
trying (rather unsuccessfully :-) ) to understand.

Leighton


rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=36, 
length=148
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x0203000d01636d73786c656967
Message-Authenticator = 0xbc90b1b0b5ceba80a6767ff94c59ed43
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
NAS-IP-Address = 10.127.240.217
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "cmsxleig", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "cmsxleig"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[ldap_staff] performing user authorization for cmsxleig
[ldap_staff]expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> 
(sAMAccountName=cmsxleig)
[ldap_staff]expand: ou=staff, dc=ad, dc=hud, dc=ac, dc=uk -> ou=staff, 
dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as 
cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to 
burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=staff, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
rlm_ldap: object not found or got ambiguous search result
[ldap_staff] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap_staff] returns notfound
++? if (ok)
? Evaluating (ok) -> FALSE
++? if (ok) -> FALSE
++- entering else else {...}
[ldap_student] performing user authorization for cmsxleig
[ldap_student]  expand: (sAMAccountName=%{mschap:User-Name:-%{User-Name}}) -> 
(sAMAccountName=cmsxleig)
[ldap_student]  expand: ou=students, dc=ad, dc=hud, dc=ac, dc=uk -> 
ou=students, dc=ad, dc=hud, dc=ac, dc=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to burns.hud.ac.uk:389, authentication 0
rlm_ldap: bind as 
cn=username,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk/passwd to 
burns.hud.ac.uk:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may 
fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 36 to 10.127.240.217 port 1645
EAP-Message = 0x010400160410d7424da981434c0db858d196aa1331b4
Message-Authenticator = 0x
State = 0x5de163455de567c927acd591e49a319b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.127.240.217 port 1645, id=37, 
length=159
User-Name = "cmsxleig"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-1B-54-DB-BB-01"
Calling-Station-Id = "00-1B-63-B0-C9-E9"
EAP-Message = 0x020400060319
Message-Authenticator = 0x4dbcf0832938a2550152bfdcb815ec8c
NAS-Port-Type = Ethernet
NAS-Port = 50001
NAS-Port-Id = "FastEthernet0/1"
State = 0x5de163455de567c927acd591e49a319b
NAS-IP-Address = 10.127.240.217
+- entering group authorize {..

RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread tnt
>And I get:
>
> ++[eap] returns ok
>+- entering group post-auth {...}
>++[exec] returns noop
>++? if (control:Tmp-String-0 == "ldap-student")
>(Attribute control:Tmp-String-0 was not found)
>Sending Access-Accept of id 129 to 10.127.240.217 port 1645
>
>Towards the beginning of the debug output is:
>
>rlm_ldap: Bind was successful
>rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
>filter (sAMAccountName=cmsxleig)
>[ldap_student] looking for check items in directory...
>[ldap_student] looking for reply items in directory...
>WARNING: No "known good" password was found in LDAP.  Are you sure that the 
>user is configured correctly?
>[ldap_student] user cmsxleig authorized to use remote access
>rlm_ldap: ldap_release_conn: Release Id: 0
>+++[ldap_student] returns ok
>+++? if (ok)
>? Evaluating (ok) -> TRUE
>+++? if (ok) -> TRUE
>+++- entering if (ok) {...}
>[control] returns ok
>+++- if (ok) returns ok
>+++ ... skipping else for request 0: Preceding "if" was taken
>++- else else returns ok
>++[expiration] returns noop
>++[logintime] returns noop
>

Can you post the whole debug, not just snippets. Are these from the same
or from different requests in the exchange? Perhaps you need
use_tunneled_reply rather than this.

Ivan Kalik
Kalik Informatika ISP



RE: Config. Help please - ldap and Active Directory

2009-03-11 Thread Leighton Man
> 
>   Update a server-side attribute when you use the module:
> 
>   update control {
>       Tmp-String-0 = "ldap-student"
>   }
> 
>   then in post-auth:
> 
>   if (control:Tmp-String-0 == "ldap-student") {
>       ...
>   }
>
I'm really grateful for all your help but it still doesn't work and after hours 
of experimenting, here's where I am:

I add 

if (control:Tmp-String-0 == "ldap-student") {
    update reply {
        Reply-Message := "User is student"
    }
}
To the end of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 53 to 10.127.240.217 port 1645

Fair enough - The user is authenticated but Tmp-String-0 hasn't been assigned a 
string.

I add 

update control {
    Tmp-String-0 = "ldap-student"
}
To the beginning of the post-auth section and radiusd -X reports:

++[eap] returns ok
+- entering group post-auth {...}
++[control] returns noop
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
? Evaluating (control:Tmp-String-0 == "ldap-student") -> TRUE
++? if (control:Tmp-String-0 == "ldap-student") -> TRUE
++- entering if (control:Tmp-String-0 == "ldap-student") {...}
+++[reply] returns noop
++- if (control:Tmp-String-0 == "ldap-student") returns noop
Sending Access-Accept of id 101 to 10.127.240.217 port 1645

OK so far, so I move

update control {
    Tmp-String-0 = "ldap-student"
}

To the authorise section thus:

ldap_staff
if (ok) {
    update reply {
        Reply-Message = "ldap-staff"
    }
}
else {
    ldap_student
    if (ok) {
        update control {
            Tmp-String-0 = "ldap-student"
        }
    }
    else {
        reject
    }
}

And I get:

 ++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
++? if (control:Tmp-String-0 == "ldap-student")
(Attribute control:Tmp-String-0 was not found)
Sending Access-Accept of id 129 to 10.127.240.217 port 1645

Towards the beginning of the debug output is:

rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
filter (sAMAccountName=cmsxleig)
[ldap_student] looking for check items in directory...
[ldap_student] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the 
user is configured correctly?
[ldap_student] user cmsxleig authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ldap_student] returns ok
+++? if (ok)
? Evaluating (ok) -> TRUE
+++? if (ok) -> TRUE
+++- entering if (ok) {...}
[control] returns ok
+++- if (ok) returns ok
+++ ... skipping else for request 0: Preceding "if" was taken
++- else else returns ok
++[expiration] returns noop
++[logintime] returns noop

Does "[control] returns ok" mean the string was successfully assigned? If 
so, how do I find where it gets lost? 
A search for ldap-s through the file only produces two matches, one where the 
string is assigned and the other where it is tested. Similarly a search for 
Tmp-Str only finds two matches.

History | grep vi shows I haven't accidentally edited another file.

Leighton

 



Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote:
> Logic now working correctly - Many thanks
> Final problem is to return reply attributes in the access accept message. As 
> a test I added Reply-Message := "User is staff" in the update reply section 
> and the server duly added it to the next access challenge message. I assume I 
> need something in the post-auth section?

  Yes.

> How do I pass information about which ldap instance was successful in the 
> authorize section to post-auth?

  Update a server-side attribute when you use the module:

  update control {
      Tmp-String-0 = "ldap-student"
  }

  then in post-auth:

  if (control:Tmp-String-0 == "ldap-student") {
      ...
  }


RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> 
>   see "man unlang".  The syntax and examples are documented.
>
Read it many times. The problem is not the documentation, which is great, but 
my understanding which isn't!
I'm working on it but finding it heavy going.
> 
>    ...
>    ldap_staff
>    if (ok) {
>        update reply {
>            ...
>        }
>    }
>    else {
>        ldap_student
>        if (ok) {
>            update reply {
>                ...
>            }
>        }
>        else {
>            reject
>        }
>    }

Logic now working correctly - Many thanks
Final problem is to return reply attributes in the access accept message. As a 
test I added Reply-Message := "User is staff" in the update reply section and 
the server duly added it to the next access challenge message. I assume I need 
something in the post-auth section?
How do I pass information about which ldap instance was successful in the 
authorize section to post-auth?

Leighton
 



Re: Config. Help please - ldap and Active Directory

2009-03-10 Thread Alan DeKok
Leighton Man wrote:
> I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
> I can't do "if Ldap-Group" because there is no container in Active Directory 
> above staff and student to query.
> 
> What I think I need is:
> 
> if ldap_staff returns "ok" {
>   update reply{
> ..
>   }
> elsif ldap_student returns "ok" {
>   update reply{
> ..
>   }
> else {
>   Auth-Type := Reject
> }
> 
> ,where ldap_staff and ldap_student are instances of the ldap module
> I simply can't get the syntax right.

  see "man unlang".  The syntax and examples are documented.


   ...
   ldap_staff
   if (ok) {
       update reply {
           ...
       }
   }
   else {
       ldap_student
       if (ok) {
           update reply {
               ...
           }
       }
       else {
           reject
       }
   }

  Alan DeKok.
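As an added example (not configuration from Alan's, Ivan's or Leighton's messages), here is the 2.x layout the replies in this thread converge on: the staff/student lookup from Alan's skeleton is placed in the inner-tunnel virtual server, where it runs on the request that carries the tunnelled PEAP/MS-CHAPv2 credentials rather than on the outer identity packet whose control attributes are long gone by post-auth (Ivan's diagnosis); the in-neither-OU case ends in an explicit `reject`, closing the hole from the original post where such a user was still accepted on a valid AD password; and `use_tunneled_reply` in eap.conf carries the inner Reply-Message into the final Access-Accept. `ldap_staff` and `ldap_student` are the module instance names from the thread; the Reply-Message texts and the file names are assumptions, and only the eap.conf settings relevant here are shown.

```unlang
# Added example; not the thread's own configuration.
# ldap_staff / ldap_student: the two rlm_ldap instances from the thread, each
# with its own basedn (ou=staff,... and ou=students,...).

# --- raddb/sites-available/inner-tunnel ---
server inner-tunnel {
    authorize {
        mschap
        suffix

        # Runs on every inner (tunnelled) request, before eap, so the OU
        # check is evaluated on the same request that holds the MS-CHAPv2
        # response. Attributes set here are still present in this request's
        # post-auth, unlike values set during the outer identity exchange.
        ldap_staff
        if (ok) {
            update reply {
                Reply-Message := "User is staff"
            }
        }
        else {
            ldap_student
            if (ok) {
                update reply {
                    Reply-Message := "User is student"
                }
            }
            else {
                # In neither OU: stop here. Without this the password check
                # below still runs and a valid AD password yields
                # Access-Accept, which is the behaviour the thread started with.
                reject
            }
        }

        eap
    }

    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# --- raddb/eap.conf (excerpt; other settings unchanged) ---
eap {
    default_eap_type = peap
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        # Copy reply attributes (here Reply-Message) from the inner tunnel
        # into the outer Access-Accept sent to the switch.
        use_tunneled_reply = yes
    }
}
```

Test the negative case explicitly, since that is the failure the thread began with: a real AD account that is in neither OU must get an Access-Reject from the outer server, and `radiusd -X` should show `[ldap_student] returns notfound` followed by the reject inside the inner-tunnel processing. Both rlm_ldap instances in the thread bind with a service-account password to port 389 with start_tls = no; this example does not change that, but it is worth fixing at the same time, because those bind credentials cross the network in the clear.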


RE: Config. Help please - ldap and Active Directory

2009-03-10 Thread Leighton Man
> Now I'm trying to return different reply attributes 
> depending on Active Directory group membership and restrict 
> which groups can authenticate. Ldap lookups against the 
> active directory root fail with operation error. 
> Reconfiguring Active Directory is not a viable option so I 
> have to specify an OU= in the query. I have configured 
> two instances of the ldap module for authorisation, one to 
> query the staff ou and the other to query the student ou. 
> Both work OK for valid queries but if the user does not exist 
> in the ou the server still authenticates the 
> username/password and grants access if valid.
> 
> You need to upgrade to 2.x and use unlang. See man unlang on 
> freeradius site. You need something like:
> 
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else} else update 
> control { to reject }
> 


I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
I can't do "if Ldap-Group" because there is no container in Active Directory 
above staff and student to query.

What I think I need is:

if ldap_staff returns "ok" {
update reply{
..
  }
elsif ldap_student returns "ok" {
update reply{
..
  }
else {
  Auth-Type := Reject
}

,where ldap_staff and ldap_student are instances of the ldap module
I simply can't get the syntax right.
Am I on the right track? If so, a little help please.

Regards,
Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

>   Hmm... would it be possible to have to give *more* output? i.e. start from a 
> fresh directory:
> 
> $ tar -zxf freeradius-server-2.1.3.tar.gz
> $ cd freeradius-server-2.1.3
> $ ./configure
> $ gmake
> 
>   And show the errors (not the dozens of lines saying "building foo", or the 
> last dozen lines saying "error"), but the real informative errors about 
> building dict.c, and what errors were encountered building dict.c.
> 
>   The only way I can see that error happening is if the source and/or build 
> process is broken.
> 
>   Alan DeKok.


From the beginning:

rm -rf freeradius-server-2.1.3
tar xvf freeradius-server-2.1.3.tar (it's already been unzipped with "gzip -d")
cd freeradius-server-2.1.3
./configure | grep configure

...Lots of output including:
configure: WARNING: pcap library not found, silently disabling the RADIUS 
sniffer.
config.status: WARNING:  ./Make.inc.in seems to ignore the --datarootdir setting
config.status: WARNING:  ./src/include/build-radpaths-h.in seems to ignore the 
--datarootdir setting
configure: WARNING: silently not building rlm_counter. 
configure: WARNING: FAILURE: rlm_counter requires:  libgdbm.
configure: WARNING: EVP_sha256 not found, may have issues wirh WiMAX 
certificates
configure: WARNING: the TNCS library isn't found!
configure: WARNING: silently not building rlm_ippool.
configure: WARNING: FAILURE: rlm_ippool requires:  libgdbm.
configure: WARNING: silently not building rlm_perl.
configure: WARNING: FAILURE: rlm_perl requires:  EXTERN.h perl.h libperl.so.
configure: WARNING: silently not building rlm_eap_tnc.
configure: WARNING: FAILURE: rlm_eap_tnc requires:  -lTNCS.
configure: WARNING: silently not building rlm_eap_ikev2.
configure: WARNING: FAILURE: rlm_eap_ikev2 requires:  libeap-ikev2 
EAPIKEv2/connector.h.
configure: WARNING: the comm_err library isn't found!
configure: WARNING: silently not building rlm_krb5.
configure: WARNING: FAILURE: rlm_krb5 requires:  krb5.h.
configure: WARNING: silently not building rlm_python.
configure: WARNING: FAILURE: rlm_python requires:  Python.h libpython2.3.
configure: WARNING: silently not building rlm_sql_iodbc.
configure: WARNING: FAILURE: rlm_sql_iodbc requires: libiodbc isql.h.
configure: WARNING: oracle headers not found.  Use 
--with-oracle-home-dir=.
configure: WARNING: silently not building rlm_sql_oracle.
configure: WARNING: FAILURE: rlm_sql_oracle requires: oci.h.
configure: WARNING: silently not building rlm_sql_unixodbc.
configure: WARNING: FAILURE: rlm_sql_unixodbc requires: libodbc sql.h.

Then:

gmake

Got the error about undefined symbol SUN_LEN
Edited src/include/radiusd.h

gmake

...and it all compiles OK.
Not sure what I did wrong the first time but many thanks for your help.

Leighton
 



RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
>
>Is there any way to do what I want without upgrading?
>

You can try users file:

DEFAULT   Ldap-Group == staff
 some reply

DEFAULT   Ldap-Group == student
 some other reply

DEFAULT   Auth-Type := Reject

That should be at the end of the users file (i.e. anything below this will
never match) and you need to fall through if there are other user file
entries. These can't have Fall-Through.

Ivan Kalik
Kalik Informatika ISP



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote:
> Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT 
> -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
> -I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c  -fPIC -DPIC -o 
> .libs/dict.o" (copy and paste from the gmake output) from the src/libs 
> directory. Same error both times.

  Hmm... would it be possible to have to give *more* output? i.e. start
from a fresh directory:

$ tar -zxf freeradius-server-2.1.3.tar.gz
$ cd freeradius-server-2.1.3
$ ./configure
$ gmake

  And show the errors (not the dozens of lines saying "building foo", or
the last dozen lines saying "error"), but the real informative errors
about building dict.c, and what errors were encountered building dict.c.

  The only way I can see that error happening is if the source and/or
build process is broken.

  Alan DeKok.


RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man

>   Huh?  It compiles on 3-4 different Solaris boxes that I have access to.
> 
>   Did you run "make" from the TOP directory, or by cd'ing to src/lib?
> 
>   Alan DeKok.

Tried "gmake" from the top directory and "gcc -g -O2 -D_REENTRANT 
-D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -D_LIBRADIUS 
-I/export/home/cmsxljm/freeradius-server-2.1.3/src -c dict.c  -fPIC -DPIC -o 
.libs/dict.o" (copy and paste from the gmake output) from the src/libs 
directory. Same error both times.

Leighton
 



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Alan DeKok
Leighton Man wrote:
> Many thanks for this. I'm using 1.1.7 because it's available as a pre-built 
> package on solaris for both sparc and x86 architectures. The idea is to get 
> freeradius configured and working as fast as possible so it can be demo'd to 
> management (I'm trying to retire Cisco ACS). Then to test it on x86 standard 
> build which is being developed in parallel. Then, if all works, upgrade to 
> latest version.
> Version 2.1.3 won't compile on my solaris box and the problem looks, to me, 
> non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a 
> function))

  Huh?  It compiles on 3-4 different Solaris boxes that I have access to.

  Did you run "make" from the TOP directory, or by cd'ing to src/lib?

  Alan DeKok.


RE: Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
 
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
>so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
>authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active 
>Directory group membership and restrict which groups can authenticate. Ldap 
>lookups against the active directory root fail with operation error. 
>Reconfiguring Active Directory is not a viable option so I have to specify an 
>OU= in the query. I have configured two instances of the ldap module for 
>authorisation, one to query the staff ou and the other to query the student 
>ou. Both work OK for valid queries but if the user does not exist in the ou 
>the server still authenticates the username/password and grants access if 
>valid.

> You need to upgrade to 2.x and use unlang. See man unlang on freeradius site. 
> You need something like:
> 
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else} else update control { to 
> reject }
> 
> Ivan Kalik
> Kalik Informatika ISP

Many thanks for this. I'm using 1.1.7 because it's available as a pre-built 
package on solaris for both sparc and x86 architectures. The idea is to get 
freeradius configured and working as fast as possible so it can be demo'd to 
management (I'm trying to retire Cisco ACS). Then to test it on x86 standard 
build which is being developed in parallel. Then, if all works, upgrade to 
latest version.
Version 2.1.3 won't compile on my solaris box and the problem looks, to me, 
non-trivial. (dict.c:83: error: `PW_TYPE_STRING' undeclared here (not in a 
function))

Is there any way to do what I want without upgrading?

Regards,

Leighton
 



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread tnt
>I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
>so please have patience.
>I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
>authenticate against Active Directory using ntlm-auth.
>All working OK.
>Now I'm trying to return different reply attributes depending on Active 
>Directory group membership and restrict which groups can authenticate. Ldap 
>lookups against the active directory root fail with operation error. 
>Reconfiguring Active Directory is not a viable option so I have to specify an 
>OU= in the query. I have configured two instances of the ldap module for 
>authorisation, one to query the staff ou and the other to query the student 
>ou. Both work OK for valid queries but if the user does not exist in the ou 
>the server still authenticates the username/password and grants access if 
>valid.

You need to upgrade to 2.x and use unlang. See man unlang on freeradius
site. You need something like:

if Ldap-Group == staff { do something }
elsif Ldap-Group == student { do something else}
else update control { to reject }

Ivan Kalik
Kalik Informatika ISP



Re: Config. Help please - ldap and Active Directory

2009-03-06 Thread Nicolas Goutte

On 06.03.2009 at 12:20, Leighton Man wrote:

> Hi,
> I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
> so please have patience.
> I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
> authenticate against Active Directory using ntlm-auth.
> All working OK.
> Now I'm trying to return different reply attributes depending on Active 
> Directory group membership and restrict which groups can authenticate. Ldap 
> lookups against the active directory root fail with operation error. 
> Reconfiguring Active Directory is not a viable option so I have to specify an 
> OU= in the query. I have configured two instances of the ldap module for 
> authorisation, one to query the staff ou and the other to query the student 
> ou. Both work OK for valid queries but if the user does not exist in the ou 
> the server still authenticates the username/password and grants access if 
> valid. Relevant debug output:
> 
> rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with 
> filter (sAMAccountName=stafftest)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap_student" returns notfound for request 8
> modcall: leaving group student (returns notfound) for request 8
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 8
>   rlm_eap: Request found, released from the list
> 
> ...
> 
>   rlm_eap_peap: Tunneled data is valid.
>   rlm_eap_peap: Success
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 8
> modcall: leaving group authenticate (returns ok) for request 8
> Sending Access-Accept of id 104 to 10.127.240.217 port 1645
> 
> Relevant bits of radiusd.conf:
> 
> ldap ldap_student {
>     server = "server.hud.ac.uk"
>     identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
>     password = secret

Try using := instead of = or == You have to assign the password, not 
compare to it. Also perhaps you should use Cleartext-Password if the 
password is in clear here.

>     port = 636
>     basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
>     filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
>     start_tls = no
>     access_attr = "dialupAccess"
>     dictionary_mapping = ${raddbdir}/ldap.attrmap
>     ldap_connections_number = 5
>     groupname_attribute = cn
>     groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>     groupmembership_attribute = radiusGroupName
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
> }
> 
> instantiate {
>     exec
>     expr
>     ldap_staff
>     ldap_student
> }
> 
> authorize {
>     preprocess
>     mschap
>     suffix
>     eap
>     Autz-Type staff {
>         ldap_staff
>     }
>     Autz-Type student {
>         ldap_student
>     }
>     files
> }
> 
> authenticate {
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
> 
> I want to reject the user if they are not in the relevant ou. I must be 
> missing something obvious. Can anyone help please?
> 
> Thanks in advance,
> Leighton

Nicolas Goutte

extragroup GmbH - Karlsruhe



Config. Help please - ldap and Active Directory

2009-03-06 Thread Leighton Man
Hi,
I'm new to freeradius (3 weeks experience) and mailing lists (second attempt) 
so please have patience.
I have freeradius 1.1.7 (prebuilt package) on Solaris 10 configured to 
authenticate against Active Directory using ntlm-auth.
All working OK.
Now I'm trying to return different reply attributes depending on Active 
Directory group membership and restrict which groups can authenticate. Ldap 
lookups against the active directory root fail with operation error. 
Reconfiguring Active Directory is not a viable option so I have to specify an 
OU= in the query. I have configured two instances of the ldap module for 
authorisation, one to query the staff ou and the other to query the student ou. 
Both work OK for valid queries but if the user does not exist in the ou the 
server still authenticates the username/password and grants access if valid. 
Relevant debug output:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=stafftest)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap_student" returns notfound for request 8
modcall: leaving group student (returns notfound) for request 8
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list

...

 rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 104 to 10.127.240.217 port 1645
 
Relevant bits of radiusd.conf:

ldap ldap_student{
server = "server.hud.ac.uk"
identity = "cn=user,ou=Specials,ou=Staff,dc=ad,dc=hud,dc=ac,dc=uk"
password = secret
port = 636
basedn = "ou=students, dc=ad, dc=hud, dc=ac, dc=uk"
filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
start_tls = no

   access_attr = "dialupAccess"
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
 groupname_attribute = cn
 groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
 groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}



instantiate {
exec
expr
ldap_staff
ldap_student
}

authorize {
preprocess
mschap
suffix
eap
Autz-Type staff{
ldap_staff
}
Autz-Type student{
ldap_student
}
files
}

authenticate {
Auth-Type MS-CHAP {
mschap
}
eap
}

I want to reject the user if they are not in the relevant ou. I must be missing 
something obvious. Can anyone help please?

Thanks in advance,
Leighton

 

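
One way to get the rejection asked for above, as an added example that is not from the thread: FreeRADIUS lets a module call inside a section override the action taken on a given return code, so a notfound from the OU-scoped search can stop the request instead of letting it continue to EAP and ntlm_auth, which would otherwise accept any valid AD account. It assumes the ldap_staff / ldap_student instances and Autz-Type groups from the radiusd.conf above, and that Autz-Type is already set for the request (for example from the users file) when these groups run.

```conf
# Added example (not from the thread): per-module return-code overrides
# in the authorize section of radiusd.conf, applied to the ldap_staff and
# ldap_student instances defined above. A notfound from the OU-scoped
# search now rejects the request instead of falling through to EAP.
authorize {
    preprocess
    mschap
    suffix
    eap

    # Assumed: Autz-Type has been set for this request earlier
    # (e.g. from the users file), exactly as in the original setup.
    Autz-Type staff {
        ldap_staff {
            notfound = reject   # no entry under the staff OU: stop here
            fail     = reject   # search error: fail closed, do not fall through
        }
    }
    Autz-Type student {
        ldap_student {
            notfound = reject   # no entry under the students OU: stop here
            fail     = reject
        }
    }
    files
}
```

With PEAP the OU lookup has to run against the tunneled inner request, which is the one carrying the real sAMAccountName (request 8 in the debug output above); an anonymous outer identity that is not in either OU would itself be rejected before the tunnel is built.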


Re[2]: LDAP and Active Directory

2004-07-04 Thread Alexander Lunyov
Hello Marc,

Sunday, July 4, 2004, 2:32:45 PM, you wrote:

MJ> Just a last question:
MJ> I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled,
MJ> can I remove OpenLDAP or must I keep it running?

I guess you should keep the OpenLDAP installation because of
freeradius's dependency on libldap etc.

-- 
Best regards,
 Alexander                            mailto:[EMAIL PROTECTED]




Re: LDAP and Active Directory

2004-07-04 Thread Marc Jaeger
Thx, this will help me,

Just a last question:
I need OpenLDAP when I compile FreeRadius, but once FreeRadius is compiled,
can I remove OpenLDAP or must I keep it running?

Marc



Re: LDAP and Active Directory

2004-07-02 Thread Dustin Doris

> Hi,
>
> This may look like a recurring question, but I've checked the
> whole mailing list and many other websites but this isn't
> clear to me.
>
>
> I'm currently working on a gateway using a very poor but
> strong configuration of free radius.
> This gateway has installed the minimal configuration to make
> it as lightweight and strong as possible!
>
> My question is the following:
> My bosses want me to make my Linux box join some of the
> centralized user DBs we have. Our society has 4 kinds of
> (different) user databases including NIS, LDAP, Active
> Directory, MySQL, ...
>
> So making radius authenticate using NIS is no problem.
> But to add (or just modify) the authentication server to
> Active Directory, I understood (from many sources) that this is
> possible, but not how to do that.
>
> Is the Radius configuration file enough, or should I install
> some applications? Such as OpenLDAP? Kerberos? OpenSSL?
> Samba NTLM?

You'll need to install openldap before you compile freeradius for it to
use ldap.

>
> Moreover, I don't have direct access to a Windows PDC; do I
> need one?

You will need to have direct access to the windows active directory
server, port 389 (if that's what it listens on).

> I don't know LDAP well, so can someone who has a common
> configuration give me a sample configuration file(s)?

The radiusd.conf file will show most of what you need to do.  You'll
need to modify the ldap section of that file.  Please make sure you create
a user in Active Directory with read access.  This is the user that you
will put in identity and password.  You'll need to bind with that user to
active directory to do a search on the user logging in.  AD doesn't allow
anonymous searches, so you'll need to create a user with read access.

In basedn, you'll specify the base of where your users are stored in
Active Directory.  It will look something like this.

basedn = "ou=system users,dc=yourdomain,dc=com"

You'll have to find out where in the ldap directory the users are stored
and modify basedn to fit that.

Then in filter, you will specify the lookup for the user.  It will look
something like this.

filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"

>
> Can FreeRadius be extended in an SSO architecture?

Sure, if all your users are located in a place that freeradius can connect
to, such as active directory.


> Any advice will be appreciated. Thx...
>
> Marc
>
>


Hope that helps.

Dusty Doris



LDAP and Active Directory

2004-07-02 Thread marc.jaeger
Hi,

This may look like a recurring question, but I've checked the
whole mailing list and many other websites but this isn't
clear to me.


I'm currently working on a gateway using a very poor but
strong configuration of free radius.
This gateway has installed the minimal configuration to make
it as lightweight and strong as possible!

My question is the following:
My bosses want me to make my Linux box join some of the
centralized user DBs we have. Our society has 4 kinds of
(different) user databases including NIS, LDAP, Active
Directory, MySQL, ...

So making radius authenticate using NIS is no problem.
But to add (or just modify) the authentication server to
Active Directory, I understood (from many sources) that this is
possible, but not how to do that.

Is the Radius configuration file enough, or should I install
some applications? Such as OpenLDAP? Kerberos? OpenSSL?
Samba NTLM?

Moreover, I don't have direct access to a Windows PDC; do I
need one?
I don't know LDAP well, so can someone who has a common
configuration give me a sample configuration file(s)?

Can FreeRadius be extended in an SSO architecture?

Any advice will be appreciated. Thx...

Marc
