RE: AD Authentication Permissions
On Wed 1/9/2013 4:31 PM, John Dennis wrote:
>> I think my bind is working fine now, but my basedn = "o=My Org,c=UA" field
>> is still wrong. I'm still not sure of the syntax. Any suggestions?
>
> I don't see a basedn of "o=My Org,c=UA" anywhere, however I do see a basedn
> of "ou=Phoenix_Users,dc=company,dc=stc"
>
> Hint, rlm_ldap is simply doing what the ldapsearch command does. Try using
> ldapsearch giving it the parameters you expect to be correct, iterate until
> the search succeeds, then use those same parameters in your radius ldap
> config.
>
> BTW, your ldap password "Sup3rS3cret" is no longer super secret ;-)

Thank you for the hints. I think I'm almost there...

I'm testing this with a Cisco switch. Using the config in the users file
shown below, I receive the message "Welcome Message," but not the level 15
privileges.

users:

DEFAULT LDAP-Group == "Radius-Users"
        Reply-Message = "Welcome Message",
        Cisco-AVPair = "shell:priv-lvl=15"

Do I have to add Cisco-AVPair to ldap.attrmap or modify the dictionary file?
If so, what is the correct syntax for adding it?

Thanks again for all of the help.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: AD Authentication Permissions
On 01/09/2013 05:10 PM, Tyler Brady wrote:
> I think my bind is working fine now, but my basedn = "o=My Org,c=UA" field
> is still wrong. I'm still not sure of the syntax. Any suggestions?

I don't see a basedn of "o=My Org,c=UA" anywhere, however I do see a basedn
of "ou=Phoenix_Users,dc=company,dc=stc"

Hint, rlm_ldap is simply doing what the ldapsearch command does. Try using
ldapsearch giving it the parameters you expect to be correct, iterate until
the search succeeds, then use those same parameters in your radius ldap
config.

BTW, your ldap password "Sup3rS3cret" is no longer super secret ;-)

> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to office.company.stc:389, authentication 0
> [ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
> [ldap] object not found
> rlm_ldap::ldap_groupcmp: search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[files] returns noop
> [ldap] performing user authorization for tbrady
> [ldap] expand: %{Stripped-User-Name} ->
> [ldap] ... expanding second conditional
> [ldap] expand: %{User-Name} -> tbrady
> [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=tbrady)
> [ldap] expand: ou=Phoenix_Users,dc=company,dc=stc -> ou=Phoenix_Users,dc=company,dc=stc
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
> [ldap] object not found
> [ldap] search failed
> [ldap] ldap_release_conn: Release Id: 0
> ++[ldap] returns notfound

--
John Dennis
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
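Two shell helpers for the loop John describes, added here as an example; they are not part of his message, of the thread, or of the FreeRADIUS project. ldap_probe re-runs the search rlm_ldap performed with ldapsearch, using the same server, bind DN, base DN and filter; redact_radius_debug masks the bind password that rlm_ldap prints in `radiusd -X` output before that output is pasted anywhere. The host and DNs are the ones in the debug output above; the (sAMAccountName=...) filter in the usage comment is an assumption about the AD schema and deliberately differs from the (uid=...) filter the posted config uses. ldap_probe needs a reachable directory and prompts for the bind password, so the block does not contact the network when run as-is.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for debugging rlm_ldap
# against Active Directory with FreeRADIUS 2.x.

# Re-run the search rlm_ldap performed, using the same server, bind DN,
# base DN and filter. ldapsearch prompts for the bind password (-W) so
# the secret never lands on a command line or in shell history. Requires
# a reachable directory server; it is defined here but not executed.
ldap_probe() {
    server=$1; bind_dn=$2; base_dn=$3; filter=$4
    # -x simple bind, -LLL terse LDIF, -s sub matches the module's subtree search
    ldapsearch -x -LLL -W -H "ldap://$server" -D "$bind_dn" \
        -b "$base_dn" -s sub "$filter" dn sAMAccountName memberOf
}

# Mask secrets in `radiusd -X` output read from stdin. rlm_ldap prints the
# bind credentials as "bind as <dn>/<password> to <host>"; clear-text
# password attributes and the module's own "password =" line are masked too.
redact_radius_debug() {
    sed -E \
        -e 's#(bind as [^/]+)/[^ ]+( to )#\1/<REDACTED>\2#' \
        -e 's#((User|Cleartext|NT|LM)-Password = )"[^"]*"#\1"<REDACTED>"#' \
        -e 's#^([[:space:]]*password[[:space:]]*=[[:space:]]*).*$#\1<REDACTED>#'
}

# Constructed sample of the kinds of lines that leak, run through the filter.
sample='[ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
        password = "Sup3rS3cret"
        User-Password = "hunter2"'

printf '%s\n' "$sample" | redact_radius_debug

# To mirror the failing search from the thread against a live DC, call e.g.
# (sAMAccountName instead of uid is an assumption about the AD schema):
#   ldap_probe office.company.stc \
#       "cn=user name,ou=Phoenix_Users,dc=company,dc=stc" \
#       "dc=company,dc=stc" "(sAMAccountName=tbrady)"
```

Pipe the whole `radiusd -X` transcript through redact_radius_debug before attaching it to a list post; if the search still returns "object not found" with the same parameters in ldapsearch, the problem is the base DN or the filter, not FreeRADIUS.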
RE: AD Authentication Permissions
I think my bind is working fine now, but my basedn = "o=My Org,c=UA" field
is still wrong. I'm still not sure of the syntax. Any suggestions?

[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to office.company.stc:389, authentication 0
[ldap] bind as cn=user name,ou=Phoenix_Users,dc=company,dc=stc/Sup3rS3cret to office.company.stc:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
[ldap] object not found
rlm_ldap::ldap_groupcmp: search failed
[ldap] ldap_release_conn: Release Id: 0
++[files] returns noop
[ldap] performing user authorization for tbrady
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> tbrady
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=tbrady)
[ldap] expand: ou=Phoenix_Users,dc=company,dc=stc -> ou=Phoenix_Users,dc=company,dc=stc
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=Phoenix_Users,dc=company,dc=stc, with filter (uid=tbrady)
[ldap] object not found
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound

T. Brady

-----Original Message-----
From: freeradius-users-bounces+tbrady=stc-comm@lists.freeradius.org
[mailto:freeradius-users-bounces+tbrady=stc-comm@lists.freeradius.org] On
Behalf Of Mathieu Simon
Sent: Wednesday, January 09, 2013 12:53 PM
To: FreeRadius users mailing list
Subject: Re: AD Authentication Permissions

Hi Tyler

Since I'm in a similar situation with AD but still learning, just general
experience with other applications from the *nix world authenticating
against AD:

Your AD admin (you?) needs to create a basic user account, no domain admin
needed - who can read the parts of your AD/LDAP tree as John said.
(We maintain a couple of srv-* accounts here to quickly distinguish between
real user accounts)

You'll need the value of the distinguishedName attribute on AD, your Admin
can give you this value, but it's hidden by default in the GUI.*

For "server=" (don't know of recommended for FR too): You could point to
your.domainname, as this is a DNS record maintained by your AD-integrated
nameservers who will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is, it's the base your FR will start
looking up inside the LDAP tree.

Regards
Mathieu
Re: AD Authentication Permissions
Hi Tyler

Since I'm in a similar situation with AD but still learning, just general
experience with other applications from the *nix world authenticating
against AD:

2013/1/9 John Dennis :
> On 01/09/2013 02:00 PM, Tyler Brady wrote:
>>
>> Can someone give more details on setting up LDAP groups? So far I have
>> attempted to modify the users file and the ldap module. I can't seem to get
>> the ldap module configured properly, but I'm sure that's just one of many
>> issues.
>>
>> ldap {
>>         #
>>         # Note that this needs to match the name in the LDAP
>>         # server certificate, if you're using ldaps.
>>         server = "ldap.your.domain"
>>         #identity = "cn=admin,o=My Org,c=UA"
>>         #password = mypass
>>         basedn = "o=My Org,c=UA"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         #base_filter = "(objectclass=radiusprofile)"
>>
>> cn = username (is this correct)
>> o = domain (is this correct)
>> c = ? (what does this field mean)

Your AD admin (you?) needs to create a basic user account, no domain admin
needed - who can read the parts of your AD/LDAP tree as John said.
(We maintain a couple of srv-* accounts here to quickly distinguish between
real user accounts)

You'll need the value of the distinguishedName attribute on AD, your Admin
can give you this value, but it's hidden by default in the GUI.*

For "server=" (don't know of recommended for FR too): You could point to
your.domainname, as this is a DNS record maintained by your AD-integrated
nameservers who will point to all addresses of your current DCs.

BaseDN - yeah, look up a little what it is, it's the base your FR will start
looking up inside the LDAP tree.

Regards
Mathieu

* http://www.sharepointboost.com/blog/how-to-find-attributes-of-objects-in-active-directory/
Re: AD Authentication Permissions
On 01/09/2013 02:00 PM, Tyler Brady wrote:
> Can someone give more details on setting up LDAP groups? So far I have
> attempted to modify the users file and the ldap module. I can't seem to get
> the ldap module configured properly, but I'm sure that's just one of many
> issues.
>
> ldap {
>         #
>         # Note that this needs to match the name in the LDAP
>         # server certificate, if you're using ldaps.
>         server = "ldap.your.domain"
>         #identity = "cn=admin,o=My Org,c=UA"
>         #password = mypass
>         basedn = "o=My Org,c=UA"
>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>         #base_filter = "(objectclass=radiusprofile)"
>
> cn = username (is this correct)
> o = domain (is this correct)
> c = ? (what does this field mean)

identity is the bind dn, it's an ldap concept, refer to ldap literature to
learn what a bind dn is. The bind dn you should be using is specific to your
deployment, ask whoever is managing your ldap server what to use. Remember
this represents a server-to-server binding, not a user-to-server binding, in
other words the radius server is binding to your ldap server to perform
lookups related to users and groups, thus the identity you bind as will need
permission to view that portion of the ldap tree.

--
John Dennis
RE: AD Authentication Permissions
Can someone give more details on setting up LDAP groups? So far I have
attempted to modify the users file and the ldap module. I can't seem to get
the ldap module configured properly, but I'm sure that's just one of many
issues.

ldap {
        #
        # Note that this needs to match the name in the LDAP
        # server certificate, if you're using ldaps.
        server = "ldap.your.domain"
        #identity = "cn=admin,o=My Org,c=UA"
        #password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        #base_filter = "(objectclass=radiusprofile)"

cn = username (is this correct)
o = domain (is this correct)
c = ? (what does this field mean)

Thank you,
T. Brady
Re: AD Authentication Permissions
G'day Alan(s)

2013/1/5 :
> huh? this wasn't about authentication, it was about authorization - ie
> passing back details about what a user can do on some kit - that works
> 100% fine with LDAP and AD

Thank you both for pointing in the correct directions by pointing me back at
the authentication != authorization thing.

I'm messing around with configuration files - yes, I admit to being a
beginner even after some time wrestling with FreeRADIUS now. ;-)

The thing I did here in my test env wasn't actually doing authorization, but
"kind of" authentication restriction, via ntlm_auth's
"--require-membership-of" parameter during the authentication phase.

Thank you guys!

--
Mathieu
Re: AD Authentication Permissions
Mathieu Simon wrote:
> As short question since Tyler was asking for AD as backend - which I
> have read (so far)
> can't use the LDAP module since AD stores ntlm hashes - at least not
> for authentication.

You can't use AD as an LDAP module for *authentication*.

> But then for LDAP groups how is that supposed to be done when using
> Samba/Winbind/ntlm_auth?

You configure AD as an LDAP server. And *don't* use it for authentication.

> Can I use LDAP groups for authorization (interestingly something I've
> not really found covered online or in FreeRADIUS books I've had at
> hand).

Yes.

Alan DeKok.
Re: AD Authentication Permissions
Hi,

> (protest if this may sound like hijacking this thread...)
> As short question since Tyler was asking for AD as backend - which I
> have read (so far)
> can't use the LDAP module since AD stores ntlm hashes - at least not
> for authentication.

huh? this wasn't about authentication, it was about authorization - ie
passing back details about what a user can do on some kit - that works
100% fine with LDAP and AD

> But then for LDAP groups how is that supposed to be done when using
> Samba/Winbind/ntlm_auth?

?? it isn't. ntlm_auth/samba/winbindd is purely for authentication - for
authorization you use the LDAP module talking to your AD and use the AD as a
DB oracle, not an authentication source

> Can I use LDAP groups for authorization (interestingly something I've
> not really found covered online or in FreeRADIUS books I've had at
> hand).

it's all covered in the books/docs/wiki

alan
Re: AD Authentication Permissions
G'day all

2013/1/5 Alan DeKok :
[snip]
>
> Set up groups in LDAP. See the LDAP / AD documentation.
>
> Then, in FreeRADIUS, check them:
>
> #-- users file
> DEFAULT LDAP-Group == "foo", ...
>         ...
>
> #---

(protest if this may sound like hijacking this thread...)
As short question since Tyler was asking for AD as backend - which I have
read (so far) can't use the LDAP module since AD stores ntlm hashes - at
least not for authentication.

But then for LDAP groups how is that supposed to be done when using
Samba/Winbind/ntlm_auth?

Can I use LDAP groups for authorization (interestingly something I've not
really found covered online or in FreeRADIUS books I've had at hand).

Best regards
Mathieu
Re: AD Authentication Permissions
Tyler Brady wrote:
> I am setting up a freeRADIUS (2.1.10) server for my network. I have
> everything working how I want it to except for some of the permission
> settings. For example, when users log in to Motorola radios in my
> network via freeRADIUS they only receive read-only permissions. Or when
> a Cisco user logs in I would like for them to receive automatic
> privilege level 15. I need for users to receive admin privileges. How
> do I accomplish this?

Use LDAP groups.

> NOTE: I'm authenticating against active directory. So where can I
> configure things like "cisco-avpair = shell:priv-lvl=15", or
> "Motorola-WIBB-Auth-Role = system-admin-role"? I understand how to
> configure permissions when you have individual users configured in the
> users.conf file. How do you configure permissions when you don't have
> any local users configured, but are using Active Directory?

Groups.

> Right now I use only one Active Directory group "Radius-Users" for
> authentication. If a user is part of the Radius-Users group on the
> AD server, then they get access. This is fine for now, but in the future
> I would like to set up more granular access control. I have seen a lot
> of talk about LDAP groups, but have not been able to find decent
> information on it. Ideally I would like for there to be several
> different user groups set up with different permissions for each. How do
> you accomplish this with freeRADIUS + Active Directory?

Set up groups in LDAP. See the LDAP / AD documentation.

Then, in FreeRADIUS, check them:

#-- users file
DEFAULT LDAP-Group == "foo", ...
        ...

#---

Alan DeKok.
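Carrying Alan DeKok's users-file sketch above, alan's point that ntlm_auth does the authentication while LDAP against AD does only the authorization, and Tyler's Cisco-AVPair question at the top of the thread through to one complete FreeRADIUS 2.x layout. This is an added example; it is not configuration from any message in the thread or from the FreeRADIUS project. Taken from the thread: the host office.company.stc, the suffix dc=company,dc=stc, the OU Phoenix_Users, and the Cisco and Motorola reply attributes. Assumed: the service account cn=svc-radius, the group names Network-Admins and Network-Ops, a stock AD schema in which user objects carry sAMAccountName and memberOf rather than uid, and that the Motorola attribute is defined in a dictionary on the server. Cisco-AVPair is defined in FreeRADIUS's stock dictionary.cisco, so it needs no ldap.attrmap entry; ldap.attrmap only maps LDAP attributes onto RADIUS attributes, which this layout does not use.

```text
# --- raddb/modules/ldap (FreeRADIUS 2.x): AD is used as a directory, not as
#     an authenticator. The bind identity is an ordinary domain account that
#     can read users and groups; it is never used to check a user's password.
ldap {
        server = "office.company.stc"               # host from the debug output
        identity = "cn=svc-radius,ou=Phoenix_Users,dc=company,dc=stc"  # assumed account
        password = "changeme"                       # assumed; keep this file mode 0640
        basedn = "dc=company,dc=stc"                # search the whole domain, not one OU
        # Assumes a stock AD schema: users have no uid attribute, so match on
        # sAMAccountName instead of the (uid=...) filter in the stock config.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Group lookups behind the LDAP-Group check. AD groups are
        # objectClass=group and list their members in "member"; the user
        # object carries the reverse links in "memberOf".
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
        groupmembership_attribute = memberOf

        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no                      # lab setting; enable TLS before production
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# --- raddb/modules/mschap: passwords are verified by the domain controller
#     through winbind's ntlm_auth, which is how MS-CHAP against AD works.
mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# --- raddb/users: authorization by AD group. Without Fall-Through the first
#     matching DEFAULT entry wins, so order entries from most to least
#     privileged and end with a reject for users in no recognised group.
DEFAULT LDAP-Group == "Network-Admins"
        Reply-Message = "Welcome, administrator",
        Cisco-AVPair = "shell:priv-lvl=15",
        Motorola-WIBB-Auth-Role = "system-admin-role"

DEFAULT LDAP-Group == "Network-Ops"
        Reply-Message = "Welcome, operator",
        Cisco-AVPair = "shell:priv-lvl=1"

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of a RADIUS access group"
```

The LDAP-Group comparison is what makes the files module call back into rlm_ldap (the rlm_ldap::ldap_groupcmp line in the debug output earlier in the thread), so the ldap module must be instantiated and listed in the authorize section even though it never authenticates anyone. If a Cisco switch shows the Reply-Message but still drops the user at privilege level 1, check the switch before the server: IOS applies shell:priv-lvl only when exec authorization is enabled (aaa new-model plus aaa authorization exec default group radius), and the thread does not show the switch configuration either way.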