[prev in list] [next in list] [prev in thread] [next in thread] 

List:       freeradius-users
Subject:    Re: Having issues interpreting ldap search/filter attributes
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2020-08-19 15:06:14
Message-ID: 1522C2E9-0F72-49D0-8E42-ED595A56B0F5 () deployingradius ! com
[Download RAW message or body]

On Aug 17, 2020, at 9:55 PM, Steve Phillips <steve@focb.co.nz> wrote:
> Firstly, can I say thanks for the previous mail, it helped quite a bit when it came \
> to understanding how to check the rlm_ldap 'search' parameter against ldapsearch to \
> see what comes back. I've since noticed some interesting things.

  OK.

> Firstly, nested groups, I can say we are not searching for nested groups, the group \
> being searched against (Lets call it "ACCESS_2FA") is happily returning the user \
> object when a search is done using ldapsearch on this group.

  That's good.

> I think I have found the issue though but I am unsure on how to fix it.
> 
> When I perform the initial bind, I am doing this as a user supplied in the \
> user-name radius attribute, and this is then converted to "username@domain" as an \
> LDAP-UserDN using the 'sites-enabled' section as follows 
> authorize {
> auth_log
> if (&User-Password) {
> # If !State and User-Password (PAP) then force LDAP
> update control {
> Ldap-UserDN := "%{User-Name}@example.com"
> Auth-Type := LDAP
> }
> }
> }

  OK... 

> From here, authentication happens
> 
> authenticate {
> Auth-Type LDAP {
> # Attempt to authenticate with a direct bind
> ldap
> }
> }
> 
> And this seems to succeed. (I was using files for authorization to perform the \
> LDAP-Group match but changed to post-auth)

  That's good.

> post-auth {
> update {
> &reply: += &session-state:
> }
> if (LDAP-Group == "ACCESS_2FA") {
> update reply {
> Reply-Message = "OMG, it worked"
> }
> }
> }
> 
> No problem, and now I can see it is trying to check that the LDAP-Group matches for \
> the LDAP-UserDN username OR username@example.com 
> (From the modules-enabled/ldap) 
> 
> group {
> membership_filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
> }
> 
> Which seems to fail, as the group match is looking for \
> CN=<fullname>,OU=Users,DC=example,DC=com. I can verify this by changing the \
> membership_filter to

  I'm not sure what you mean by <fullname>.  Which field is it actually using?

> membership_filter = '(|(member=CN=Steve Phillips,OU=Users,DC=example, 
> DC=com)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))'
> 
> And this actually works (though is obviously not practical as no one logs in with \
> their 'full name') 
> No problem, we are getting somewhere, I had read that we can also perform a lookup \
> on the user object rather than the group object (filter = '(objectclass=user)') as \
> this way I can match the account name using the sAMAccountName and then perform a \
> match on memberOf object using the full "CN=<group> 
> Checking with ldapsearch, I worked out that the search \
> (&(objectclass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))  
> Returns the user object, but when I try to implement this in the ldap module it \
> seems to want to turn the search into.. 
> Debug: (0)     Searching for user in group "ACCESS_2FA"
> ...
> Debug: (0)       EXPAND \
> (&(cn=ACCESS_2FA)(objectclass=user)(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})))
>                 
> Debug: (0)          --> \
> (&(cn=ACCESS_2FA)(objectclass=user)(|(sAMAccountName=user001))) 
> And the check fails again.

  What user identifier should be used for the ldap search?

> My ldap module is as follows
> 
> ldap {
> server = '10.0.0.50'
> basedn = "dc=example,dc=com"
> identity = 'CN=Steve Phillips,OU=Users,DC=example,DC=com'
> password = MyPassword

  That should be a "read-only" LDAP admin account.  It should generally NOT be the \
account of a particular user.

> Am I missing a directive to say 'please lookup the user objectClass not the group \
> objectClass' to get it to lookup the group in the user object rather than the user \
> in the group object? - I couldn't see anything in the rlm_ldap comments.

  The LDAP schema should be normal.  Why does it have to look up something in a \
different place?

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


[prev in list] [next in list] [prev in thread] [next in thread]