List: freeradius-users
Subject: Re: Having issues interpreting ldap search/filter attributes
From: Alan DeKok <aland () deployingradius ! com>
Date: 2020-08-19 15:06:14
Message-ID: 1522C2E9-0F72-49D0-8E42-ED595A56B0F5 () deployingradius ! com
On Aug 17, 2020, at 9:55 PM, Steve Phillips <steve@focb.co.nz> wrote:
> Firstly, can I say thanks for the previous mail, it helped quite a bit when it came to understanding how to check the rlm_ldap 'search' parameter against ldapsearch to see what comes back. I've since noticed some interesting things.
OK.
> Firstly, nested groups, I can say we are not searching for nested groups, the group being searched against (Let's call it "ACCESS_2FA") is happily returning the user object when a search is done using ldapsearch on this group.
That's good.
> I think I have found the issue though but I am unsure on how to fix it.
>
> When I perform the initial bind, I am doing this as a user supplied in the user-name radius attribute, and this is then converted to "username@domain" as an LDAP-UserDN using the 'sites-enabled' section as follows
> authorize {
>     auth_log
>     if (&User-Password) {
>         # If !State and User-Password (PAP) then force LDAP
>         update control {
>             Ldap-UserDN := "%{User-Name}@example.com"
>             Auth-Type := LDAP
>         }
>     }
> }
OK...
> From here, authentication happens
>
> authenticate {
>     Auth-Type LDAP {
>         # Attempt to authenticate with a direct bind
>         ldap
>     }
> }
>
> And this seems to succeed. (I was using files for authorization to perform the LDAP-Group match but changed to post-auth)
That's good.
> post-auth {
>     update {
>         &reply: += &session-state:
>     }
>     if (LDAP-Group == "ACCESS_2FA") {
>         update reply {
>             Reply-Message = "OMG, it worked"
>         }
>     }
> }
>
> No problem, and now I can see it is trying to check that the LDAP-Group matches for the LDAP-UserDN username OR username@example.com
> (From the modules-enabled/ldap)
>
> group {
>     membership_filter = "(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
> }
>
> Which seems to fail, as the group match is looking for CN=<fullname>,OU=Users,DC=example,DC=com. I can verify this by changing the membership_filter to
I'm not sure what you mean by <fullname>. Which field is it actually using?
> membership_filter = '(|(member=CN=Steve Phillips,OU=Users,DC=example,DC=com)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))'
>
> And this actually works (though is obviously not practical as no one logs in with their 'full name')
> No problem, we are getting somewhere, I had read that we can also perform a lookup on the user object rather than the group object (filter = '(objectclass=user)') as this way I can match the account name using the sAMAccountName and then perform a match on memberOf object using the full "CN=<group>
> Checking with ldapsearch, I worked out that the search (&(objectclass=user)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})) returns the user object, but when I try to implement this in the ldap module it seems to want to turn the search into..
> Debug: (0) Searching for user in group "ACCESS_2FA"
> ...
> Debug: (0) EXPAND (&(cn=ACCESS_2FA)(objectclass=user)(|(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})))
>
> Debug: (0) --> (&(cn=ACCESS_2FA)(objectclass=user)(|(sAMAccountName=user001)))
> And the check fails again.
What user identifier should be used for the ldap search?
> My ldap module is as follows
>
> ldap {
>     server = '10.0.0.50'
>     basedn = "dc=example,dc=com"
>     identity = 'CN=Steve Phillips,OU=Users,DC=example,DC=com'
>     password = MyPassword
That should be a "read-only" LDAP admin account. It should generally NOT be the account of a particular user.
> Am I missing a directive to say 'please lookup the user objectClass not the group objectClass' to get it to lookup the group in the user object rather than the user in the group object? - I couldn't see anything in the rlm_ldap comments.
The LDAP schema should be normal. Why does it have to look up something in a different place?
Alan DeKok.
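The debug output quoted above shows what rlm_ldap actually sends: the group section's `filter` and `membership_filter` are ANDed with `(cn=ACCESS_2FA)`, so every term has to hold on the same object. The following is an added example, not code from the thread or from FreeRADIUS: it evaluates the thread's filters against a constructed Active Directory-style snapshot (the two DNs are the ones quoted above; every other attribute value is made up) so the failure mode is visible without a live server. In AD the group object records members by full DN in `member`, and the user object mirrors that in `memberOf`; neither carries the member's `sAMAccountName`, which is why the quoted filter cannot match and the hand-written `member=CN=Steve Phillips,...` one does. The example also escapes user-supplied values per RFC 4515 explicitly, rather than relying on the module, so the injection case is visible. The function names (`search`, `thread_group_filter`, `group_object_filter`, `user_object_filter`) are this example's own. For reference, the group section of the `mods-available/ldap` shipped with FreeRADIUS 3.0 keys its default `membership_filter` on `member=%{control:${..user_dn}}` and has a `membership_attribute` (default `memberOf`) for the user-object form; how those behave against a given directory is best checked the way the thread does, with ldapsearch.

```python
"""Added example (not from the thread or rlm_ldap): evaluate the three
filter shapes discussed above against a constructed AD-style directory.

The tiny filter parser covers the RFC 4515 subset used here:
(&...), (|...), (!...) and (attr=value) with \\XX hex escapes.
"""

# Constructed directory snapshot.  The DNs are the ones quoted in the
# thread; the remaining attribute values are invented.  Group membership
# is held as the member's DN on the group (member) and mirrored on the
# user (memberOf); neither side stores the sAMAccountName.
USER_DN = "CN=Steve Phillips,OU=Users,DC=example,DC=com"
GROUP_DN = "CN=ACCESS_2FA,OU=Groups,DC=example,DC=com"

DIRECTORY = [
    {
        "dn": USER_DN,
        "objectClass": ["top", "person", "user"],
        "cn": ["Steve Phillips"],
        "sAMAccountName": ["user001"],
        "userPrincipalName": ["user001@example.com"],
        "memberOf": [GROUP_DN],
    },
    {
        "dn": GROUP_DN,
        "objectClass": ["top", "group"],
        "cn": ["ACCESS_2FA"],
        "member": [USER_DN],
    },
]


def escape(value):
    """RFC 4515 escaping for an assertion value: '*', '(', ')', '\\' and
    control characters become \\XX so they cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\" or ord(c) < 0x20 else c
                   for c in value)


def parse(s):
    """Parse a filter string into a tree of ('&'|'|'|'!', kids) and
    ('=', attr, value) nodes."""
    node, end = _node(s, 0)
    if end != len(s):
        raise ValueError("trailing data in filter")
    return node


def _node(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, i))
        return (op, kids), i + 1
    eq = s.index("=", i)
    attr, value, i = s[i:eq], [], eq + 1
    while s[i] != ")":               # a raw ')' always ends the value
        if s[i] == "\\":             # \XX hex escape from escape()
            value.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            value.append(s[i])
            i += 1
    return ("=", attr, "".join(value)), i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry; attribute names and
    values compare case-insensitively, as AD does for these attributes."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, wanted = node
    for name, values in entry.items():
        if name != "dn" and name.lower() == attr.lower():
            if wanted == "*":        # presence filter
                return True
            return any(v.lower() == wanted.lower() for v in values)
    return False


def search(filter_string):
    """Subtree search of the snapshot; returns the DNs of matching entries."""
    node = parse(filter_string)
    return [e["dn"] for e in DIRECTORY if matches(node, e)]


def thread_group_filter(username, escaped=True):
    """The filter rlm_ldap built in the thread: cn=ACCESS_2FA and
    sAMAccountName=<user> must both hold on the same object.  escaped=False
    reproduces a naive string substitution, to show why escaping matters."""
    value = escape(username) if escaped else username
    return "(&(cn=ACCESS_2FA)(|(sAMAccountName=%s)))" % value


def group_object_filter(user_dn):
    """Group-object check: the group's member attribute holds the user's DN."""
    return "(&(cn=ACCESS_2FA)(objectClass=group)(member=%s))" % escape(user_dn)


def user_object_filter(username, group_dn):
    """User-object check: find the user by sAMAccountName, require memberOf."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))" % (
        escape(username), escape(group_dn))


if __name__ == "__main__":
    for f in (thread_group_filter("user001"),
              group_object_filter(USER_DN),
              user_object_filter("user001", GROUP_DN),
              thread_group_filter("x)(cn=ACCESS_2FA", escaped=False),
              thread_group_filter("x)(cn=ACCESS_2FA")):
        print("%-90s -> %s" % (f, search(f)))
```

The unescaped variant shows the structural risk of interpolating an identifier straight into a filter: a username of `x)(cn=ACCESS_2FA` turns the membership check into one that matches the group object itself. With the RFC 4515 escaping applied the same string is just a literal that matches nothing.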
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html