Hi,

We are attempting to enforce LDAP signing or TLS encryption and have started by auditing insecure LDAP binds in AD. An example how-to detailing the steps: https://azurecloudai.blog/2019/08/03/step-by-step-enforce-require-ldap-signing-on-domain-controllers-part-1/
We are using an 'Active Directory Domain' together with AD authentication sources. Herewith sample events relating to LDAP binds from PacketFence:

4624, dc01.realm.com, 07/31/2021 23:59:45, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf86c0dd 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 44240 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:59:15, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf86bc35 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 44110 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:58:45, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf867d3e 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 43930 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)
4624, dc01.realm.com, 07/31/2021 23:58:15, S-1-5-18 DC01$ DOMAIN 0x3e7 S-1-5-21-1004336348-1177238915-682003330-11463 auth-packetfence DOMAIN 0xf863c2a 3 Advapi MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 DC01 {00000000-0000-0000-0000-000000000000} - - 0 0x26c C:\Windows\System32\lsass.exe 192.168.1.5 43804 %%1833 - - - %%1843 0x0 %%1842,(System.Diagnostics.EventLogEntry.message)

I have however defined the LDAP host in the GUI as:

Host: realm.com
Port: 636
Type: SSL

Are there possibly checks or other interactions that bind to LDAP without TLS? Perhaps this has already been discussed previously, to prepare PacketFence's AD integration to either use LDAP signing or encapsulate all simple binds in TLS?
PS: Our AD servers use certificates issued by an AD CS, herewith the steps we took to add the public CA root certificate chain:

f='companyad';
mkdir -p /usr/share/ca-certificates/$f;
scp linux-test.realm.com:/etc/pki/tls/syrex-AD-ca.pem /usr/share/ca-certificates/$f/$f.crt;
#curl http://www.cacert.org/certs/root.crt > /usr/share/ca-certificates/$f/$f.crt;
#curl http://www.cacert.org/certs/class3.crt >> /usr/share/ca-certificates/$f/$f.crt;
echo "$f/$f.crt" >> /etc/ca-certificates.conf;
update-ca-certificates;

/usr/local/pf/conf/domain.conf

[companyad]
workgroup=DOMAIN
ntlm_cache_on_connection=disabled
dns_servers=192.168.1.5
ad_server=dc01.realm.com
registration=0
ntlm_cache_filter=(&(samAccountName=*)(!(|(lockoutTime=>0)(userAccountControl:1.2.840.113556.1.4.803:=2))))
dns_name=realm.com
sticky_dc=*
ou=Company/Users/LDAP Integration
ntlm_cache_batch_one_at_a_time=disabled
server_name=%h
ntlm_cache_batch=disabled
ntlm_cache_expiry=3600
ntlmv2_only=1
status=enabled

/usr/local/pf/conf/realm.conf

# Copyright (C) Inverse inc.
[1 DEFAULT]
radius_auth_proxy_type=keyed-balance
domain=companyad
radius_acct_proxy_type=load-balance
radius_auth=
radius_auth_compute_in_pf=enabled
permit_custom_attributes=disabled
radius_acct=

[1 NULL]
radius_auth_proxy_type=keyed-balance
radius_auth=
permit_custom_attributes=disabled
radius_auth_compute_in_pf=enabled
domain=companyad
radius_acct_proxy_type=load-balance
radius_acct=
eduroam_radius_auth_proxy_type=keyed-balance
eduroam_radius_acct=
eduroam_radius_auth=
eduroam_radius_acct_proxy_type=load-balance
eduroam_radius_auth_compute_in_pf=enabled

[1 DOMAIN]
portal_strip_username=enabled
radius_strip_username=enabled
radius_acct=
radius_auth_compute_in_pf=enabled
radius_auth=
admin_strip_username=enabled
radius_acct_proxy_type=load-balance
permit_custom_attributes=disabled
domain=companyad
radius_auth_proxy_type=keyed-balance
eap=default

[1 realm.com]
admin_strip_username=disabled
radius_acct=
permit_custom_attributes=disabled
radius_acct_proxy_type=load-balance
radius_auth_compute_in_pf=enabled
radius_strip_username=disabled
portal_strip_username=enabled
radius_auth=
domain=companyad
radius_auth_proxy_type=keyed-balance
eap=default

/usr/local/pf/conf/authentication.conf

[companyad_users]
password=****************
write_timeout=5
description=Company AD - Users
scope=sub
realms=null,DOMAIN,realm.com
type=AD
connection_timeout=1
binddn=auth-packetfe...@realm.com
read_timeout=10
cache_match=0
host=realm.com
port=636
monitor=1
shuffle=0
searchattributes=
email_attribute=mail
encryption=ssl
basedn=OU=Users,OU=Company,DC=realm,DC=com
usernameattribute=sAMAccountName
dynamic_routing_module=AuthModule
dead_duration=60
set_access_durations_action=

[companyad_users rule pf_admin]
status=enabled
condition0=memberOf,equals,CN=packetfence-admin,OU=3rd Party,OU=Security Groups,OU=Company,DC=realm,DC=com
description=Member of packetfence-admin AD security group
class=administration
action0=set_access_level=ALL
match=all

[companyad_users rule pf_reviewer]
condition0=memberOf,equals,CN=packetfence-reviewer,OU=3rd Party,OU=Security Groups,OU=Company,DC=realm,DC=com
status=enabled
description=Member of packetfence_reviewer AD security group
action0=set_access_level=Reviewer
class=administration
match=all

[companyad_users rule staff]
match=all
status=enabled
action0=set_role=staff
action1=set_access_duration=1M
class=authentication
condition0=memberOf,equals,CN=company,OU=Company,OU=Security Groups,OU=Company,DC=realm,DC=com
description=Member of company AD security group

[companyad_computers]
write_timeout=5
basedn=OU=Computers,OU=Company,DC=realm,DC=com
description=Company AD - Computers
scope=sub
port=636
host=realm.com
type=AD
realms=realm.com
usernameattribute=servicePrincipalName
shuffle=0
read_timeout=10
password=****************
searchattributes=
monitor=0
connection_timeout=1
encryption=ssl
email_attribute=mail
binddn=auth-packetfe...@realm.com
cache_match=0
dynamic_routing_module=AuthModule
dead_duration=60
set_access_durations_action=

Regards
David Herselman
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
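A client-side check that complements the DC-side audit described in the post, as an added example that is not part of the original message or of PacketFence itself: it parses the INI layout of /usr/local/pf/conf/authentication.conf and lists every directory source whose bind would not be wrapped in TLS. The sample config text, the hypothetical 'legacy_ldap' source and the set of source types treated as directory sources are constructed assumptions.

```python
"""Flag PacketFence directory sources whose bind would go out in clear text.
Added example, not PacketFence code. Parses the INI layout of
/usr/local/pf/conf/authentication.conf as shown in the post."""
import configparser

# Constructed sample: the LDAPS source from the post plus a hypothetical
# 'legacy_ldap' source (assumption) that still binds in clear text.
SAMPLE_AUTH_CONF = """
[companyad_users]
type=AD
host=realm.com
port=636
encryption=ssl
binddn=auth-packetfence@realm.com

[companyad_users rule pf_admin]
condition0=memberOf,equals,CN=packetfence-admin,OU=Company,DC=realm,DC=com

[legacy_ldap]
type=LDAP
host=ldap.realm.com
port=389
encryption=none
binddn=cn=svc,dc=realm,dc=com
"""

# Source types that perform an LDAP bind (AD is on the page; LDAP is assumed).
DIRECTORY_TYPES = {"AD", "LDAP"}


def load_sources(text):
    """Return {section: {key: value}} for source sections, skipping rule sub-sections."""
    # interpolation=None: PacketFence values such as server_name=%h contain '%',
    # which would otherwise raise InterpolationSyntaxError on lookup.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if " rule " not in s}


def audit_sources(text):
    """Return {source: reason} for each directory source whose bind is not TLS-protected."""
    findings = {}
    for name, src in load_sources(text).items():
        if src.get("type") not in DIRECTORY_TYPES:
            continue
        enc, port = src.get("encryption", "none").lower(), src.get("port", "389")
        if enc not in ("ssl", "starttls"):
            findings[name] = f"encryption={enc} to {src.get('host')}:{port}: simple bind in clear text"
    return findings
```

Run it against the real file with `audit_sources(open("/usr/local/pf/conf/authentication.conf").read())`; an empty result means every AD/LDAP source in PacketFence is configured for LDAPS or StartTLS, so any remaining clear-text binds on the DC come from elsewhere.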