Okay, so thanks again for this.
First question: our AuthBy LDAP2 already has a PostSearchHook specified:
PostSearchHook sub { my @hash = $_[4]->get('hash'); \
my @username = $_[4]->get('sAMAccountName'); \
system('/opt/radiator/radiator/goodies/inserttotp.sh',@username,@hash); \
return 1 ;}
It appears that if I define two, the latter one overrides. What's the right way
to configure two hooks in the same context? Is the only way to merge them into
a single Perl script?
And the follow-up question is (and forgive me that all of this plumbing isn't
entirely clear to me): should the hook code from ldap-memberof-hook.pl come
before inserttotp.sh since we don't want to bother to update the totp table if
they're not even granted NAS access? Or the other way around, so we can track
the "bad logins"?
Thanks in advance!
Dave
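One way to do both jobs in a single hook file, shown here as an added illustration that is neither Dave's configuration nor Heikki's ldap-memberof-hook.pl: the memberOf/NAS authorisation runs first and the TOTP script is only called for requests that were actually authorised, so the TOTP table is never updated for a user who is about to be rejected. It assumes the sample group DNs and NAS addresses from the hook quoted below, the attribute names (sAMAccountName, hash) and script path from Dave's existing PostSearchHook, and the Radiator calls ($p->code, $p->get_attr, $user->get_check, main::log) that the quoted hook already uses; the file name merged-hook.pl is made up.

```perl
# Added example (not Dave's or Heikki's code): one PostSearchHook that first
# runs the memberOf/NAS authorisation and only then calls the TOTP script.
# Assumed: group DNs and NAS addresses are the sample values from
# ldap-memberof-hook.pl; script path and attribute names come from Dave's
# configuration. Adjust all of them to local values.
use strict;
use warnings;
use Net::LDAP::Util;

sub {
    my ($p, $user, $entry) = @_[2, 3, 4];   # request, user, returned LDAP entry

    return unless $p->code() eq 'Access-Request';
    return unless $entry;                   # no LDAP entry: nothing to authorise

    my $dn     = $entry->dn();
    my $nas_ip = $p->get_attr('NAS-IP-Address') // '';

    # Which group a user must hold for each NAS (sample values, assumed).
    my %required_group_for_nas = (
        '10.20.30.44' => 'CN=Demo Admin Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com',
        '10.20.50.66' => 'CN=Demo Regular Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com',
    );
    # Canonicalise and lowercase on both sides so DN formatting differences do not matter.
    my %required = map { $_ => lc(Net::LDAP::Util::canonical_dn($required_group_for_nas{$_})) }
                   keys %required_group_for_nas;
    my %member   = map { lc(Net::LDAP::Util::canonical_dn($_)) => 1 } $entry->get_value('memberOf');

    my $wanted = $required{$nas_ip};
    unless (defined $wanted && $member{$wanted}) {
        # Unknown NAS or missing group: reject and stop here, so the TOTP table
        # is never touched for a request that will not be granted access.
        main::log($main::LOG_INFO, "PostSearchHook: no authorisation group for '$dn' on NAS '$nas_ip'", $p);
        $user->get_check->add_attr('Auth-Type', "Reject:No authorisation group found in LDAP for '$dn'");
        return;
    }

    # Authorised: now do what the second hook called inserttotp.sh for.
    my ($username) = $entry->get_value('sAMAccountName');
    my ($hash)     = $entry->get_value('hash');
    unless (defined $username && defined $hash) {
        main::log($main::LOG_WARNING, "PostSearchHook: '$dn' lacks sAMAccountName or hash, TOTP update skipped", $p);
        return;
    }
    # List form of system() runs the script without a shell, so attribute
    # values are passed as plain arguments and never parsed as shell syntax.
    my $status = system('/opt/radiator/radiator/goodies/inserttotp.sh', $username, $hash);
    main::log($main::LOG_WARNING, "PostSearchHook: inserttotp.sh exited with " . ($status >> 8) . " for '$username'", $p)
        if $status != 0;
    return;
}
```

Load it with a single PostSearchHook file:"%D/merged-hook.pl" line in place of the inline sub, the same way the quoted message loads ldap-memberof-hook.pl. If the intended order is the opposite one (record every attempt, then authorise), move the system() call and its checks above the authorisation block; the rest of the hook stays the same.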
-----Original Message-----
From: radiator <[email protected]> On Behalf Of Heikki Vatiainen
Sent: Monday, February 14, 2022 8:55 AM
To: [email protected]
Subject: Re: [RADIATOR] Radiator / LDAP / matching on multi-valued field
On 12.2.2022 0.39, Dave Kitabjian wrote:
> So, the second part of my problem is that obviously "DC=com CN=Admin
> Access" won't match the NAS-IP-Address. What I really need is logic like:
>
> IF AD.memberOf(user) matches "DC=com CN=Admin Access" AND NAS-IP-Address
> = A.B.C.D
> THEN PASS
> ELSE IF AD.memberOf(user) matches "DC=com CN=Regular Access" AND
> NAS-IP-Address = W.X.Y.Z
> THEN PASS
> ELSE FAIL
One option is to use code to implement the authorisation logic. First,
configure AuthBy LDAP2 to fetch 'memberOf' attributes. There's no need
to store them in request or response, so the configuration is simply this:
AuthAttrDef memberOf
PostSearchHook file:"%D/ldap-memberof-hook.pl"
The hook that processes the LDAP groups is below. Implementing flexible
authorisation with configuration options might be possible, for example
as Martin shows in his email, and a hook can then cover the rest of the
cases.
Here's ldap-memberof-hook.pl. I'll see that a copy gets added to goodies
too. The logic is meant for tailoring for local needs.
use strict;
use warnings;
use List::Util;
use Net::LDAP::Util;   # for canonical_dn(); Radiator normally has it loaded already

sub {
    my $p     = $_[2]; # The request
    my $user  = $_[3]; # The user trying to authenticate
    my $entry = $_[4]; # Returned LDAP entry
    my $rp    = $_[5]; # The reply

    # Process Access-Request messages only
    return unless $p->code() eq 'Access-Request';

    # Do nothing if the search did not return any results.
    return unless $entry;

    # groupMembership or memberOf is typically a multivalued LDAP
    # attribute for group memberships
    my $attr = 'memberOf';
    my $dn = $entry->dn();
    main::log($main::LOG_DEBUG, "PostSearchHook: processing '$attr' values for '$dn'", $p);

    # Convert all DNs to canonical format and then fully lowercase them
    my $admin_dn = lc(Net::LDAP::Util::canonical_dn('CN=Demo Admin Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com'));
    my $regular_dn = lc(Net::LDAP::Util::canonical_dn('cn=DEMO Regular Access,ou=Groups,dc=dev,dc=radiatorsoftware,dc=com'));
    my @ldapgroups = map { lc(Net::LDAP::Util::canonical_dn($_)) } $entry->get_value($attr);

    my $nas_ip = $p->get_attr('NAS-IP-Address');

    # We can now run authorisation logic based on LDAP groups, request
    # attributes and other available information.
    #
    # Sample: The first NAS allows only admins, the second only
    # regular users. Otherwise trigger failure.
    if ($nas_ip eq '10.20.30.44' &&
        (List::Util::first { $admin_dn eq $_ } @ldapgroups))
    {
        main::log($main::LOG_DEBUG, "PostSearchHook: matched LDAP group '$admin_dn'", $p);
        $user->get_reply->add_attr('Reply-Message', 'You are admin');
    }
    elsif ($nas_ip eq '10.20.50.66' &&
           (List::Util::first { $regular_dn eq $_ } @ldapgroups))
    {
        main::log($main::LOG_DEBUG, "PostSearchHook: matched LDAP group '$regular_dn'", $p);
        $user->get_reply->add_attr('Reply-Message', 'You are regular');
    }
    else
    {
        # Could also use add_attr to assign a default
        # authorization level.
        $user->get_check->add_attr('Auth-Type', "Reject:No authorisation group found in LDAP for '$dn'");
    }
    return;
}
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator