Hello,
the problem <AuthBy LDAP2> => AD => group nesting is addressed over and over again
in this forum but has not been sufficiently resolved.
We have ever more requirements in our projects to authenticate users in nested
LDAP group environments.
I found a Perl script by Shawn Poulson,
http://www.explodingcoder.com/cms/content/how-query-active-directory-security-group-membership
and adjusted it to my needs. The script is tested directly and is very usable.
Shawn Poulson wrote: "A common task a developer may encounter is the need to
find out what security group a user is a member of. This is critical
information for an app to utilize a role-based authorization mechanism in web
apps, client/server apps, login scripts, etc. When querying LDAP, this is as
easy as enumerating the 'memberOf' attribute of the user account, right?
Not quite. The memberOf attribute lists distinguished names of all groups the
user is an immediate member of. Additionally, memberOf will list both
distribution and security groups as well as disabled groups, so it's important
to check for these conditions. Most importantly, this does not include nested
group membership. For example, say the user is a member of "IT Operations", and
that group is a member of "IT Department". If we grant authorization to "IT
Department", wouldn't we expect the user to inherit that right?
Ok, so we scan for the groups' parents recursively, right? Sure, but there's a
much better way.
User accounts have a 'tokenGroups' attribute that contains the SIDs of all
member enabled security groups AND their parents. Knowing the SID of a group,
it is very fast to look it up from this attribute to check membership, taking
only one query for the tokenGroups and another for each group SID lookup."
My problem is to convert this script to a PostSearchHook.
1. How can I avoid the second LDAP login/connection? <AuthBy LDAP2> is already
logged in and connected, so how can I get to the Net::LDAP level?
$_[4] is a Net::LDAP::Entry and caused an error:
Thu May 26 17:18:28 2011: ERR: Error in PostSearchHook(): Can't locate object
method "root_dse" via package "Net::LDAP::Entry" at (eval 36) line 43.
2. How can I deliver the LDAP group name ($grp2chk in my script) from outside
of the hook? Can I use arguments in the hook directive? Something like this:
PostSearchHook() ("ASA_FULL", "ARGUMENT02");
The script:
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my ($ldap_server, $ldap_username, $ldap_password) = ('10.11.11.112',
    'radiator', 'Makaka77');
print "Connecting to LDAP..."; # Login to LDAP
my $ldap = Net::LDAP->new($ldap_server, async => 0) or die $@;
print "Binding... ";
my $bind = $ldap->bind($ldap_username, password => $ldap_password);
die "Bind failed: " . $bind->error . "\n" if $bind->code;
print $bind->error_text(), "\n";
#Variablen###############################
my $usr2chk = 'aduser05';
my $grp2chk = 'ASA_FULL';
#$grp2chk = 'ASA_ANLS';
$grp2chk = 'ADMINS';
#Variablen###############################
my $userDN = GetDNByID($ldap, $usr2chk);
die "User $usr2chk not found\n" unless defined $userDN;
print "User DN: $userDN\n";
# Quick check if user is a member of a group (nested membership included,
# because tokenGroups already contains the parent groups)
my $check_OK = IsMemberOf($ldap, $userDN, GetDNByID($ldap, $grp2chk)) ? 1 : 0;
if ($check_OK) {
    print "User is a member of $grp2chk: $check_OK\n";
    # In the PostSearchHook the reply attribute would be added here,
    # e.g. tacacsgroup = XXX (placeholder from the original post, not Perl)
}
else {
    print "User is not a member of $grp2chk: $check_OK\n";
}
$ldap->unbind;
exit;
###Sub's###############################
# Is DN a member of security group?
# Usage: <bool> = IsMemberOf(<LDAP ref>, <DN of object>, <DN of group>)
sub IsMemberOf {
    my ($ldap, $objectDN, $groupDN) = @_;
    return 0 unless defined $groupDN && $groupDN ne "";
    my $groupSid = GetSidByDN($ldap, $groupDN);
    return 0 unless defined $groupSid && $groupSid ne "";
    # objectSid and tokenGroups are binary SIDs; compare them byte for byte
    my @matches = grep { $_ eq $groupSid } GetTokenGroups($ldap, $objectDN);
    return @matches > 0 ? 1 : 0;
}
# Get object's SID by DN, Usage: <SID> = GetSidByDN(<LDAP ref>, <DN>)
sub GetSidByDN {
    my ($ldap, $objectDN) = @_;
    my $results = $ldap->search( base => $objectDN, scope => 'base',
        filter => '(objectCategory=*)', attrs => ['objectSid'] );
    return undef if $results->code;
    if ($results->count) {
        return $results->entry(0)->get_value('objectSid');
    }
    return undef;
}
# Gets tokenGroups attribute from the provided DN
# Usage: <Array of tokens> = GetTokenGroups(<LDAP ref>, <DN of object>)
# tokenGroups is a constructed attribute: AD returns it only for a
# base-scope search on the object itself, never in subtree results.
sub GetTokenGroups {
    my ($ldap, $objectDN) = @_;
    my $results = $ldap->search( base => $objectDN, scope => 'base',
        filter => '(objectCategory=*)', attrs => ['tokenGroups'] );
    return () if $results->code;
    if ($results->count) {
        return $results->entry(0)->get_value('tokenGroups');
    }
    return ();
}
# Get DN by sAMAccountName, Usage: <DN> = GetDNByID(<LDAP ref>, <ID>)
sub GetDNByID {
    my ($ldap, $ID) = @_;
    # escape the value so a user-supplied name cannot alter the filter
    my $safe = escape_filter_value($ID);
    my $results = $ldap->search( base => GetRootDN($ldap),
        filter => "(sAMAccountName=$safe)", attrs => ['distinguishedName'] );
    return undef if $results->code;
    if ($results->count) {
        return $results->entry(0)->get_value('distinguishedName');
    }
    return undef;
}
# Get Root DN of logged in domain (e.g. DC=yourdomain,DC=com)
# Usage: <DN> = GetRootDN(<LDAP ref>)
sub GetRootDN {
    my ($ldap) = @_;
    return ($ldap->root_dse->get_value('namingContexts'))[0];
}
Kind regards
Waldemar Siebert
T-Systems International GmbH
Corporate Customers
Telecommunications Services & Solutions (TSS)
Technical Engineering (TSS TE) - Security & Production Engineering
Dipl.-Ing. Waldemar Siebert
Address: Nauheimer Str. 101, D-70372 Stuttgart
Phone: +49 (711) 555 - 43989
Fax: +49 (6151) 937 - 3129
Mobile: +49 (151) 174 66 111
E-mail: [email protected]
Internet: http:\\www.t-systems.com
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
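For the conversion asked about in the post, an added example (not the poster's script and not Radiator's own code) of a PostSearchHook that reuses the connection AuthBy LDAP2 already holds and reads tokenGroups with a base-scope search on the Net::LDAP::Entry passed in, so no second bind is needed. The argument order, the `$authby->{ld}` field, the `file:` loading form, the `cisco-avpair` reply attribute and the group map are assumptions to verify against the Radiator manual for your version; the group names live in the hook file because the directive takes Perl code, not arguments.

```perl
# Added example (not from the original post or Radiator). Assumptions:
# loaded via  PostSearchHook file:"/etc/radiator/tokengroups_hook.pl",
# called as ($authby, $username, $request, $reply, $entry), and the open
# Net::LDAP connection of AuthBy LDAP2 is $authby->{ld}. Check your manual.
use strict;
use warnings;
# Constructed sample mapping: group DN => value handed back in the reply.
my %group_map = (
    'CN=ASA_FULL,OU=Groups,DC=example,DC=com' => 'ASA_FULL',
    'CN=ADMINS,OU=Groups,DC=example,DC=com'   => 'ADMINS',
);
my $reply_attr = 'cisco-avpair';   # placeholder, use what your NAS expects
my %sid_cache;                     # group DN => raw objectSid, looked up once

# Base-scope read of one attribute. tokenGroups is a constructed attribute
# that AD returns only for scope 'base', so the subtree search AuthBy LDAP2
# already ran cannot supply it: a second search is needed, not a second bind.
sub read_attr {
    my ($ldap, $dn, $attr) = @_;
    my $res = $ldap->search(base => $dn, scope => 'base',
                            filter => '(objectCategory=*)', attrs => [$attr]);
    return () if $res->code || !$res->count;
    return $res->entry(0)->get_value($attr);   # all values in list context
}
# Resolve a group's SID once per process instead of on every request.
sub group_sid {
    my ($ldap, $group_dn) = @_;
    $sid_cache{$group_dn} = (read_attr($ldap, $group_dn, 'objectSid'))[0]
        unless exists $sid_cache{$group_dn};
    return $sid_cache{$group_dn};
}
sub {
    my ($authby, $username, $p, $rp, $entry) = @_;
    my $ldap = $authby->{ld};        # assumed field name, see above
    unless ($ldap && $entry) {
        &main::log($main::LOG_ERR, "tokenGroups hook: no LDAP handle or entry");
        return;
    }
    # Binary SIDs compared byte for byte; nested groups are already expanded.
    my %token = map { $_ => 1 } read_attr($ldap, $entry->dn, 'tokenGroups');
    for my $group_dn (sort keys %group_map) {
        my $sid = group_sid($ldap, $group_dn);
        next unless defined $sid && $token{$sid};
        &main::log($main::LOG_DEBUG, "$username is in $group_dn (tokenGroups)");
        $rp->add_attr($reply_attr, "tacacsgroup=$group_map{$group_dn}");
    }
};
```

Because the hook only adds reply attributes when a SID from tokenGroups matches, a user in none of the mapped groups gets no attribute and the NAS decides on that basis; the ERR log line is the place to watch for a lost LDAP handle after a reconnect.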