On 05/26/2011 09:38 PM, [email protected] wrote:

Hello Waldemar,

> the problem <AuthBy LDAP2> => AD => Group Nesting will be over and over
> again addressed in this forum but not sufficiently resolved.
> We have evermore requirements in our projects to authenticate users in
> nested LDAP group environments.
> I found a perl script from Shawn Poulson,
> http://www.explodingcoder.com/cms/content/how-query-active-directory-security-group-membership
> and adjusted it to my relevance. Script is tested directly, very usable.
> My problem is to convert this script to a PostSearchHook.

You can convert the script to a Perl module. This lets you keep the
script structured as it is now. Creating a module is easy.

    package ExampleModule;

    # You may want to enable these
    use strict;
    use warnings;

    # Variables
    my $myvar;

    # Functions
    sub myfunc {
        # Function body
    }

    1;

Note that the last thing in the module file should be "1;" as shown
above. Please see below about how to load the module and call its
functions from various Hooks.

> 1. How can I avoid the second LDAP Login/Connection? <AuthBy LDAP2> is
> already logged in and connected, how can I get to Net::LDAP level?

Define an Identifier for your <AuthBy LDAP2> and use Radiator APIs to
locate the connection:

    my $ldap = Radius::AuthGeneric::find('myidentifier');
    unless ($ldap) {
        # error handling
    }

> $_[4] is Net::LDAP::Entry and caused an error:
>
> Thu May 26 17:18:28 2011: ERR: Error in PostSearchHook(): Can't locate
> object method "root_dse" via package "Net::LDAP::Entry" at (eval 36)
> line 43.

I tried running the script (needed to remove this line first:
AddToReply tacacsgroup = XXX) and it was successful for me.

You should check what version of LDAP module you are using. It may be
very old or incomplete:

http://cpansearch.perl.org/src/GBARR/perl-ldap-0.4001/Changes

    perl-ldap 0.28 19 May 2003
    ==========================
      * New class Net::LDAP::RootDSE

On my OpenSUSE system I have
/usr/lib/perl5/vendor_perl/5.12.1/Net/LDAP/RootDSE.pm
and this is what is required for root_dse to work.

> 2. How can I deliver the LDAP group name ($grp2chk in my script) from
> outside of hook? Can I use arguments in the hook directive? Something
> like this:
>
> PostSearchHook() ("ASA_FULL", "ARGUMENT02");

If you decide to go with making a Perl module, as I described above, you
can do the following:

    StartupHook sub { require "/etc/radiator/ExampleModule.pm"; }

    <AuthBy LDAP2>
        # ...
        PostSearchHook sub { ExampleModule::myfunc(@_, 'ASA_FULL'); }
    </AuthBy>

this adds 'ASA_FULL' to PostSearchHook arguments, or

    PostSearchHook sub { ExampleModule::myfunc(@_, \
        &Radius::Util::format_special('%{User-Name}', $_[2])); }

this example takes User-Name from the current request.

> The script:
>
> #!/bin/perl
> use strict;
> use warnings;
> use Net::LDAP;
>
> my ($ldap_server, $ldap_username, $ldap_password) = ('10.11.11.112',
>     'radiator', 'Makaka77');
>
> print "Connecting to LDAP...";
> # Login to LDAP
> my $ldap = Net::LDAP->new($ldap_server, async => 0) or die $@;
> print "Binding... ";
> # bind() returns a Net::LDAP::Message; check its result code, $@ is not set on failure
> my $mesg = $ldap->bind($ldap_username, password => $ldap_password);
> die $mesg->error if $mesg->code;
> print $mesg->error_text();
>
> #Variablen###############################
> my $usr2chk = 'aduser05';
> my $grp2chk = 'ASA_FULL';
> #$grp2chk = 'ASA_ANLS';
> $grp2chk = 'ADMINS';
> #Variablen###############################
>
> my $userDN = GetDNByID($ldap, $usr2chk);
> print "User DN: $userDN\n";
>
> # Quick check if user is a member of a group
> my $check_OK = IsMemberOf($ldap, $userDN, GetDNByID($ldap, $grp2chk));
> if ($check_OK) {
>     print "User is a member of $grp2chk: $check_OK\n";
>     # AddToReply tacacsgroup = XXX   (Radiator config directive, not Perl)
> }
> else {
>     print "User is not a member of $grp2chk: $check_OK\n";
> }
> $ldap->unbind;
> exit;
>
> ###Sub's###############################
> # Is DN a member of security group?
> # Usage: <bool> = IsMemberOf(<LDAP ref>, <DN of object>, <DN of group>)
> sub IsMemberOf {
>     my ($ldap, $objectDN, $groupDN) = @_;
>     return if (!defined $groupDN || $groupDN eq "");
>     my $groupSid = GetSidByDN($ldap, $groupDN);
>     return if (!defined $groupSid || $groupSid eq "");
>     # tokenGroups holds the SIDs of all groups, nested ones included
>     my @matches = grep { $_ eq $groupSid } GetTokenGroups($ldap, $objectDN);
>     @matches > 0;
> }
>
> # Get object's SID by DN
> # Usage: <SID> = GetSidByDN(<LDAP ref>, <DN>)
> sub GetSidByDN {
>     my ($ldap, $objectDN) = @_;
>     my $results = $ldap->search( base => $objectDN, scope => 'base',
>         filter => '(objectCategory=*)', attrs => ['objectSid'] );
>     if ($results->count) {
>         return $results->entry(0)->get_value('objectSid');
>     }
> }
>
> # Gets tokenGroups attribute from the provided DN
> # Usage: <Array of tokens> = GetTokenGroups(<LDAP ref>, <DN of object>)
> sub GetTokenGroups {
>     my ($ldap, $objectDN) = @_;
>     my $results = $ldap->search( base => $objectDN, scope => 'base',
>         filter => '(objectCategory=*)', attrs => ['tokenGroups'] );
>     if ($results->count) {
>         return $results->entry(0)->get_value('tokenGroups');
>     }
> }
>
> # Get DN by sAMAccountName
> # Usage: <DN> = GetDNByID(<LDAP ref>, <ID>)
> sub GetDNByID {
>     my ($ldap, $ID) = @_;
>     my $results = $ldap->search( base => GetRootDN($ldap),
>         filter => "(sAMAccountName=$ID)", attrs => ['distinguishedName'] );
>     if ($results->count) {
>         return $results->entry(0)->get_value('distinguishedName');
>     }
> }
>
> # Get Root DN of logged in domain (e.g. DC=yourdomain,DC=com)
> # Usage: <DN> = GetRootDN(<LDAP ref>)
> sub GetRootDN {
>     my ($ldap) = @_;
>     ($ldap->root_dse->get_value('namingContexts'))[0];
> }
>
> Kind regards
> Waldemar Siebert
>
> T-Systems International GmbH
> Corporate Customers
> Telecommunications Services & Solutions (TSS)
> Technical Engineering (TSS TE) - Security & Production Engineering
> Dipl.-Ing. Waldemar Siebert
> Address: Nauheimer Str. 101, D-70372 Stuttgart
> Phone: +49 (711) 555 - 43989
> Fax: +49 (6151) 937 - 3129
> Mobile: +49 (151) 174 66 111
> E-mail: [email protected]
> Internet: http:\\www.t-systems.com
>
> _______________________________________________
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER
etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
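As an added example (not from Heikki's reply, Waldemar's script or Radiator's own code): a module along the lines Heikki describes, which reuses the connection <AuthBy LDAP2> already holds and checks nested AD group membership through the tokenGroups attribute. It assumes the AuthBy carries Identifier "myidentifier" and keeps its Net::LDAP object in {ld}, that the hook's fifth argument is the user's Net::LDAP::Entry as noted in the thread, and that the group name is appended as the last hook argument.

```perl
package ExampleModule;
use strict;
use warnings;
use Net::LDAP::Util qw(escape_filter_value);
# Call from the AuthBy as:
#   PostSearchHook sub { ExampleModule::is_nested_member(@_, 'ASA_FULL'); }
# $_[4] is the user's Net::LDAP::Entry (as noted in the thread); the group
# name is the extra argument appended in the hook. Returns 1 or 0.
sub is_nested_member {
    my ($entry, $groupname) = ($_[4], $_[-1]);
    # Reuse the connection <AuthBy LDAP2> already holds. Assumptions: the
    # AuthBy has Identifier "myidentifier" and keeps its Net::LDAP object in {ld}.
    my $authby = Radius::AuthGeneric::find('myidentifier');
    my $ldap   = $authby ? $authby->{ld} : undef;
    unless ($ldap) {
        &main::log($main::LOG_ERR, "is_nested_member: no live LDAP connection");
        return 0;
    }
    my $groupdn = get_dn_by_id($ldap, $groupname);
    return 0 unless defined $groupdn;
    my ($groupsid) = read_attr($ldap, $groupdn, 'objectSid');
    return 0 unless defined $groupsid;
    # tokenGroups is constructed by AD: the binary SIDs of every group the
    # object belongs to, nesting already expanded; readable only at base scope.
    my @memberof = read_attr($ldap, $entry->dn, 'tokenGroups');
    my $hit = grep { $_ eq $groupsid } @memberof;   # byte-wise SID comparison
    &main::log($main::LOG_DEBUG, "is_nested_member: " . $entry->dn
               . ($hit ? " is" : " is not") . " in $groupname");
    return $hit ? 1 : 0;
}
# Base-scope read of one attribute from $dn; returns its values as a list.
sub read_attr {
    my ($ldap, $dn, $attr) = @_;
    my $r = $ldap->search(base => $dn, scope => 'base',
                          filter => '(objectCategory=*)', attrs => [$attr]);
    return () if $r->code || !$r->count;
    return $r->entry(0)->get_value($attr);
}
# DN lookup by sAMAccountName under the domain's default naming context;
# the value is escaped so a crafted account name cannot alter the filter.
sub get_dn_by_id {
    my ($ldap, $id) = @_;
    my $dse  = $ldap->root_dse or return undef;
    my $base = ($dse->get_value('namingContexts'))[0];
    my $r = $ldap->search(base => $base, attrs => ['distinguishedName'],
                          filter => '(sAMAccountName=' . escape_filter_value($id) . ')');
    return undef if $r->code || !$r->count;
    return $r->entry(0)->get_value('distinguishedName');
}
1;
```

What the hook does with the 1/0 result (adding a reply attribute, or rejecting the request) is left to the calling PostSearchHook.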
