Re: Groups in active directory and checks in MySQL
Hello, sorry for the top quoting but I'm using a webmail for replying which is really crap.

Accordingly I'm posting here the debug log of a radtest. The authentication gets rejected because the group matches in the raddb/users with the following expression:

DEFAULT Ldap-Group == fax, Auth-Type := Reject

I've tried commenting it out and adding this to MySQL in the table radgroupcheck:

table: radgroupcheck
Groupname: fax
Attribute: Auth-Type
op: :=
Value: Reject

but it's not giving the same result, the check against SQL is ignored and the user is authed successfully.

Here is the debug log:

rad_recv: Access-Request packet from host 127.0.0.1 port 45195, id=232, length=57
        User-Name = sogo1
        User-Password = userpassword
        NAS-IP-Address = 192.168.4.82
        NAS-Port = 80
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log]      expand: %t -> Mon Aug 26 07:56:19 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = sogo1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files]         expand: dc=plutone,dc=local -> dc=plutone,dc=local
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> sogo1
[files]         expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] ldap_release_conn: Release Id: 0
[files]         expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (&(cn=fax)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=sogo1,CN=Users,DC=plutone,DC=local, with filter (objectclass=*)
[ldap] performing search in CN=Fax,CN=Users,DC=plutone,DC=local, with filter (cn=fax)
rlm_ldap::ldap_groupcmp: User found in group fax
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for sogo1
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> sogo1
[ldap]  expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap]  expand: dc=plutone,dc=local -> dc=plutone,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user sogo1 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql]   expand: %{User-Name} -> sogo1
[sql] sql_set_user escaped user --> 'sogo1'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sogo1' ORDER BY id
[sql]   expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname
Re: Groups in active directory and checks in MySQL
On 08/26/2013 09:04 AM, Atomikramp wrote:
> but it's not giving the same result, the check against sql is ignored
> and the user is authed successfully.

Because:

> [sql] User sogo1 not found
> ++[sql] returns notfound

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Groups in active directory and checks in MySQL
So, basically, if I didn't understand incorrectly, the user must also exist in the SQL database for it to be checked against the radgroupcheck table and for attributes in the radreply table to be sent back to the NAS.

A hybrid configuration cannot be done? As my schema, being an Active Directory, is pretty strict and I can't modify it without the risk of screwing it up, and even if I could mess with the schema, groupcheck when LDAP is involved, in all examples I've seen, has always been done using the file backend (raddb/users).

It would be really useful for me to be able to populate the groupcheck and radgroupreply tables with the parameters I need, and keep the user authentication in LDAP.

----- Original Message -----
From: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org <freeradius-users@lists.freeradius.org>
Subject: Re: Groups in active directory and checks in MySQL
Date: 26/08/13 13:22

On 08/26/2013 09:04 AM, Atomikramp wrote:
> but it's not giving the same result, the check against sql is ignored
> and the user is authed successfully.

Because:

> [sql] User sogo1 not found
> ++[sql] returns notfound
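A simplified model of the lookup the sql module makes in authorize, added here as an example and not code from the poster or from FreeRADIUS: it assumes the radcheck, radusergroup and radgroupcheck tables named in the thread's sql.conf and, as the assumed fix, a radusergroup row mapping sogo1 to the group fax. Without that row nothing in SQL links the user to the group, so the module returns notfound and the radgroupcheck entry is never consulted; with it, the Auth-Type := Reject control item is applied.

```python
import sqlite3

# Constructed in-memory copy of the three FreeRADIUS SQL tables this thread uses.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

def open_db(map_user_to_group):
    """Load the poster's radgroupcheck row; optionally add the assumed-fix radusergroup row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) "
               "VALUES ('fax', 'Auth-Type', ':=', 'Reject')")
    if map_user_to_group:
        db.execute("INSERT INTO radusergroup VALUES ('sogo1', 'fax', 1)")
    return db

def items_match(items, request, control):
    """'==' items must equal the request attribute; ':=' items are control
    assignments, applied only when every '==' item matched."""
    if any(request.get(attr) != val for attr, op, val in items if op == "=="):
        return False
    control.update({attr: val for attr, op, val in items if op == ":="})
    return True

def sql_authorize(db, request):
    """Teaching model (not rlm_sql's code) of the authorize pass in the debug log:
    radcheck first, then radusergroup -> radgroupcheck. If neither table names
    the user, the module returns notfound and no control items are set."""
    user, control, found = request["User-Name"], {}, False
    rows = db.execute("SELECT attribute, op, value FROM radcheck "
                      "WHERE username = ? ORDER BY id", (user,)).fetchall()
    if rows and items_match(rows, request, control):
        found = True
    groups = db.execute("SELECT groupname FROM radusergroup "
                        "WHERE username = ? ORDER BY priority", (user,)).fetchall()
    for (group,) in groups:
        checks = db.execute("SELECT attribute, op, value FROM radgroupcheck "
                            "WHERE groupname = ? ORDER BY id", (group,)).fetchall()
        if items_match(checks, request, control):
            found = True
    if not found:
        return "notfound", control   # the log's "User sogo1 not found"
    return "ok", control

REQUEST = {"User-Name": "sogo1", "User-Password": "userpassword"}  # from the radtest log
```

Calling sql_authorize(open_db(False), REQUEST) reproduces the notfound result from the debug log, while open_db(True) yields the Auth-Type := Reject control item from radgroupcheck.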
Groups in active directory and checks in MySQL
Hello everyone, I know this might be considered a bizarre situation but well... I was just wondering if it's possible to do such a thing.

I'm in a situation now where I can successfully retrieve group membership of users in the Active Directory LDAP tree using rlm_ldap, and check them against files.

So if I have a user with the memberOf attribute set to groupA and I set in the raddb/users the following entry:

DEFAULT Ldap-Group == groupA, Auth-Type := Reject
        Reply-Message = "Not Allowed."

I successfully deny access to that user.

Since I'm already using MySQL for storing accounting information I was really interested in being able to use the same backend (MySQL) also for performing checks against groups.

If I perform checks against usernames using the table radcheck they work properly (users retrieved from the LDAP backend); I've tried setting a radcheck like the following:

userA Max-Daily-Session := 7200

and after 2 hours the user is unable to authenticate to the NAS because the time allowed has expired.

But I can't seem to be able to do the same thing with the groups.

I've configured sites-enabled/default like this:

authorize {
        preprocess
        auth_log
        chap
        mschap
        digest
        suffix
        eap {
                ok = return
        }
        files
        ldap
        sql
        expiration
        logintime
        pap
        dailycounter
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
        digest
        unix
        Auth-Type LDAP {
                ldap
        }
        eap
}

preacct {
        preprocess
        acct_unique
        suffix
        files
}

accounting {
        detail
        sql
}

session {
        radutmp
}

post-auth {
        ldap
        exec
        Post-Auth-Type REJECT {
                # log failed authentications in SQL, too.
                attr_filter.access_reject
        }
}

pre-proxy {
}

post-proxy {
        eap
}

radiusd.conf like this:

prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

name = freeradius

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = freerad
group = freerad

max_request_time = 30
cleanup_delay = 5
max_requests = 1024

listen {
        type = auth
        ipaddr = *
        port = 0
}

listen {
        ipaddr = *
        port = 0
        type = acct
}

hostname_lookups = no
allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log {
        destination = files
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}

modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
        $INCLUDE sql.conf
        $INCLUDE sql/mysql/counter.conf
}

instantiate {
        exec
        expr
        expiration
        logintime
}

and sql.conf:

sql {
        database = mysql
        driver = rlm_sql_${database}
        server = localhost
        #port = 3306
        login = radius
        password = <removed>
        radius_db = radius
        acct_table1 = radacct
        acct_table2 = radacct
        postauth_table = radpostauth
        authcheck_table = radcheck
        authreply_table = radreply
        groupcheck_table = radgroupcheck
        groupreply_table = radgroupreply
        usergroup_table = radusergroup
        deletestalesessions = yes
        sqltrace = no
        sqltracefile = ${logdir}/sqltrace.sql
        num_sql_socks = 5
        connect_failure_retry_delay = 60
        lifetime = 0
        max_queries = 0
        nas_table = nas
        $INCLUDE sql/${database}/dialup.conf
        $INCLUDE sql/${database}/counter.conf
}

Any help is really welcome. Thanks, and sorry if I couldn't explain myself properly; please correct me.
Re: Groups in active directory and checks in MySQL
Atomikramp wrote:
> I'm in a situation now where i can successfully retrieve group membership of users in the active directory LDAP tree using rlm_ldap, and check them against files.

  OK.

> so if i have a user with memberOf attribute set to groupA and i set in the raddb/users the following entry:
> DEFAULT Ldap-Group == groupA, Auth-Type := Reject
>         Reply-Message = "Not Allowed."
> i successfully deny access to that user.

  That should map directly to the SQL tables.

> Since i'm already using MySQL for storing accounting informations i was really interested in being able to use the same backend (mysql) also for performing checks against groups.
> If i perform checks against usernames using the table radcheck they work properly (users retrieved from the LDAP backend), i've tried setting a radcheck like the following:
> userA Max-Daily-Session := 7200
> and after 2 hours the user is unable to authenticate to the NAS because the time allowed has expired.
> But i cant seem to be able to do the same thing with the groups.

  Post the debug output. And what do you have in SQL?

> i've configured sites-enabled/default like this:

  Note that the FAQ, README, man pages, and web pages ALL say to post the debug output. We really don't care about the configuration. It doesn't show what happens when the server receives a request.

  Alan DeKok.
Re: Groups in active directory and checks in MySQL
On 23/08/2013 21:31, Alan DeKok wrote:
> Post the debug output. And what do you have in SQL?

Hello, thanks for your reply and apologies for the mistake. Unfortunately (depending on the point of view), since it's the weekend I won't be able to post any debug log till Monday, as I didn't bring the server home for the weekend nor do I have a VPN to the work site :)

'Till then, again, thank you very much for the reply and support.

Sincerely
Francesco