Re: Groups in active directory and checks in MySQL

2013-08-26 Thread Atomikramp
Hello,

Sorry for the top quoting, but I'm using a webmail for replying which is
really crap.

Accordingly, I'm posting here the debug log of a radtest.

The authentication gets rejected because the group matches in the
raddb/users with the following expression:

DEFAULT Ldap-Group == fax, Auth-Type := Reject

I've tried commenting it out and adding this to MySQL in the table
radgroupcheck:

table: radgroupcheck
Groupname: fax
Attribute: Auth-Type
op: :=
Value: Reject

But it's not giving the same result: the check against SQL is ignored and
the user is authed successfully.

Here is the debug log:


rad_recv: Access-Request packet from host 127.0.0.1 port 45195, id=232, length=57
	User-Name = sogo1
	User-Password = userpassword
	NAS-IP-Address = 192.168.4.82
	NAS-Port = 80
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20130826
[auth_log] expand: %t -> Mon Aug 26 07:56:19 2013
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = sogo1, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files] expand: dc=plutone,dc=local -> dc=plutone,dc=local
[files] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> sogo1
[files] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
  [ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (&(cn=fax)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=sogo1,CN=Users,DC=plutone,DC=local, with filter (objectclass=*)
  [ldap] performing search in CN=Fax,CN=Users,DC=plutone,DC=local, with filter (cn=fax)
rlm_ldap::ldap_groupcmp: User found in group fax
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 205
++[files] returns ok
[ldap] performing user authorization for sogo1
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> sogo1
[ldap] expand: (sAMAccountName=%{Stripped-User-Name:-%{User-Name}}) -> (sAMAccountName=sogo1)
[ldap] expand: dc=plutone,dc=local -> dc=plutone,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=plutone,dc=local, with filter (sAMAccountName=sogo1)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user sogo1 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[sql] expand: %{User-Name} -> sogo1
[sql] sql_set_user escaped user --> 'sogo1'
rlm_sql (sql): Reserving sql socket id: 1
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'sogo1' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname

Re: Groups in active directory and checks in MySQL

2013-08-26 Thread Phil Mayers

On 08/26/2013 09:04 AM, Atomikramp wrote:

> but it's not giving the same result, the check against sql is ignored
> and the user is authed successfully.

Because:

> [sql] User sogo1 not found
> ++[sql] returns notfound



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
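Phil's two debug lines are the whole answer, and the SQL side of them can be reproduced offline. The following is an added example written for this page, not code from the thread or from FreeRADIUS: it loads the radgroupcheck row described in the post above (Groupname fax, Auth-Type := Reject) into an in-memory SQLite database and runs the two queries the debug log shows rlm_sql expanding (the radcheck and radusergroup lookups), followed by a radgroupcheck lookup whose shape is assumed to match the stock dialup.conf. The `sql_authorize` function is a simplified stand-in for the module's lookup order, not rlm_sql itself, and the radusergroup row for sogo1 used in the second scenario is constructed, since in the thread sogo1 has no SQL rows at all.

```python
import sqlite3

# Constructed schema: the three tables named in the thread's sql.conf
# (authcheck_table, usergroup_table, groupcheck_table), reduced to the
# columns the queries below touch.
SCHEMA = """
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, username TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radusergroup  (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""

# The radgroupcheck row from the post: Groupname fax, Auth-Type := Reject.
GROUPCHECK_ROW = ("fax", "Auth-Type", ":=", "Reject")

# Constructed membership row for the second scenario (not present in the thread).
SOGO1_MEMBERSHIP = ("sogo1", "fax", 1)

# The first two queries are the ones the debug log shows rlm_sql expanding;
# the third is assumed to follow the stock dialup.conf group check query.
CHECK_QUERY = ("SELECT id, username, attribute, value, op FROM radcheck "
               "WHERE username = ? ORDER BY id")
GROUPMEMB_QUERY = ("SELECT groupname FROM radusergroup "
                   "WHERE username = ? ORDER BY priority")
GROUPCHECK_QUERY = ("SELECT id, groupname, attribute, value, op FROM radgroupcheck "
                    "WHERE groupname = ? ORDER BY id")


def open_db(with_membership=False):
    """Build the in-memory database; optionally add the constructed radusergroup row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO radgroupcheck (groupname, attribute, op, value) VALUES (?, ?, ?, ?)",
               GROUPCHECK_ROW)
    if with_membership:
        db.execute("INSERT INTO radusergroup VALUES (?, ?, ?)", SOGO1_MEMBERSHIP)
    return db


def sql_authorize(db, username):
    """Simplified stand-in for rlm_sql's authorize lookup order: per-user check
    items, then group memberships, then the check items of each group.
    Returns (found, check_items); check_items is a list of (attribute, op, value)."""
    user_rows = db.execute(CHECK_QUERY, (username,)).fetchall()
    check_items = [(attr, op, val) for _id, _user, attr, val, op in user_rows]

    groups = [g for (g,) in db.execute(GROUPMEMB_QUERY, (username,))]
    for group in groups:
        group_rows = db.execute(GROUPCHECK_QUERY, (group,)).fetchall()
        check_items += [(attr, op, val) for _id, _grp, attr, val, op in group_rows]

    # No per-user rows and no memberships: this is the "User sogo1 not found"
    # case in the debug log, and radgroupcheck was never queried at all.
    found = bool(user_rows) or bool(groups)
    return found, check_items


def reproduce_thread():
    """Run both scenarios: sogo1 as in the thread (LDAP only), then with the constructed membership row."""
    return {
        "ldap_only": sql_authorize(open_db(), "sogo1"),
        "with_membership": sql_authorize(open_db(with_membership=True), "sogo1"),
    }


if __name__ == "__main__":
    for name, (found, items) in reproduce_thread().items():
        print(f"{name}: found={found} check_items={items}")
```

With no radcheck or radusergroup rows the lookup returns nothing, which is the `User sogo1 not found` / `returns notfound` pair in the log; the radgroupcheck row is never reached because group check items are only read for groups the radusergroup query returns. Only the constructed membership row makes the Auth-Type := Reject check item visible. The real module goes on to apply the check items it finds and to read the group reply rows; the example stops at the lookup, which is where the thread's problem is.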


Re: Groups in active directory and checks in MySQL

2013-08-26 Thread Atomikramp
So, basically, if I didn't understand incorrectly, the user must also exist
in the SQL database for it to be checked against the radgroupcheck table and
for attributes in the radreply table to be sent back to the NAS.

A hybrid configuration cannot be done?

As my schema, being an Active Directory, is pretty strict and I can't modify
it without the risk of screwing it up; and even if I could mess with the
schema, groupcheck when LDAP is involved, in all examples I've seen, has
always been done using the file backend (raddb/users).

It would be really useful for me to be able to populate the groupcheck and
radgroupreply tables with the parameters I need, and keep the user
authentication in LDAP.




Groups in active directory and checks in MySQL

2013-08-23 Thread Atomikramp
Hello everyone,

I know this might be considered a bizarre situation, but well... I was just
wondering if it's possible to do such a thing.

I'm in a situation now where I can successfully retrieve group membership of
users in the Active Directory LDAP tree using rlm_ldap, and check them
against files.

So if I have a user with the memberOf attribute set to groupA, and I set in
raddb/users the following entry:

DEFAULT Ldap-Group == groupA, Auth-Type := Reject
	Reply-Message = Not Allowed.

I successfully deny access to that user.

Since I'm already using MySQL for storing accounting information, I was
really interested in being able to use the same backend (MySQL) also for
performing checks against groups.

If I perform checks against usernames using the table radcheck they work
properly (users retrieved from the LDAP backend); I've tried setting a
radcheck like the following:

userA Max-Daily-Session := 7200

and after 2 hours the user is unable to authenticate to the NAS because the
time allowed has expired.

But I can't seem to be able to do the same thing with the groups.

I've configured sites-enabled/default like this:


authorize {
	preprocess
	auth_log
	chap
	mschap
	digest
	suffix
	eap {
		ok = return
	}
	files
	ldap
	sql
	expiration
	logintime
	pap
	dailycounter
}

authenticate {
	Auth-Type PAP {
		pap
	}

	Auth-Type CHAP {
		chap
	}

	Auth-Type MS-CHAP {
		mschap
	}

	digest
	unix

	Auth-Type LDAP {
		ldap
	}

	eap
}

preacct {
	preprocess
	acct_unique
	suffix
	files
}

accounting {
	detail
	sql
}

session {
	radutmp
}

post-auth {
	ldap
	exec
	Post-Auth-Type REJECT {
		# log failed authentications in SQL, too.
		attr_filter.access_reject
	}
}

pre-proxy {
}

post-proxy {
	eap
}

radiusd.conf like this:


prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log/freeradius
raddbdir = /etc/freeradius
radacctdir = ${logdir}/radacct

name = freeradius

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}

db_dir = ${raddbdir}

libdir = /usr/lib/freeradius

pidfile = ${run_dir}/${name}.pid

user = freerad
group = freerad

max_request_time = 30

cleanup_delay = 5

max_requests = 1024

listen {
	type = auth
	ipaddr = *
	port = 0
}

listen {
	ipaddr = *
	port = 0
	type = acct
}

hostname_lookups = no

allow_core_dumps = no

regular_expressions = yes
extended_expressions = yes

log {
	destination = files
	file = ${logdir}/radius.log
	syslog_facility = daemon
	stripped_names = no
	auth = no
	auth_badpass = no
	auth_goodpass = no
}

checkrad = ${sbindir}/checkrad

security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
}

proxy_requests = yes
$INCLUDE proxy.conf

$INCLUDE clients.conf

thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

modules {
	$INCLUDE ${confdir}/modules/
	$INCLUDE eap.conf
	$INCLUDE sql.conf
	$INCLUDE sql/mysql/counter.conf
}

instantiate {
	exec
	expr
	expiration
	logintime
}

and sql.conf:


sql {
	database = mysql
	driver = rlm_sql_${database}
	server = localhost
	#port = 3306
	login = radius
	password = <removed>
	radius_db = radius
	acct_table1 = radacct
	acct_table2 = radacct
	postauth_table = radpostauth
	authcheck_table = radcheck
	authreply_table = radreply
	groupcheck_table = radgroupcheck
	groupreply_table = radgroupreply
	usergroup_table = radusergroup
	deletestalesessions = yes
	sqltrace = no
	sqltracefile = ${logdir}/sqltrace.sql
	num_sql_socks = 5
	connect_failure_retry_delay = 60
	lifetime = 0
	max_queries = 0
	nas_table = nas
	$INCLUDE sql/${database}/dialup.conf
	$INCLUDE sql/${database}/counter.conf
}


Any help is really welcome.

Thanks, and sorry if I couldn't explain myself properly; please correct me.

Re: Groups in active directory and checks in MySQL

2013-08-23 Thread Alan DeKok
Atomikramp wrote:
> I'm in a situation now where I can successfully retrieve group
> membership of users in the Active Directory LDAP tree using rlm_ldap,
> and check them against files.

  OK.

> so if I have a user with memberOf attribute set to groupA
> and I set in the raddb/users the following entry:
>
> DEFAULT Ldap-Group == groupA, Auth-Type := Reject
> Reply-Message = Not Allowed.
>
> I successfully deny access to that user.

  That should map directly to the SQL tables.

> Since I'm already using MySQL for storing accounting information I was
> really interested in being able to use the same backend (mysql) also for
> performing checks against groups.
>
> If I perform checks against usernames using the table radcheck they work
> properly (users retrieved from the LDAP backend), I've tried setting a
> radcheck like the following:
> userA Max-Daily-Session := 7200
>
> and after 2 hours the user is unable to authenticate to the NAS because
> the time allowed has expired.
>
>
> But I can't seem to be able to do the same thing with the groups.

  Post the debug output.  And what do you have in SQL?

> I've configured sites-enabled/default like this:

  Note that the FAQ, README, man pages, and web pages ALL say to post
the debug output.  We really don't care about the configuration.  It
doesn't show what happens when the server receives a request.

  Alan DeKok.


Re: Groups in active directory and checks in MySQL

2013-08-23 Thread Rampage
On 23/08/2013 21:31, Alan DeKok wrote:
> Post the debug output. And what do you have in SQL?

Hello,
thanks for your reply and apologies for the mistake. Unfortunately
(depending on the point of view), since it's the weekend I won't be able to
post any debug log till Monday, as I didn't bring the server home for the
weekend, nor do I have a VPN to the work site :)

Till then, again, thank you very much for the reply and support.

Sincerely
Francesco