LDAP Post-Auth with computer names using eap-tls certs
Kevin Virk
2018-11-28 21:39:54 UTC
So I'll give a brief summary of everything I have done so far. I have set up a freeradius server to work with certs. I originally had the certs named by user name, but my company decided that computer names was the way they wanted to go. So I changed the certs to hand out the SAM account name of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down. Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am; I have this query that works in ldp.exe:

(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local))

This query returns computer names and works in ldp. Below are snippets from my conf files.
ldap module conf

 user {
        #  Where to start searching in the tree for users
        base_dn = "${..base_dn}"

        #  Filter for user objects, should be specific enough
        #  to identify a single user object.
        #
        #  For Active Directory, you should use
        #  "samaccountname=" instead of "uid="
        #
        filter = "(sAMAccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
 }

 group {
        # Where to start searching in the tree for groups
        base_dn = "${..base_dn}"

        # Filter for group objects, should match all available
        # group objects a user might be a member of.
        # filter = '(objectClass=posixGroup)'

        # Search scope, may be 'base', 'one', 'sub' or 'children'
        # scope = 'sub'

        # Attribute that uniquely identifies a group.
        # Is used when converting group DNs to group
        # names.
        # name_attribute = cn

        # Filter to find group objects a user is a member of.
        # That is, group objects with attributes that
        # identify members (the inverse of membership_attribute).
        membership_filter = "(|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))"

        # The attribute in user objects which contain the names
        # or DNs of groups a user is a member of.
        #
        # Unless a conversion between group name and group DN is
        # needed, there's no requirement for the group objects
        # referenced to actually exist.
        membership_attribute = 'member:1.2.840.113556.1.4.1941'
 }

Default site

ldap query example

ldap
if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") {
        update reply {
                &Tunnel-Type := "VLAN"
                &Tunnel-Medium-Type := "6"
                &Tunnel-Private-Group-Id := "103"
        }
}

Here is a snippet from the error in the debug output:
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5) User object found at DN "CN=ComputerName,OU=Computers,OU=Departments,DC=testDomain,DC=net"
Mon Nov 26 23:53:09 2018 : Debug: (5) Checking for user in group objects
Mon Nov 26 23:53:09 2018 : Debug: (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: Parsed xlat tree:
Mon Nov 26 23:53:09 2018 : Debug: literal --> (|(&(objectClass=computer)(member=
Mon Nov 26 23:53:09 2018 : Debug: attribute --> LDAP-UserDN
Mon Nov 26 23:53:09 2018 : Debug: literal --> )))
Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Mon Nov 26 23:53:09 2018 : Debug: (5) Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: (5) Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5) Performing search in "CN=VLAN,OU=generalgroups,OU=Departments,DC=testDomain,DC=local" with filter "(|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))", scope "sub"
Mon Nov 26 23:53:09 2018 : Debug: (5) Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5) Search returned no results
Mon Nov 26 23:53:09 2018 : Debug: (5) Checking user object's member:1.2.840.113556.1.4.1941 attributes
Mon Nov 26 23:53:09 2018 : Debug: (5) Performing unfiltered search in "CN=computerName,OU=computers,OU=Departments,DC=testDomain,DC=local", scope "base"
Mon Nov 26 23:53:09 2018 : Debug: (5) Waiting for search result...
Mon Nov 26 23:53:09 2018 : Debug: (5) No group membership attribute(s) found in user object
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Deleting connection (5) - Was referred to a different LDAP server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap: Closing libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Info: Need 3 more connections to reach min connections (3)
Mon Nov 26 23:53:09 2018 : Info: rlm_ldap (ldap): Opening additional connection (6), 1 of 32 pending slots used
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Connecting to ldap://server
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): New libldap handle 0x9cc450
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Waiting for bind result...
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Bind successful
Mon Nov 26 23:53:09 2018 : Debug: (5) User is not a member of "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
Mon Nov 26 23:53:09 2018 : Debug: (5) if (LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local") -> FALSE

I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class to group from computer, but only in the sub groups and not the larger group. Any help would be greatly appreciated.
Alan DeKok
2018-11-28 21:48:47 UTC
Post by Kevin Virk
So I'll give a brief summary of everything I have done so far. I have set up a freeradius server to work with certs. I originally had the certs named by user name, but my company decided that computer names was the way they wanted to go. So I changed the certs to hand out the SAM account name of the computer. Previously the LDAP I had set up in post-auth was working with the username, and it works with the computer name as well; however, my company has decided that the LDAP queries are too plentiful and would like to narrow them down. Let me backtrack for a second, as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize and put them into a VLAN. Like I said, this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger VLAN groups, I had to manually query for the lower-level groups instead of the overarching VLAN group, because I needed the query to return computer names, not more workstation groups. So here I am; I have this query that works in ldp.exe:
Ok...
Post by Kevin Virk
This query returns computer names and works in ldp. Below are snippets from my conf files.
ldap module conf
Please don't post the config. All of the documentation says to *not* do that. Especially this:

http://wiki.freeradius.org/list-help
Post by Kevin Virk
if(LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"){
That's not really how the LDAP-Group check operates. See the Wiki, there's documentation on this.

It's meant to check just the group name:

if (LDAP-Group == "vlan") { ...
Post by Kevin Virk
Here is a snippet from the error in the debug output.
Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server
PLEASE follow the instructions for debug output. It really is documented *everywhere*. Use "radiusd -X", and not anything else.
Post by Kevin Virk
Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
Post by Kevin Virk
I am sure that my syntax is wrong somewhere, maybe the LDAP-Group part in the ldap query? I would like to point out that it does find the group when I switch the object class to group from computer, but only in the sub groups and not the larger group. Any help would be greatly appreciated.
LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.

Alan DeKok.
Kevin Virk
2018-11-28 22:00:06 UTC
Thank you for the help Alan and I apologize for the mistakes in posting.
Post by Alan DeKok
Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
Hmm, it has been working that way with the queries, but I will change that, thank you.
Post by Alan DeKok
LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.
So if I'm understanding correctly: if a computer is set up as Computername -> Group membership -> computer security group,
and if that computer security group is part of a VLAN group, querying that VLAN group won't work because it will only return the security groups, not the workstations that are part of the security groups?

Is there no way then to query for the computers that belong in a group? Because, like I said above, this query does work and does give me back all computers in the top level group:

(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testdomain,DC=local))

Is there no way for that query above to work in freeradius?
Alan DeKok
2018-11-28 22:05:07 UTC
Post by Kevin Virk
Thank you for the help Alan and I apologize for the mistakes in posting.
Please also *edit* the posts you make. We don't need to re-read the previous message before getting to any new content.

The harder you make it for us to help you, the less likely we are to help you.
Post by Kevin Virk
Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
Hmm, it has been working that way with the queries, but I will change that, thank you.
Has it been working with FreeRADIUS? Or with a command-line tool?
Post by Kevin Virk
LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.
So if I'm understanding correctly: if a computer is set up as Computername -> Group membership -> computer security group,
and if that computer security group is part of a VLAN group, querying that VLAN group won't work because it will only return the security groups, not the workstations that are part of the security groups?
Generally, yes.
Post by Kevin Virk
Is there no way then to query for the computers that belong in a group? Because, like I said above, this query does work and does give me back all computers in the top level group:
(&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testdomain,DC=local))
That's likely an AD extension to the LDAP standard. It might not work with other LDAP servers.
Post by Kevin Virk
Is there no way for that query above to work in freeradius?
Yes. You should be able to edit the LDAP "group" configuration to set the "filter" to the correct value. Or maybe the "membership_filter".

The issue here is that FreeRADIUS is intended to work with *multiple* different LDAP servers. Adding specific magic just for AD isn't always simple.

Alan DeKok.
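To make the two behaviours in this thread concrete (the membership_filter search in the first post returning no results, and the direct-versus-nested group point in this reply), here is an added Python example; it is not code from the thread or from FreeRADIUS. It models a tiny constructed directory using the thread's DN layout with made-up entry names (PC01, Workstations), compares a direct "member=" lookup with a transitive walk of the kind the AD matching rule performs, and reproduces the filter escaping seen in the debug output. The escape set is a simplification, not rlm_ldap's own routine.

```python
# Added example (not FreeRADIUS code): constructed in-memory directory
# reproducing the nested-group failure discussed in this thread.
from collections import deque

PC_DN = "CN=PC01,OU=Computers,OU=Departments,DC=testDomain,DC=local"
WS_DN = "CN=Workstations,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"
VLAN_DN = "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"

# Constructed entries: PC01 is a direct member of Workstations only; Workstations is nested in vlan.
DIRECTORY = {
    PC_DN:   {"objectClass": "computer", "member": set()},
    WS_DN:   {"objectClass": "group",    "member": {PC_DN}},
    VLAN_DN: {"objectClass": "group",    "member": {WS_DN}},
}

def cn(dn):
    """First RDN value, i.e. the bare name LDAP-Group compares against."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def ldap_filter_escape(value):
    """Escape an assertion value before splicing it into a filter: RFC 4515 specials
    plus '=' and ',', matching the \\3d / \\2c in the debug output (simplified)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00=," else c for c in value)

def membership_filter(user_dn):
    """The string the posted membership_filter expands to for user_dn."""
    return "(|(&(objectClass=computer)(member=%s)))" % ldap_filter_escape(user_dn)

def groups_with_direct_member(user_dn, object_class):
    """What a membership_filter search returns: entries of object_class listing user_dn
    directly in 'member'. Groups are objectClass=group, so objectClass=computer never matches."""
    return sorted(cn(dn) for dn, e in DIRECTORY.items()
                  if e["objectClass"] == object_class and user_dn in e["member"])

def transitive_groups(user_dn):
    """Groups user_dn is in directly or through nesting, walked breadth-first (the visited
    list terminates cycles). This is what the AD-only memberOf:1.2.840.113556.1.4.1941:= rule evaluates."""
    found, queue = [], deque([user_dn])
    while queue:
        dn = queue.popleft()
        for gdn, e in DIRECTORY.items():
            if e["objectClass"] == "group" and dn in e["member"] and gdn not in found:
                found.append(gdn)
                queue.append(gdn)
    return sorted(cn(g) for g in found)

if __name__ == "__main__":
    print(groups_with_direct_member(PC_DN, "computer"))  # [] - "Search returned no results"
    print(groups_with_direct_member(PC_DN, "group"))     # ['Workstations'] - sub group only
    print(transitive_groups(PC_DN))                      # ['Workstations', 'vlan']
```

The "vlan" name only appears in the transitive result, which is why a direct membership_filter cannot satisfy an LDAP-Group == "vlan" check for a computer that is only in a nested group.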
Kevin Virk
2018-12-03 17:36:58 UTC
Post by Alan DeKok
Has it been working with FreeRADIUS? Or with a command-line tool?
It has been working with FreeRADIUS.
Post by Alan DeKok
That's likely an AD extension to the LDAP standard. It might not work with other LDAP servers.
Ahh yes, that makes sense, thank you very much.
Post by Alan DeKok
The issue here is that FreeRADIUS is intended to work with *multiple* different LDAP servers. Adding specific magic just for AD isn't always simple.
I believe that is what is going on here. I will just revert back to the stage where it was working!

Thank you so much Alan, as always you have been a great help.