[RADIATOR] Mapping AD groups to TACACS+ groups

Alexander Hartmaier alexander.hartmaier at t-systems.at
Fri Oct 8 12:18:32 CDT 2010


We have the same need and I've written some hooks that do what you want.
We have multiple Radiator instances proxying TACACS+ requests to our central instance via RADIUS.
We use the OSC-Group-Identifier RADIUS attribute for the tacacsgroup on the outer instances and build the LDAP DN from it on the central instance, storing it in an attribute not contained in the dictionary, called OSC-Group-Identifier-LDAP.

Put this in the Handler that contains the AuthBy LDAP2:

PreAuthHook file:"%D/create-osc-group-identifier-ldap.pl"

And this in your AuthBy LDAP2 section:
AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check

Create a file in your Radiator directory called create-osc-group-identifier-ldap.pl with the following contents:

# Transforms OSC-Group-Identifier into the LDAP group DN and stores it in
# another attribute (OSC-Group-Identifier-LDAP), which the AuthBy LDAP2
# then compares against memberOf via the AuthAttrDef ... check line.
sub {
    my $p = ${$_[0]};    # reference to the current request

    my $group = $p->get_attr('OSC-Group-Identifier');
    return unless $group;    # nothing to map if the attribute is absent

    # That's the current LDAP group name:
    # CN=SUPPORT_OUR.GROUP.NAME,OU=_Groups,DC=our,DC=company,DC=at
    $group = "CN=SUPPORT_$group,OU=_Groups,DC=our,DC=company,DC=at";

    &main::log($main::LOG_DEBUG, "OSC-Group-Identifier-LDAP = $group");

    # change_attr replaces an existing value or adds the attribute
    $p->change_attr('OSC-Group-Identifier-LDAP', $group);

    return;
}

You can verify that the hook is syntactically OK by running perl -c $filename.

HTH



--
Regards, Alex




On Tuesday, 28.09.2010, 02:00 +0200, Hugh Irvine wrote:


Hello Waldemar -

If you already know the group from the SearchFilter query, you can just use an AddToReply like this:


###############################################
        <AuthBy LDAP2>
                Identifier ASA-Admin

                Host            w3kvm.adtest.corporate.net
                HoldServerConnection

                AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
                AuthPassword    XXXXX
                BaseDN          dc=adtest,dc=corporate,dc=net
                ServerChecksPassword
                UsernameAttr sAMAccountName

                SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))

                AddToReply tacacsgroup = ASAADMINS

                Debug 255
        </AuthBy>
###############################################
<ServerTACACSPLUS>


regards

Hugh


On 27 Sep 2010, at 18:40, W.Siebert at t-systems.com wrote:

> Hello,
>
> I am trying to implement the mapping of AD groups to TACACS+ groups.
>
> With AuthAttrDef memberOf,tacacsgroup,reply the complete LDAP string is delivered:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> My question: is it possible to strip all the unnecessary parts to deliver "ASAADMINS" only to tacacsgroup?
>
> I read the manual and mailing list diligently, but did not get any wiser.
>
> Thanks for your help
>
>
>
> Here an extract of my config:
> ###############################################
>         <AuthBy LDAP2>
>                 Identifier ASA-Admin
>
>                 Host            w3kvm.adtest.corporate.net
>                 HoldServerConnection
>
>                 AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
>                 AuthPassword    XXXXX
>                 BaseDN          dc=adtest,dc=corporate,dc=net
>                 ServerChecksPassword
>                 UsernameAttr sAMAccountName
>
>                 SearchFilter (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
>
>                 AuthAttrDef memberOf,tacacsgroup,reply
>
>                 Debug 255
>         </AuthBy>
> ###############################################
> <ServerTACACSPLUS>
>          GroupMemberAttr tacacsgroup
>
>                 AuthorizeGroup ASAADMINS permit service=shell cmd=show cmd-arg=.*
>                 AuthorizeGroup group1 deny .*
> .....................
> </ServerTACACSPLUS>
> ###############################################
>
> Here an extract of my Log:
>
>
> Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
> Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  ,|C<229><152><134><142>p? U<154>qSk<191>
> Attributes:
>         tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0, 1234, 79
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump: c1020200000004d20000004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
> Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body: 0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368656c6c636d643d73686f77636d642d6172673d686f737431
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization REQUEST 6, 0, 2, 0, aduser01 at admins.realm, 123, testclient, 3, service=shell cmd=show cmd-arg=host1
> Sun Sep 26 19:27:09 2010: INFO: Authorization denied for aduser01 at admins.realm, group CN=ASAADMINS,DC=adtest,DC=corporate,DC=net. No matching AuthorizeGroup rule for args service=shell cmd=show cmd-arg=host1
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authorization RESPONSE 16, denied, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection disconnected from 10.11.11.2:1786
>
>
> Kind regards
> Waldemar Siebert
>
> T-Systems International GmbH
> Corporate Customers
> Telecommunications Services & Solutions (TSS)
> Technical Engineering (TSS TE) - Security, Production Engineering & Lab
> Dipl.-Ing. Waldemar Siebert
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?



T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
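An added example for the question that started this thread (not code from any of the posters or from Radiator itself): instead of stripping a memberOf DN down to its CN and trusting that, the hook below maps the full group DN to a short tacacsgroup value, so that a group which merely happens to be called ASAADMINS in another OU grants nothing once the SearchFilter is widened to cover several groups. cn_from_dn still answers the literal "strip everything but ASAADMINS" request and undoes RFC 4514 escaping (\, and \2C), which a plain split on commas gets wrong. The DNs in the map, the sample memberOf values and the Radiator calling convention noted in the comments are assumptions; the script runs stand-alone with perl.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Radiator. Turns the memberOf
# DNs that "AuthAttrDef memberOf,tacacsgroup,reply" copies into the reply into
# short tacacsgroup values keyed on the full DN, not on the bare CN.
use strict;
use warnings;

# Exact group DN (lower-cased) -> TACACS+ group name. Only listed groups can
# ever reach ServerTACACSPLUS. DNs below are assumptions for the example.
my %DN_TO_TACACSGROUP = (
    lc('CN=ASAADMINS,DC=adtest,DC=corporate,DC=net')         => 'ASAADMINS',
    lc('CN=NETOPS,OU=_Groups,DC=adtest,DC=corporate,DC=net') => 'group1',
);

# Value of the leading CN= RDN of a DN with RFC 4514 escaping undone
# (\, \+ \" \\ \; \# \= etc. and \XX hex pairs). undef if the DN does
# not start with CN=.
sub cn_from_dn {
    my ($dn) = @_;                      # $dn is a copy; we consume it
    return undef unless defined $dn && $dn =~ s/\A\s*cn=//i;
    my $value = '';
    while (length $dn) {
        my $c = substr($dn, 0, 1, '');  # pop one character
        if ($c eq '\\') {
            if ($dn =~ s/\A([0-9A-Fa-f]{2})//) {
                $value .= chr hex $1;             # \2C -> ','
            } else {
                $value .= substr($dn, 0, 1, '');  # \,  -> ','
            }
        } elsif ($c eq ',' || $c eq '+') {
            last;                                 # unescaped: RDN ends here
        } else {
            $value .= $c;
        }
    }
    return $value;
}

# memberOf DNs -> distinct tacacsgroup values in input order.
# Unmapped groups are dropped, never passed through.
sub map_groups {
    my @dns = @_;
    my (%seen, @groups);
    for my $dn (@dns) {
        my $g = $DN_TO_TACACSGROUP{ lc $dn };
        push @groups, $g if defined $g && !$seen{$g}++;
    }
    return @groups;
}

# Body for a Radiator PostAuthHook. Assumed from the Radiator reference
# manual (not verified here): the hook gets references to the request, the
# reply and the result code; get_attr in list context returns every instance
# of an attribute; delete_attr and add_attr exist on the reply object.
sub post_auth_hook {
    my ($p, $rp, $result) = (${$_[0]}, ${$_[1]}, ${$_[2]});
    return unless $result == $main::ACCEPT;

    my @dns = $rp->get_attr('tacacsgroup');   # one per memberOf value
    $rp->delete_attr('tacacsgroup');
    $rp->add_attr('tacacsgroup', $_) for map_groups(@dns);

    for my $dn (@dns) {
        next if defined $DN_TO_TACACSGROUP{ lc $dn };
        my $cn = cn_from_dn($dn);
        &main::log($main::LOG_DEBUG,
            'tacacsgroup: dropping unmapped group ' . (defined $cn ? $cn : $dn));
    }
    return;   # no tacacsgroup left => no AuthorizeGroup rule matches => deny
}

# Constructed sample input for the stand-alone run.
my @member_of = (
    'CN=ASAADMINS,DC=adtest,DC=corporate,DC=net',
    'CN=Ops\, Network,OU=_Groups,DC=adtest,DC=corporate,DC=net',  # escaped comma
    'CN=ASAADMINS,OU=Contractors,DC=adtest,DC=corporate,DC=net',  # same CN, other OU
);
my @groups = map_groups(@member_of);
print "tacacsgroup = $_\n" for @groups;                  # only ASAADMINS
die 'mapping mismatch'  unless "@groups" eq 'ASAADMINS';
die 'CN parse failed'   unless cn_from_dn($member_of[1]) eq 'Ops, Network';
die 'hex escape failed' unless cn_from_dn('CN=a\2Cb,DC=x') eq 'a,b';
```

To install it, put the body of post_auth_hook into an anonymous `sub { ... }` as the last expression of a file (the same shape as the PreAuthHook above) and reference that file with PostAuthHook in the Handler that holds the AuthBy LDAP2; leave GroupMemberAttr tacacsgroup in ServerTACACSPLUS as in the original config. A user whose groups all map to nothing ends up with no tacacsgroup at all, which the log in this thread shows is handled as "No matching AuthorizeGroup rule" and denied.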

