(RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group

Gavin Norman gavin.norman at europcar.com.au
Mon May 21 01:44:13 CDT 2007


I managed to get this working using a PostSearchHook:

The relevant handler:

<Handler Realm=my.realm>
	Description <LDAP group to check for>
	AuthBy AuthByLDAP
</Handler>

And the PostSearchHook:

#!/usr/bin/env perl
# Radiator PostSearchHook: accept only users whose AD memberOf contains a
# group whose CN equals the Handler's Description (e.g. "VPN Remote Access").
sub
{
	# PostSearchHook arguments: the AuthBy LDAP2 object, the user name, the
	# current request, the User object, the Net::LDAP::Entry that was found
	# and the reply packet.
	my ($self, $name, $p, $user, $entry, $rp) = @_;

	# memberOf is multi-valued; each value is the full DN of one group.
	my @grps = $entry->get_value("memberOf");
	my $acc = 0;

	# The group to require is taken from the Handler's Description.
	my $grp_desc = Radius::Util::format_special("%{Handler:Description}", $p, $rp);

	foreach my $grp (@grps)
	{
		# Reduce the DN to the group's CN: drop everything from the first
		# comma onwards (OU=...,DC=...), then the leading "CN=".
		# Note this matches a group of that name in any container.
		$grp =~ s/,.*$//;
		$grp =~ s/^\s*CN=//i;

		if ($grp eq $grp_desc)
		{
			$acc = 1;
		}
	}

	if ($acc)
	{
		$self->log($main::LOG_DEBUG, "LDAP Access-Accepted", $p);
	}
	else
	{
		$self->log($main::LOG_ERR, "LDAP Access-Rejected", $p);
		# Add a check item that can never be satisfied, so Radiator
		# rejects the request.
		$user->get_check->add_attr("Encrypted-Password", "**nevermatch-");
	}
}

Cheers,

Gavin Norman
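The hook in the post reduces each memberOf value to its CN and compares that string with the Handler Description. The following is an added example, not code from the post or from Radiator, that performs the same membership decision stand-alone on constructed memberOf values (using the placeholder domain from the thread) and contrasts the CN-only comparison with one on the full group DN: a group named "VPN Remote Access" in a different OU satisfies the first but not the second. The DN splitting honours RFC 4514 backslash escapes so a value containing a comma is not cut in two, and an empty memberOf fails closed.

```python
"""Active Directory group check on memberOf values.

Added example, not code from the Radiator post or from Radiator itself.
It shows the check the PostSearchHook above performs, done on the full
group DN instead of its CN alone, and why that matters.
"""


def split_dn(dn):
    """Split a DN into its RDN strings at unescaped commas.

    A backslash escapes the next character (RFC 4514), so a value such as
    "Smith\\, John" stays inside one RDN instead of being split in two.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if c == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def normalize_dn(dn):
    """Canonical form for comparison: attribute types and values lowercased
    (AD compares DNs case-insensitively) and whitespace around '=' dropped."""
    rdns = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def cn_of(dn):
    """Value of the leading CN RDN, or None if the DN does not start with CN=."""
    attr, _, value = split_dn(dn)[0].partition("=")
    return value.strip() if attr.strip().lower() == "cn" else None


def is_member_by_cn(member_of, required_cn):
    """The post's approach: compare only the group's CN."""
    return any((cn_of(g) or "").lower() == required_cn.lower() for g in member_of)


def is_member_by_dn(member_of, required_group_dn):
    """Compare the whole group DN; an empty or missing memberOf fails closed."""
    want = normalize_dn(required_group_dn)
    return any(normalize_dn(g) == want for g in member_of)


# Constructed sample data using the placeholder domain from the thread.
REQUIRED_GROUP = "CN=VPN Remote Access,OU=Groups,DC=my,DC=domain,DC=com,DC=au"

# A user who is in the intended group (AD may return DNs in mixed case).
MEMBER_OF_OK = [
    "CN=Domain Users,CN=Users,DC=my,DC=domain,DC=com,DC=au",
    "cn=VPN Remote Access,ou=Groups,dc=my,dc=domain,dc=com,dc=au",
]

# A user who is only in a same-named group that lives in another OU.
MEMBER_OF_LOOKALIKE = [
    "CN=VPN Remote Access,OU=Contractors,DC=my,DC=domain,DC=com,DC=au",
]


if __name__ == "__main__":
    for label, groups in (("intended", MEMBER_OF_OK), ("lookalike", MEMBER_OF_LOOKALIKE)):
        print(label,
              "cn-only:", is_member_by_cn(groups, "VPN Remote Access"),
              "full-dn:", is_member_by_dn(groups, REQUIRED_GROUP))
```

In a Radiator deployment the equivalent of `is_member_by_dn` would compare each memberOf value against the full group DN configured for the Handler rather than against a bare CN, so that only the one intended group grants access.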

-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of Hugh Irvine
Sent: Wednesday, 9 May 2007 6:29 PM
To: Chris Rosan
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) LDAP Auth against Microsoft AD - limiting access by AD Group


Hello Chris -

I suggest you add "Debug 255" to the AuthBy LDAP2 clause so you can see the LDAP debugging.

Please send me the configuration file and the trace 4 debug showing both the AuthAttrDef attempt and the SearchFilter attempt.

regards

Hugh



On 9 May 2007, at 13:49, Chris Rosan wrote:

> Hugh, this is what the relevant section looks like:
>
> <AuthBy LDAP2>
>     Identifier AuthByLDAP
>
>     Host ldaphost
>     HoldServerConnection
>     Timeout 4
>     Port 3268
>
>     AuthDN cn=Auth Account,cn=Users,dc=my,dc=domain,dc=com,dc=au
>     AuthPassword    authpass
>     BaseDN          ou=Users,dc=my,dc=domain,dc=com,dc=au
>     ServerChecksPassword
>
>     UsernameAttr sAMAccountName
>     AuthAttrDef memberOf,"VPN Remote Access",check
>    #SearchFilter (&(memberOf=CN=VPN Remote Access,OU=Groups,DC=my,DC=domain,DC=com,DC=au))
> </AuthBy>
>
> <Handler NAS-IP-Address=192.168.0.1,Realm=my.domain.com.au>
>     RewriteUsername s/\@my\.domain\.com\.au//
>     RewriteUsername tr/./ /
>     AuthBy AuthByLDAP
> </Handler>
>
> Regardless of the group membership this will authenticate. I've
> attempted this with a search filter also, with the same result.
>
> Chris
> This e-mail and any files attached to it are confidential and
> intended solely for the use of the individual or entity to
> whom they are addressed. If you have received this e-mail
> inadvertently or you are not the intended recipient, you may
> not distribute, copy or in any way rely on it. Further, you
> should notify the sender immediately and delete the e-mail
> from your computer. The contents and opinions contained in
> this e-mail are those of the individual sender unless they
> are expressly stated to be those of Europcar. Whilst we have
> taken precautions to alert us to the presence of computer
> viruses, we cannot and do not guarantee that this email and
> any files transmitted with it are free from such viruses.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

