[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?

Jennifer Mehl jmehl at physics.ucsb.edu
Mon Apr 26 18:55:02 CDT 2010


Here is my debug log:

Mon Apr 26 16:51:07 2010: DEBUG: Handling with Radius::AuthLDAP2: BY_UCSB_LDAP
Mon Apr 26 16:51:07 2010: INFO: Attempting to bind to LDAP server directory.ucsb.edu:636
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got result for ucsbcampusid=a313b430-03be-11d8-8ba0-0003472a8354, o=UCSB
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbaffiliation: employee
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcampusid: a313b430-03be-11d8-8ba0-0003472a8354
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got givenName: Jennifer
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got sn: Mehl
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got objectClass: top person ucsbperson ctcaluser
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got uid: jennifer_mehl
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got cn: Jennifer L Mehl
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcufn: Jennifer
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got displayName: Mehl, Jennifer
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got mail: jmehl at physics.ucsb.edu
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbdepartment: Physics
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got title: Sr. Systems Administrator
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbemailbusiness1: jmehl at physics.ucsb.edu
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got telephoneNumber: 805-893-8366
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got registeredAddress: 9530
Mon Apr 26 16:51:07 2010: DEBUG: LDAP got initials: L
Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 looks for match with jennifer_mehl [jennifer_mehl]
Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : jennifer_mehl [jennifer_mehl]
Mon Apr 26 16:51:07 2010: DEBUG: AuthBy LDAP2 result: ACCEPT, 


I'd like to be able to filter on the mail attribute containing 'physics.ucsb.edu' or a few other individual .ucsb.edu subdomains.

thanks,
Jennifer


On Apr 26, 2010, at 4:11 PM, Hugh Irvine wrote:

> 
> Hello Jennifer -
> 
> If you add "Debug 255" to your AuthBy LDAP2 clause, then run radiusd from the command line, we will be able to see everything that comes back from the LDAP query.
> 
> You should do this in the lab, and once we see what we are dealing with we can decide how best to proceed.
> 
> In general, you just need to use a SearchFilter to define a suitable query, rather than AuthAttrDef which operates on the contents of the incoming request.
> 
> See section 5.36.15 in the Radiator 4.6 reference manual ("doc/ref.pdf").
> 
> 
> 5.36.15 SearchFilter
> 
> Normally, the search filter that is used to find a matching user name is
> 
> (uid=name)
> 
> where uid is the name of the LDAP attribute defined by the UsernameAttr parameter, and name is the name of the user currently being authenticated. For advanced applications, you can completely alter the search filter that Radiator will use by using the optional SearchFilter parameter. It allows you to use arbitrarily complicated LDAP search filters to select or exclude users based on attributes other than their user name. Special formatting characters are permitted, and %0 is replaced by UsernameAttr and %1 by the user name. For example, this SearchFilter will only match users with the appropriate setting of their ‘current’ attribute:
> 
> SearchFilter (&(current=1)(uid=%1))
> 
> In SearchFilter, you can use any special formatting character. For backwards compatibility, perl variables used to be interpolated, but this has been removed. The default setting for SearchFilter is ‘(%0=%1)’, which will match the user name against the LDAP attribute defined by the UsernameAttr parameter (usually ‘uid’). Therefore the default search string is (uid=name).
> 
> 
> regards
> 
> Hugh
> 
> 
> On 27 Apr 2010, at 08:39, Jennifer Mehl wrote:
> 
>> Hi there,
>> 
>> I'm using the AUTHBYLDAP2 to do simple authentication to our campus LDAP directory for VPN services.  It is working fine so far.
>> 
>> I'd like to further limit access to this VPN service to authenticated users with particular email domains in their mail LDAP attribute.  There are to be 4 different "allowed" email domains.
>> 
>> How do I best do this?  I believe I need to use AuthAttrDef and look for the mail LDAP attribute, but not sure exactly how to accept the authentication if the correct email domain exists, and deny if the attribute is empty or contains any other domain.
>> 
>> I'm using RADIATOR 4.0 on Linux.
>> 
>> 
>> Here is the relevant part of radius.cfg:
>> 
>> <Handler>
>>       # strip realm
>>       RewriteUsername s/^([^@]+).*/$1/
>>       # lowercase
>>       RewriteUsername tr/A-Z/a-z/
>>       AuthByPolicy ContinueUntilAccept
>>       AuthBy BY_FILE
>>       AuthBy BY_UCSB_LDAP
>> </Handler>
>> 
>> 
>> Here is my relevant AUTHBYLDAP2 clause:
>> 
>> #UCSB LDAP Directory 
>> <AuthBy LDAP2>
>>               Identifier      BY_UCSB_LDAP
>>               include /etc/radiator/ucsbldap.cfg
>> </AuthBy LDAP2>
>> 
>> 
>> Here is ucsbldap.cfg:
>> 
>> 
>> Host                    directory.ucsb.edu
>> BaseDN                  o=ucsb
>> UsernameAttr            uid
>> PasswordAttr            userPassword
>> ServerChecksPassword
>> FailureBackoffTime 10
>> 
>> 
>> # You can enable debugging of the Net::LDAP
>> # module with this:
>> Debug 255
>> 
>> UseSSL
>> SSLCAFile       /usr/share/ssl/cert.pem
>> SSLVerify       require
>> 
>> 
>> 
>> Thanks for any assistance!
>> 
>> --Jennifer
>> 
>> 
>> ==================================
>> Jennifer L. Mehl
>> Senior Systems Administrator
>> University of California, Santa Barbara
>> Physics Computing Services
>> mailto:jmehl at physics.ucsb.edu
>> (805) 893-8366, ext 2 (work)
>> ...also rings when working from home
>> Skype:ucsb.physics.mehl_j
>> (805) 451-7486 (cell)
>> ==================================
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.

==================================
Jennifer L. Mehl
Senior Systems Administrator
University of California, Santa Barbara
Physics Computing Services
mailto:jmehl at physics.ucsb.edu
(805) 893-8366, ext 2 (work)
...also rings when working from home
Skype:ucsb.physics.mehl_j
(805) 451-7486 (cell)
==================================
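As an added example (not from this thread and not Radiator's own code), this builds the SearchFilter line that Hugh's advice leads to for the "allowed email domains" case, and checks the same rule offline against constructed entries shaped like the debug log above. The four domain names and the sample entries are assumptions; the only attribute name taken from the thread is `mail`.

```python
# Added example (not from this thread or Radiator): build the Radiator
# SearchFilter that restricts the LDAP lookup to users whose mail attribute
# carries one of the allowed domains, and check the same rule offline.
from typing import Dict, Iterable, List

# Hypothetical allowed domains; replace with the four real ones.
ALLOWED_DOMAINS = ["physics.ucsb.edu", "chem.ucsb.edu",
                   "math.ucsb.edu", "engr.ucsb.edu"]

def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a domain cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29")
                 .replace("\x00", "\\00"))

def search_filter(domains: Iterable[str], mail_attr: str = "mail") -> str:
    """Radiator SearchFilter line: %0 -> UsernameAttr, %1 -> user name.
    The leading '*@' anchors the match at the '@', so 'notphysics.ucsb.edu'
    does not slip through as it would with a bare '*physics.ucsb.edu'."""
    alts = "".join(f"({mail_attr}=*@{ldap_escape(d)})" for d in domains)
    return f"SearchFilter (&(%0=%1)(|{alts}))"

def entry_allowed(entry: Dict[str, List[str]], username: str,
                  domains: Iterable[str]) -> bool:
    """Offline check with the same semantics as the filter above: the uid must
    match and at least one mail value must end in '@<allowed domain>'.
    A missing or empty mail attribute never matches, which is exactly the
    'deny if the attribute is empty or holds another domain' behaviour."""
    if username.lower() not in (u.lower() for u in entry.get("uid", [])):
        return False
    wanted = tuple("@" + d.lower() for d in domains)
    return any(m.lower().endswith(wanted) for m in entry.get("mail", []))

# Constructed sample entries in the shape of the debug log above.
SAMPLE_ENTRIES = [
    {"uid": ["jennifer_mehl"], "mail": ["jmehl@physics.ucsb.edu"]},
    {"uid": ["other_user"],    "mail": ["other@notphysics.ucsb.edu"]},
    {"uid": ["no_mail_user"]},
]

if __name__ == "__main__":
    print(search_filter(ALLOWED_DOMAINS))
    for e in SAMPLE_ENTRIES:
        print(e["uid"][0], entry_allowed(e, e["uid"][0], ALLOWED_DOMAINS))
```

Radiator substitutes %0 and %1 itself at query time; the escaping here only protects the domain list pasted into the config. Note the filter consults `mail` only, not the separate `ucsbemailbusiness1` attribute seen in the log.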