[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?

Raphael Luta raphael.luta at aptiwan.com
Tue Apr 27 03:59:28 CDT 2010


It would probably be better written like this:

> SearchFilter (&(%0=%1)(|(mail=*@physics.ucsb.edu)(mail=*@math.ucsb.edu)(mail=*@cs.ucsb.edu)))

to avoid matching entries like myuser@fakephysics.ucsb.edu (and adding the missing final parenthesis).

Note that if you have a large LDAP database (hundreds of thousands to millions of entries), this query can be
used to severely cripple the server's performance if the user only enters '*' as his username, because the mail
clauses in the query will not use any index.

An alternate set-up would be:

Define in your dictionary:
VENDOR      UCSB        99999
VENDORATTR  99999       UCSB-Mail                      0       string


radius.cfg
<Handler>
    # strip realm
    RewriteUsername s/^([^@]+).*/$1/
    # lowercase
    RewriteUsername tr/A-Z/a-z/
    AuthByPolicy ContinueUntilAccept
    AuthBy BY_FILE
    <AuthBy GROUP>
        # both must accept: LDAP checks the password, the users file checks the domain
        AuthByPolicy ContinueWhileAccept
        AuthBy BY_UCSB_LDAP
        AuthBy CHECK_DOMAINS
    </AuthBy>
</Handler>

<AuthBy LDAP2>
    Identifier      BY_UCSB_LDAP
    include /etc/radiator/ucsbldap.cfg

    # copy the LDAP mail attribute into the request as UCSB-Mail so the
    # next AuthBy in the GROUP can check it
    AuthAttrDef mail,UCSB-Mail,request
</AuthBy>

<AuthBy FILE>
    Identifier CHECK_DOMAINS
    IgnoreAccounting
    Filename %D/allowed_groups
</AuthBy>


%D/allowed_groups
# Auth-Type is a check item: Accept skips the password check (LDAP already did it),
# Reject refuses. Entries are tried in order; indented lines are reply attributes.
DEFAULT UCSB-Mail = /@physics\.ucsb\.edu$/, Auth-Type = Accept

DEFAULT UCSB-Mail = /@math\.ucsb\.edu$/, Auth-Type = Accept

DEFAULT UCSB-Mail = /@xxxx\.ucsb\.edu$/, Auth-Type = Accept

# no allowed domain matched, or the mail attribute was empty
DEFAULT Auth-Type = Reject

The setup is more complex, but it will also give you the flexibility to set group-based RADIUS reply attributes (Session-Timeout, for example) in the allowed_groups file if you need them.

-- raphael
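The two filters above, worked through as an added example (this is not code from this thread or from Radiator): a small Python model of RFC 4515 filter matching, run against a few constructed directory entries. It shows that the '*physics.ucsb.edu' pattern also matches a look-alike domain while the '*@physics.ucsb.edu' form does not, that a filter with unbalanced parentheses or with spaces around '=' is rejected outright, and why the user name substituted for %1 needs RFC 4515 escaping: substituted raw, a user name of '*' turns (uid=%1) into (uid=*). The escaping in build_search_filter, the entries in DIRECTORY and the operator subset supported by the parser are this example's own assumptions.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value so that user-supplied text cannot change the structure of the filter.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, username_attr: str, username: str) -> str:
    """Substitute %0 (UsernameAttr) and %1 (user name) as Radiator's SearchFilter
    does, escaping %1 first.  Escaping here is this example's assumption of the
    safe behaviour, not a statement about what any Radiator version does."""
    return template.replace('%0', username_attr).replace('%1', escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s: str, pos: int = 0):
    """Recursive-descent parser.  Returns (node, next_pos); node is
    ('and'|'or'|'not', [children]) or ('item', attr, compiled_regex)."""
    if pos >= len(s) or s[pos] != '(':
        raise ValueError(f'expected "(" at offset {pos}')
    pos += 1
    if pos < len(s) and s[pos] in '&|!':
        op = {'&': 'and', '|': 'or', '!': 'not'}[s[pos]]
        pos += 1
        children = []
        while pos < len(s) and s[pos] == '(':
            child, pos = parse_filter(s, pos)
            children.append(child)
        if pos >= len(s) or s[pos] != ')':
            raise ValueError(f'unbalanced parentheses near offset {pos}')
        return (op, children), pos + 1
    end = s.find(')', pos)
    if end < 0:
        raise ValueError('missing ")"')
    attr, eq, raw = s[pos:end].partition('=')
    if not eq or not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', attr):
        raise ValueError(f'bad attribute description {attr!r} (no spaces allowed)')
    # An unescaped '*' is a wildcard, everything else is literal.  Split before
    # unescaping so that an escaped \2a stays a literal asterisk.
    pieces = [re.escape(_unescape(p)) for p in raw.split('*')]
    # 'mail' uses a case-insensitive matching rule, so compare case-insensitively.
    rx = re.compile('^' + '.*'.join(pieces) + '$', re.IGNORECASE)
    return ('item', attr.lower(), rx), end + 1


def is_well_formed(filter_str: str) -> bool:
    try:
        return parse_filter(filter_str)[1] == len(filter_str)
    except ValueError:
        return False


def matches(node, entry: dict) -> bool:
    kind = node[0]
    if kind == 'and':
        return all(matches(c, entry) for c in node[1])
    if kind == 'or':
        return any(matches(c, entry) for c in node[1])
    if kind == 'not':
        return not matches(node[1][0], entry)
    _, attr, rx = node
    return any(rx.match(v) for v in entry.get(attr, []))


def search(filter_str: str, entries: list) -> list:
    """Return the sorted uids of the entries matching the filter."""
    if not is_well_formed(filter_str):
        raise ValueError(f'malformed filter: {filter_str}')
    node, _ = parse_filter(filter_str)
    return sorted(e['uid'][0] for e in entries if matches(node, e))


# Constructed directory entries (attribute names lower-cased, values as lists).
DIRECTORY = [
    {'uid': ['jmehl'],    'mail': ['jmehl@physics.ucsb.edu']},
    {'uid': ['mathuser'], 'mail': ['mathuser@math.ucsb.edu']},
    {'uid': ['myuser'],   'mail': ['myuser@fakephysics.ucsb.edu']},
    {'uid': ['nomail'],   'mail': []},
]

# Hugh's filter (closing parenthesis added) and Raphael's '*@' version.
LOOSE = '(&(%0=%1)(|(mail=*physics.ucsb.edu)(mail=*math.ucsb.edu)(mail=*cs.ucsb.edu)))'
STRICT = '(&(%0=%1)(|(mail=*@physics.ucsb.edu)(mail=*@math.ucsb.edu)(mail=*@cs.ucsb.edu)))'


def demo() -> dict:
    return {
        # '*physics.ucsb.edu' also matches the look-alike domain ...
        'loose_myuser': search(build_search_filter(LOOSE, 'uid', 'myuser'), DIRECTORY),
        # ... '*@physics.ucsb.edu' does not
        'strict_myuser': search(build_search_filter(STRICT, 'uid', 'myuser'), DIRECTORY),
        # user name '*' escaped to '\2a': matches nobody
        'escaped_star': search(build_search_filter(STRICT, 'uid', '*'), DIRECTORY),
        # user name '*' substituted raw: (uid=*) matches every allowed-domain user
        'raw_star': search(STRICT.replace('%0', 'uid').replace('%1', '*'), DIRECTORY),
    }
```

Call demo() to see the four results side by side. The raw '*' case is the query Raphael warns about: besides forcing an unindexed substring scan on mail, an unescaped wildcard in the user-name clause turns a per-user lookup into a directory-wide one, which is why the user name must never reach the filter unescaped.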

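The allowed_groups users file from the alternate set-up, modelled offline as an added example (again not Radiator's code, and not a description of its internals): the assumed semantics are that entries are tried top to bottom and the first one whose check items all match wins, a value written /regex/ is matched as a regular expression with an optional trailing 'i' for case-insensitive matching, Auth-Type = Accept or Reject on the check line decides the result, and indented lines are reply attributes. How Radiator treats a multi-valued mail attribute copied into the request is not confirmed by the thread, so the model accepts if any value matches. The file text, the user name and the request attributes are constructed. It demonstrates the '@' and '$' anchors, the case-sensitivity caveat (domain names are case-insensitive, a regex is not unless told to be), the multi-valued case, and that an empty mail attribute falls through to the final Reject.

```python
import re

# Constructed users file: one entry per allowed domain, catch-all Reject last.
# The math entry uses /i so the two case behaviours can be compared.
ALLOWED_GROUPS = r"""
DEFAULT UCSB-Mail = /@physics\.ucsb\.edu$/, Auth-Type = Accept
        Session-Timeout = 28800
DEFAULT UCSB-Mail = /@math\.ucsb\.edu$/i, Auth-Type = Accept
        Session-Timeout = 14400
DEFAULT Auth-Type = Reject
"""


def _parse_item(text: str) -> tuple:
    attr, _, value = text.partition('=')
    return attr.strip(), value.strip()


def parse_users_file(text: str) -> list:
    """Parse 'NAME check, check ...' lines followed by indented reply lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0].isspace():               # indented: reply item of the previous entry
            entries[-1]['reply'].append(_parse_item(line))
        else:
            parts = re.split(r'\s+', line.strip(), maxsplit=1)
            rest = parts[1] if len(parts) > 1 else ''
            checks = [_parse_item(p) for p in rest.split(',') if p.strip()]
            entries.append({'name': parts[0], 'checks': checks, 'reply': []})
    return entries


def _check_matches(attr: str, pattern: str, request: dict) -> bool:
    if attr == 'Auth-Type':                 # decides the outcome, is not a condition
        return True
    values = request.get(attr, [])
    m = re.fullmatch(r'/(.*)/(i?)', pattern)
    if m:                                   # /regex/ or /regex/i (assumed syntax)
        rx = re.compile(m.group(1), re.IGNORECASE if m.group(2) else 0)
        return any(rx.search(v) for v in values)   # any value of a multi-valued attr
    return pattern in values                # plain value: exact match


def authorize(entries: list, username: str, request: dict) -> tuple:
    """Return (accepted, reply_attributes); request values are lists of strings,
    e.g. {'UCSB-Mail': ['jmehl@physics.ucsb.edu']} as set by AuthAttrDef."""
    for entry in entries:
        if entry['name'] not in ('DEFAULT', username):
            continue
        if all(_check_matches(a, v, request) for a, v in entry['checks']):
            accept = dict(entry['checks']).get('Auth-Type', 'Accept').lower() == 'accept'
            return accept, (dict(entry['reply']) if accept else {})
    return False, {}                        # no entry matched at all


def demo() -> dict:
    entries = parse_users_file(ALLOWED_GROUPS)
    cases = {
        'physics':       ['jmehl@physics.ucsb.edu'],
        'lookalike':     ['x@fakephysics.ucsb.edu'],       # '@' anchors the left side
        'suffix_attack': ['x@physics.ucsb.edu.evil.com'],  # '$' anchors the right side
        'upper_physics': ['JMehl@Physics.UCSB.EDU'],       # case-sensitive pattern: rejected
        'upper_math':    ['Someone@MATH.UCSB.EDU'],        # /i pattern: accepted
        'multi_valued':  ['x@cs.ucsb.edu', 'x@math.ucsb.edu'],
        'no_mail':       [],                               # falls through to Reject
    }
    return {name: authorize(entries, 'user', {'UCSB-Mail': mails})
            for name, mails in cases.items()}
```

The 'upper_physics' case is the one to watch in production: the campus directory may return the mail attribute in any case, so either lower-case the value before it is checked (as the Handler already does for the user name) or make the pattern case-insensitive, and test it rather than assuming.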
On 27 Apr 2010, at 03:34, Hugh Irvine wrote:

> 
> Hello Jennifer -
> 
> You will need to do some tests and check your LDAP reference material (see for example http://www.rfc-editor.org/rfc/rfc2254.txt), but something like this should work:
> 
> 
> 
> 	SearchFilter (&(%0=%1)(|(mail = *physics.ucsb.edu)(mail = *math.ucsb.edu)(mail = *cs.ucsb.edu))
> 
> 
> 
> regards
> 
> Hugh
> 
> 
> On 27 Apr 2010, at 09:55, Jennifer Mehl wrote:
> 
>> Here is my debug log:
>> 
>> Mon Apr 26 16:51:07 2010: DEBUG: Handling with Radius::AuthLDAP2: BY_UCSB_LDAP
>> Mon Apr 26 16:51:07 2010: INFO: Attempting to bind to LDAP server directory.ucsb.edu:636
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got result for ucsbcampusid=a313b430-03be-11d8-8ba0-0003472a8354, o=UCSB
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbaffiliation: employee
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcampusid: a313b430-03be-11d8-8ba0-0003472a8354
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got givenName: Jennifer
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got sn: Mehl
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got objectClass: top person ucsbperson ctcaluser
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got uid: jennifer_mehl
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got cn: Jennifer L Mehl
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcufn: Jennifer
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got displayName: Mehl, Jennifer
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got mail: jmehl@physics.ucsb.edu
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbdepartment: Physics
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got title: Sr. Systems Administrator
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbemailbusiness1: jmehl@physics.ucsb.edu
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got telephoneNumber: 805-893-8366
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got registeredAddress: 9530
>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got initials: L
>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 looks for match with jennifer_mehl [jennifer_mehl]
>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : jennifer_mehl [jennifer_mehl]
>> Mon Apr 26 16:51:07 2010: DEBUG: AuthBy LDAP2 result: ACCEPT, 
>> 
>> 
>> I'd like to be able to filter on the mail attribute containing 'physics.ucsb.edu' or a few other individual .ucsb.edu subdomains.
>> 
>> thanks,
>> Jennifer
>> 
>> 
>> On Apr 26, 2010, at 4:11 PM, Hugh Irvine wrote:
>> 
>>> 
>>> Hello Jennifer -
>>> 
>>> If you add "Debug 255" to your AuthBy LDAP2 clause, then run radiusd from the command line, we will be able to see everything that comes back from the LDAP query.
>>> 
>>> You should do this in the lab, and once we see what we are dealing with we can decide how best to proceed.
>>> 
>>> In general, you just need to use a SearchFilter to define a suitable query, rather than AuthAttrDef which operates on the contents of the incoming request.
>>> 
>>> See section 5.36.15 in the Radiator 4.6 reference manual ("doc/ref.pdf").
>>> 
>>> 
>>> 5.36.15 SearchFilter
>>> 
>>> Normally, the search filter that is used to find a matching user name is
>>> 
>>> (uid=name)
>>> 
>>> where uid is the name of the LDAP attribute defined by the UsernameAttr parameter, and name is the name of the user currently being authenticated. For advanced applications, you can completely alter the search filter that Radiator will use by using the optional SearchFilter parameter. It allows you to use arbitrarily complicated LDAP search filters to select or exclude users based on attributes other than their user name. Special formatting characters are permitted, and %0 is replaced by UsernameAttr and %1 by the user name. For example, this SearchFilter will only match users with the appropriate setting of their ‘current’ attribute:
>>> 
>>> SearchFilter (&(current=1)(uid=%1))
>>> 
>>> In SearchFilter, you can use any special formatting character. For backwards compatibility, perl variables used to be interpolated, but this has been removed. The default setting for SearchFilter is ‘(%0=%1)’, which will match the user name against the LDAP attribute defined by the UsernameAttr parameter (usually ‘uid’). Therefore the default search string is (uid=name).
>>> 
>>> 
>>> regards
>>> 
>>> Hugh
>>> 
>>> 
>>> On 27 Apr 2010, at 08:39, Jennifer Mehl wrote:
>>> 
>>>> Hi there,
>>>> 
>>>> I'm using the AUTHBYLDAP2 to do simple authentication to our campus LDAP directory for VPN services.  It is working fine so far.
>>>> 
>>>> I'd like to further limit access to this VPN service to authenticated users with particular email domains in their mail LDAP attribute.  There are to be 4 different "allowed" email domains.
>>>> 
>>>> How do I best do this?  I believe I need to use AuthAttrDef and look for the mail LDAP attribute, but not sure exactly how to accept the authentication if the correct email domain exists, and deny if the attribute is empty or contains any other domain.
>>>> 
>>>> I'm using RADIATOR 4.0 on Linux.
>>>> 
>>>> 
>>>> Here is the relevant part of radius.cfg:
>>>> 
>>>> <Handler>
>>>>     # strip realm
>>>>     RewriteUsername s/^([^@]+).*/$1/
>>>>     # lowercase
>>>>     RewriteUsername tr/A-Z/a-z/
>>>>     AuthByPolicy ContinueUntilAccept
>>>>     AuthBy BY_FILE
>>>>     AuthBy BY_UCSB_LDAP
>>>> </Handler>
>>>> 
>>>> 
>>>> Here is my relevant AUTHBYLDAP2 clause:
>>>> 
>>>> #UCSB LDAP Directory 
>>>> <AuthBy LDAP2>
>>>>             Identifier      BY_UCSB_LDAP
>>>>             include /etc/radiator/ucsbldap.cfg
>>>> </AuthBy LDAP2>
>>>> 
>>>> 
>>>> Here is ucsbldap.cfg:
>>>> 
>>>> 
>>>> Host                    directory.ucsb.edu
>>>> BaseDN                  o=ucsb
>>>> UsernameAttr            uid
>>>> PasswordAttr            userPassword
>>>> ServerChecksPassword
>>>> FailureBackoffTime 10
>>>> 
>>>> 
>>>> # You can enable debugging of the Net::LDAP
>>>> # module with this:
>>>> Debug 255
>>>> 
>>>> UseSSL
>>>> SSLCAFile       /usr/share/ssl/cert.pem
>>>> SSLVerify       require
>>>> 
>>>> 
>>>> 
>>>> Thanks for any assistance!
>>>> 
>>>> --Jennifer
>>>> 
>>>> 
>>>> ==================================
>>>> Jennifer L. Mehl
>>>> Senior Systems Administrator
>>>> University of California, Santa Barbara
>>>> Physics Computing Services
>>>> mailto:jmehl at physics.ucsb.edu
>>>> (805) 893-8366, ext 2 (work)
>>>> ...also rings when working from home
>>>> Skype:ucsb.physics.mehl_j
>>>> (805) 451-7486 (cell)
>>>> ==================================
>>>> 
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>> 
>>> 
>>> 
>>> NB: 
>>> 
>>> Have you read the reference manual ("doc/ref.html")?
>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>> Have you had a quick look on Google (www.google.com)?
>>> Have you included a copy of your configuration file (no secrets), 
>>> together with a trace 4 debug showing what is happening?
>>> 
>>> -- 
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> Includes support for reliable RADIUS transport (RadSec),
>>> and DIAMETER translation agent.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>> 
>>> 
>>> 
>>> 
>> 
> 
> 
> 

Raphael Luta
raphael.luta at aptiwan.com