[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?

Jennifer Mehl jmehl at physics.ucsb.edu
Tue Apr 27 08:15:09 CDT 2010


Thank you Hugh and Raphael for your advice.  I will give these a try  
and let you know how it goes.

--Jennifer


On Apr 27, 2010, at 1:59 AM, Raphael Luta wrote:

> It would probably be better written like this:
>
>> SearchFilter (&(%0=%1)(|(mail = *@physics.ucsb.edu)(mail = *@math.ucsb.edu)(mail = *@cs.ucsb.edu)))
>
> to avoid matching entries like myuser at fakephysics.ucsb.edu (and  
> adding the missing final parenthesis).
>
> Note that if you have a large LDAP database (hundreds of thousands to
> millions of entries), this query can be used to severely cripple the
> server performance if the user only enters '*' as his username, because
> the mail clauses in the query will not use any index.
>
> An alternate set-up would be:
>
> Define in your dictionary:
> VENDOR      UCSB        99999
> VENDORATTR  99999       UCSB-Mail                      0       string
>
>
> radius.cfg
> <Handler>
>     # strip realm
>     RewriteUsername s/^([^@]+).*/$1/
>     # lowercase
>     RewriteUsername tr/A-Z/a-z/
>     AuthByPolicy ContinueUntilAccept
>     AuthBy BY_FILE
>     <AuthBy GROUP>
>         AuthByPolicy ContinueWhileAccept
>         AuthBy BY_UCSB_LDAP
>         AuthBy CHECK_DOMAINS
>     </AuthBy>
> </Handler>
>
> <AuthBy LDAP2>
>     Identifier      BY_UCSB_LDAP
>     include /etc/radiator/ucsbldap.cfg
>
>     AuthAttrDef mail,UCSB-Mail,request
> </AuthBy>
>
> <AuthBy FILE>
>     Identifier CHECK_DOMAINS
>     IgnoreAccounting
>     Filename %D/allowed_groups
> </AuthBy>
>
>
> %D/allowed_groups
> DEFAULT 	UCSB-Mail = /@physics\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
>
> DEFAULT 	UCSB-Mail = /@math\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
>
> DEFAULT 	UCSB-Mail = /@xxxx\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
>
> DEFAULT 	
> 		Accept-Type = REJECT
>
> The setup is more complex but will also give you the flexibility to  
> set group based radius reply attributes (Session-Timeout for  
> example) if you need them in the allowed_groups file.
>
> -- raphael
>
> On 27 Apr 2010, at 03:34, Hugh Irvine wrote:
>
>>
>> Hello Jennifer -
>>
>> You will need to do some tests and check your LDAP reference
>> material (see for example http://www.rfc-editor.org/rfc/rfc2254.txt),
>> but something like this should work:
>>
>>
>>
>> 	SearchFilter (&(%0=%1)(|(mail = *physics.ucsb.edu)(mail =  
>> *math.ucsb.edu)(mail = *cs.ucsb.edu))
>>
>>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 27 Apr 2010, at 09:55, Jennifer Mehl wrote:
>>
>>> Here is my debug log:
>>>
>>> Mon Apr 26 16:51:07 2010: DEBUG: Handling with Radius::AuthLDAP2:  
>>> BY_UCSB_LDAP
>>> Mon Apr 26 16:51:07 2010: INFO: Attempting to bind to LDAP server  
>>> directory.ucsb.edu:636
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got result for  
>>> ucsbcampusid=a313b430-03be-11d8-8ba0-0003472a8354, o=UCSB
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbaffiliation: employee
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcampusid:  
>>> a313b430-03be-11d8-8ba0-0003472a8354
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got givenName: Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got sn: Mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got objectClass: top person  
>>> ucsbperson ctcaluser
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got uid: jennifer_mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got cn: Jennifer L Mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcufn: Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got displayName: Mehl,  
>>> Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got mail: jmehl at physics.ucsb.edu
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbdepartment: Physics
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got title: Sr. Systems  
>>> Administrator
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbemailbusiness1: jmehl at physics.ucsb.edu
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got telephoneNumber:  
>>> 805-893-8366
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got registeredAddress: 9530
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got initials: L
>>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 looks for match  
>>> with jennifer_mehl [jennifer_mehl]
>>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: :  
>>> jennifer_mehl [jennifer_mehl]
>>> Mon Apr 26 16:51:07 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
>>>
>>>
>>> I'd like to be able to filter on the mail attribute containing  
>>> 'physics.ucsb.edu' or a few other individual .ucsb.edu subdomains.
>>>
>>> thanks,
>>> Jennifer
>>>
>>>
>>> On Apr 26, 2010, at 4:11 PM, Hugh Irvine wrote:
>>>
>>>>
>>>> Hello Jennifer -
>>>>
>>>> If you add "Debug 255" to your AuthBy LDAP2 clause, then run  
>>>> radiusd from the command line, we will be able to see everything  
>>>> that comes back from the LDAP query.
>>>>
>>>> You should do this in the lab, and once we see what we are  
>>>> dealing with we can decide how best to proceed.
>>>>
>>>> In general, you just need to use a SearchFilter to define a  
>>>> suitable query, rather than AuthAttrDef which operates on the  
>>>> contents of the incoming request.
>>>>
>>>> See section 5.36.15 in the Radiator 4.6 reference manual ("doc/ref.pdf").
>>>>
>>>>
>>>> 5.36.15 SearchFilter
>>>>
>>>> Normally, the search filter that is used to find a matching user  
>>>> name is
>>>>
>>>> (uid=name)
>>>>
>>>> where uid is the name of the LDAP attribute defined by the  
>>>> UsernameAttr parameter, and name is the name of the user  
>>>> currently being authenticated. For advanced applications, you can  
>>>> completely alter the search filter that Radiator will use by  
>>>> using the optional SearchFilter parameter. It allows you to use  
>>>> arbitrarily complicated LDAP search filters to select or exclude  
>>>> users based on attributes other than their user name. Special  
>>>> formatting characters are permitted, and %0 is replaced by  
>>>> UsernameAttr and %1 by the user name. For example, this  
>>>> SearchFilter will only match users with the appropriate setting  
>>>> of their ‘current’ attribute:
>>>>
>>>> SearchFilter (&(current=1)(uid=%1))
>>>>
>>>> In SearchFilter, you can use any special formatting character. For  
>>>> backwards compatibility, perl variables used to be interpolated,  
>>>> but this has been removed. The default setting for SearchFilter  
>>>> is ‘(%0=%1)’, which will match the user name against the LDAP  
>>>> attribute defined by the UsernameAttr parameter (usually ‘uid’).  
>>>> Therefore the default search string is (uid=name).
>>>>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 27 Apr 2010, at 08:39, Jennifer Mehl wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> I'm using the AUTHBYLDAP2 to do simple authentication to our  
>>>>> campus LDAP directory for VPN services.  It is working fine so  
>>>>> far.
>>>>>
>>>>> I'd like to further limit access to this VPN service to  
>>>>> authenticated users with particular email domains in their mail  
>>>>> LDAP attribute.  There are to be 4 different "allowed" email  
>>>>> domains.
>>>>>
>>>>> How do I best do this?  I believe I need to use AuthAttrDef and  
>>>>> look for the mail LDAP attribute, but not sure exactly how to  
>>>>> accept the authentication if the correct email domain exists,  
>>>>> and deny if the attribute is empty or contains any other domain.
>>>>>
>>>>> I'm using RADIATOR 4.0 on Linux.
>>>>>
>>>>>
>>>>> Here is the relevant part of radius.cfg:
>>>>>
>>>>> <Handler>
>>>>>    # strip realm
>>>>>    RewriteUsername s/^([^@]+).*/$1/
>>>>>    # lowercase
>>>>>    RewriteUsername tr/A-Z/a-z/
>>>>>    AuthByPolicy ContinueUntilAccept
>>>>>    AuthBy BY_FILE
>>>>>    AuthBy BY_UCSB_LDAP
>>>>> </Handler>
>>>>>
>>>>>
>>>>> Here is my relevant AUTHBYLDAP2 clause:
>>>>>
>>>>> #UCSB LDAP Directory
>>>>> <AuthBy LDAP2>
>>>>>            Identifier      BY_UCSB_LDAP
>>>>>            include /etc/radiator/ucsbldap.cfg
>>>>> </AuthBy LDAP2>
>>>>>
>>>>>
>>>>> Here is ucsbldap.cfg:
>>>>>
>>>>>
>>>>> Host                    directory.ucsb.edu
>>>>> BaseDN                  o=ucsb
>>>>> UsernameAttr            uid
>>>>> PasswordAttr            userPassword
>>>>> ServerChecksPassword
>>>>> FailureBackoffTime 10
>>>>>
>>>>>
>>>>> # You can enable debugging of the Net::LDAP
>>>>> # module with this:
>>>>> Debug 255
>>>>>
>>>>> UseSSL
>>>>> SSLCAFile       /usr/share/ssl/cert.pem
>>>>> SSLVerify       require
>>>>>
>>>>>
>>>>>
>>>>> Thanks for any assistance!
>>>>>
>>>>> --Jennifer
>>>>>
>>>>>
>>>>> ==================================
>>>>> Jennifer L. Mehl
>>>>> Senior Systems Administrator
>>>>> University of California, Santa Barbara
>>>>> Physics Computing Services
>>>>> mailto:jmehl at physics.ucsb.edu
>>>>> (805) 893-8366, ext 2 (work)
>>>>> ...also rings when working from home
>>>>> Skype:ucsb.physics.mehl_j
>>>>> (805) 451-7486 (cell)
>>>>> ==================================
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>
>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>> server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical,  
>>>> extensible,
>>>> flexible with hardware, software, platform and database  
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>> systems.
>
> Raphael Luta
> raphael.luta at aptiwan.com
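The two points the thread turns on, that a filter such as `(mail=*physics.ucsb.edu)` also matches `fakephysics.ucsb.edu` while an anchored `/@physics\.ucsb\.edu$/` does not, and that a user-supplied `*` reaching `%1` unescaped turns the whole filter into an unindexed wildcard search, can be checked offline. The script below is an added example, not Radiator's code and not from anyone in this thread; the directory entries are constructed sample data, and `ldap_escape`, `build_search_filter`, `domain_allowed` and `authorize` are hypothetical names. It builds the filter Raphael proposed with the username escaped per RFC 4515, and models the `allowed_groups` check in both the unanchored and anchored forms so the difference is visible on the same inputs.

```python
import re

# Constructed sample directory (not real UCSB data): uid -> mail attribute.
# "dave" has an empty mail attribute, the case Jennifer wants rejected.
SAMPLE_DIRECTORY = {
    "jennifer_mehl": "jmehl@physics.ucsb.edu",
    "bob": "bob@math.ucsb.edu",
    "mallory": "mallory@fakephysics.ucsb.edu",
    "carol": "carol@physics.ucsb.edu.example.net",
    "dave": "",
}

ALLOWED_DOMAINS = ("physics.ucsb.edu", "math.ucsb.edu", "cs.ucsb.edu")

# RFC 4515 escaping for an assertion value. Without this, a username of '*'
# substituted into (%0=%1) matches every entry, and the mail clauses then
# run over the whole directory without an index (Raphael's warning).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value before placing it inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(c, c) for c in value)


def build_search_filter(username_attr: str, username: str,
                        domains=ALLOWED_DOMAINS) -> str:
    """Hypothetical builder for the filter shape Raphael suggested:
    (&(uid=<user>)(|(mail=*@dom1)(mail=*@dom2)...)) with <user> escaped."""
    mail_clauses = "".join(f"(mail=*@{d})" for d in domains)
    return f"(&({username_attr}={ldap_escape(username)})(|{mail_clauses}))"


# Anchored patterns model the allowed_groups regexes (/@physics\.ucsb\.edu$/).
# Unanchored patterns model a bare substring match such as *physics.ucsb.edu.
ANCHORED = [re.compile("@" + re.escape(d) + "$") for d in ALLOWED_DOMAINS]
UNANCHORED = [re.compile(re.escape(d)) for d in ALLOWED_DOMAINS]


def domain_allowed(mail: str, anchored: bool = True) -> bool:
    """True if the mail attribute belongs to an allowed domain.
    An empty attribute is never allowed."""
    if not mail:
        return False
    patterns = ANCHORED if anchored else UNANCHORED
    return any(p.search(mail) for p in patterns)


def authorize(uid: str, anchored: bool = True) -> str:
    """Model of the CHECK_DOMAINS step: look up the mail attribute that
    AuthAttrDef would have copied into UCSB-Mail and return ACCEPT/REJECT."""
    mail = SAMPLE_DIRECTORY.get(uid, "")
    return "ACCEPT" if domain_allowed(mail, anchored) else "REJECT"


if __name__ == "__main__":
    print(build_search_filter("uid", "*"))
    for uid in SAMPLE_DIRECTORY:
        print(f"{uid:14} unanchored={authorize(uid, anchored=False):6} "
              f"anchored={authorize(uid)}")
```

Running it shows `mallory` and `carol` accepted by the unanchored match and rejected by the anchored one, which is exactly the gap Raphael's `*@domain` and `/@domain$/` forms close; the escaped filter for a `*` username reads `(&(uid=\2a)...)` and so matches no entry rather than all of them.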