[RADIATOR] LDAP2 authorizing multiple email domains from mail attribute?

Jennifer Mehl jmehl at physics.ucsb.edu
Wed Apr 28 18:45:33 CDT 2010


Thank you, Hugh and Raphael - this worked well for authenticating against LDAP for our VPN service, with simple PAP authentication.

Now I'd like to take this a little bit further.

I'd like to additionally use this for our wireless 802.1x clients (TTLS and PEAP) to authenticate against the flat file or the LDAP if their username doesn't exist in the LDAP.

I've been looking through the goodies directory, and I'm not sure how to best handle this - multiple inner handlers and one outer?  Does anyone else have a similar setup where they could share parts of their config?

thank you,
Jennifer


On Apr 27, 2010, at 1:59 AM, Raphael Luta wrote:

> It would probably be better written like this:
> 
>> SearchFilter (&(%0=%1)(|(mail = *@physics.ucsb.edu)(mail = *@math.ucsb.edu)(mail = *@cs.ucsb.edu)))
> 
> to avoid matching entries like myuser at fakephysics.ucsb.edu (and adding the missing final parenthesis).
> 
> Note that if you have a large LDAP database (hundreds of thousands to millions of entries), this query can be
> used to severely cripple the server performance if the user only enters '*' as his username, because the mail
> clauses in the query will not use any index.
> 
> An alternate set-up would be:
> 
> Define in your dictionary:
> VENDOR      UCSB        99999
> VENDORATTR  99999       UCSB-Mail                      0       string
> 
> 
> radius.cfg
> <Handler>
>    # strip realm
>    RewriteUsername s/^([^@]+).*/$1/
>    # lowercase
>    RewriteUsername tr/A-Z/a-z/
>    AuthByPolicy ContinueUntilAccept
>    AuthBy BY_FILE
>    <AuthBy GROUP>
>        AuthByPolicy ContinueWhileAccept
>        AuthBy BY_UCSB_LDAP
>        AuthBy CHECK_DOMAINS
>    </AuthBy>
> </Handler>
> 
> <AuthBy LDAP2>
>     Identifier      BY_UCSB_LDAP
>     include /etc/radiator/ucsbldap.cfg
>     AuthAttrDef mail,UCSB-Mail,request
> </AuthBy>
> 
> <AuthBy FILE>
> 	Identifier CHECK_DOMAINS
> 	IgnoreAccounting
> 	Filename %D/allowed_groups
> </AuthBy>
> 
> 
> %D/allowed_groups
> DEFAULT 	UCSB-Mail = /@physics\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
> 
> DEFAULT 	UCSB-Mail = /@math\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
> 
> DEFAULT 	UCSB-Mail = /@xxxx\.ucsb\.edu$/
> 		Accept-Type = ACCEPT
> 
> DEFAULT 	
> 		Accept-Type = REJECT
> 
> The setup is more complex but will also give you the flexibility to set group based radius reply attributes (Session-Timeout for example) if you need them in the allowed_groups file.
> 
> -- raphael
> 
> Le 27 avr. 2010 à 03:34, Hugh Irvine a écrit :
> 
>> 
>> Hello Jennifer -
>> 
>> You will need to do some tests and check your LDAP reference material (see for example http://www.rfc-editor.org/rfc/rfc2254.txt), but something like this should work:
>> 
>> 
>> 
>> 	SearchFilter (&(%0=%1)(|(mail = *physics.ucsb.edu)(mail = *math.ucsb.edu)(mail = *cs.ucsb.edu))
>> 
>> 
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> On 27 Apr 2010, at 09:55, Jennifer Mehl wrote:
>> 
>>> Here is my debug log:
>>> 
>>> Mon Apr 26 16:51:07 2010: DEBUG: Handling with Radius::AuthLDAP2: BY_UCSB_LDAP
>>> Mon Apr 26 16:51:07 2010: INFO: Attempting to bind to LDAP server directory.ucsb.edu:636
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got result for ucsbcampusid=a313b430-03be-11d8-8ba0-0003472a8354, o=UCSB
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbaffiliation: employee
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcampusid: a313b430-03be-11d8-8ba0-0003472a8354
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got givenName: Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got sn: Mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got objectClass: top person ucsbperson ctcaluser
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got uid: jennifer_mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got cn: Jennifer L Mehl
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbcufn: Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got displayName: Mehl, Jennifer
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got mail: jmehl at physics.ucsb.edu
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbdepartment: Physics
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got title: Sr. Systems Administrator
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got ucsbemailbusiness1: jmehl at physics.ucsb.edu
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got telephoneNumber: 805-893-8366
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got registeredAddress: 9530
>>> Mon Apr 26 16:51:07 2010: DEBUG: LDAP got initials: L
>>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 looks for match with jennifer_mehl [jennifer_mehl]
>>> Mon Apr 26 16:51:07 2010: DEBUG: Radius::AuthLDAP2 ACCEPT: : jennifer_mehl [jennifer_mehl]
>>> Mon Apr 26 16:51:07 2010: DEBUG: AuthBy LDAP2 result: ACCEPT, 
>>> 
>>> 
>>> I'd like to be able to filter on the mail attribute containing 'physics.ucsb.edu' or a few other individual .ucsb.edu subdomains.
>>> 
>>> thanks,
>>> Jennifer
>>> 
>>> 
>>> On Apr 26, 2010, at 4:11 PM, Hugh Irvine wrote:
>>> 
>>>> 
>>>> Hello Jennifer -
>>>> 
>>>> If you add "Debug 255" to your AuthBy LDAP2 clause, then run radiusd from the command line, we will be able to see everything that comes back from the LDAP query.
>>>> 
>>>> You should do this in the lab, and once we see what we are dealing with we can decide how best to proceed.
>>>> 
>>>> In general, you just need to use a SearchFilter to define a suitable query, rather than AuthAttrDef which operates on the contents of the incoming request.
>>>> 
>>>> See section 5.36.15 in the Radiator 4.6 reference manual ("doc/ref.pdf").
>>>> 
>>>> 
>>>> 5.36.15 SearchFilter
>>>> 
>>>> Normally, the search filter that is used to find a matching user name is
>>>> 
>>>> (uid=name)
>>>> 
>>>> where uid is the name of the LDAP attribute defined by the UsernameAttr parameter, and name is the name of the user currently being authenticated. For advanced applications, you can completely alter the search filter that Radiator will use by using the optional SearchFilter parameter. It allows you to use arbitrarily complicated LDAP search filters to select or exclude users based on attributes other than their user name. Special formatting characters are permitted, and %0 is replaced by UsernameAttr and %1 by the user name. For example, this SearchFilter will only match users with the appropriate setting of their ‘current’ attribute:
>>>> 
>>>> SearchFilter (&(current=1)(uid=%1))
>>>> 
>>>> In SearchFilter, you can use any special formatting character. For backwards compatibility, perl variables used to be interpolated, but this has been removed. The default setting for SearchFilter is ‘(%0=%1)’, which will match the user name against the LDAP attribute defined by the UsernameAttr parameter (usually ‘uid’). Therefore the default search string is (uid=name).
>>>> 
>>>> 
>>>> regards
>>>> 
>>>> Hugh
>>>> 
>>>> 
>>>> On 27 Apr 2010, at 08:39, Jennifer Mehl wrote:
>>>> 
>>>>> Hi there,
>>>>> 
>>>>> I'm using the AUTHBYLDAP2 to do simple authentication to our campus LDAP directory for VPN services.  It is working fine so far.
>>>>> 
>>>>> I'd like to further limit access to this VPN service to authenticated users with particular email domains in their mail LDAP attribute.  There are to be 4 different "allowed" email domains.
>>>>> 
>>>>> How do I best do this?  I believe I need to use AuthAttrDef and look for the mail LDAP attribute, but I'm not sure exactly how to accept the authentication if the correct email domain exists, and deny if the attribute is empty or contains any other domain.
>>>>> 
>>>>> I'm using RADIATOR 4.0 on Linux.
>>>>> 
>>>>> 
>>>>> Here is the relevant part of radius.cfg:
>>>>> 
>>>>> <Handler>
>>>>>    # strip realm
>>>>>    RewriteUsername s/^([^@]+).*/$1/
>>>>>    # lowercase
>>>>>    RewriteUsername tr/A-Z/a-z/
>>>>>    AuthByPolicy ContinueUntilAccept
>>>>>    AuthBy BY_FILE
>>>>>    AuthBy BY_UCSB_LDAP
>>>>> </Handler>
>>>>> 
>>>>> 
>>>>> Here is my relevant AUTHBYLDAP2 clause:
>>>>> 
>>>>> #UCSB LDAP Directory 
>>>>> <AuthBy LDAP2>
>>>>>            Identifier      BY_UCSB_LDAP
>>>>>            include /etc/radiator/ucsbldap.cfg
>>>>> </AuthBy LDAP2>
>>>>> 
>>>>> 
>>>>> Here is ucsbldap.cfg:
>>>>> 
>>>>> 
>>>>> Host                    directory.ucsb.edu
>>>>> BaseDN                  o=ucsb
>>>>> UsernameAttr            uid
>>>>> PasswordAttr            userPassword
>>>>> ServerChecksPassword
>>>>> FailureBackoffTime 10
>>>>> 
>>>>> 
>>>>> # You can enable debugging of the Net::LDAP
>>>>> # module with this:
>>>>> Debug 255
>>>>> 
>>>>> UseSSL
>>>>> SSLCAFile       /usr/share/ssl/cert.pem
>>>>> SSLVerify       require
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks for any assistance!
>>>>> 
>>>>> --Jennifer
>>>>> 
>>>>> 
>>>>> ==================================
>>>>> Jennifer L. Mehl
>>>>> Senior Systems Administrator
>>>>> University of California, Santa Barbara
>>>>> Physics Computing Services
>>>>> mailto:jmehl at physics.ucsb.edu
>>>>> (805) 893-8366, ext 2 (work)
>>>>> ...also rings when working from home
>>>>> Skype:ucsb.physics.mehl_j
>>>>> (805) 451-7486 (cell)
>>>>> ==================================
>>>>> _______________________________________________
>>>>> radiator mailing list
>>>>> radiator at open.com.au
>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>> 
>>>> NB: 
>>>> 
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets), 
>>>> together with a trace 4 debug showing what is happening?
>>>> 
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> Includes support for reliable RADIUS transport (RadSec),
>>>> and DIAMETER translation agent.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>> 
> Raphael Luta
> raphael.luta at aptiwan.com

==================================
Jennifer L. Mehl
Senior Systems Administrator
University of California, Santa Barbara
Physics Computing Services
mailto:jmehl at physics.ucsb.edu
(805) 893-8366, ext 2 (work)
...also rings when working from home
Skype:ucsb.physics.mehl_j
(805) 451-7486 (cell)
==================================
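As an added illustration that is not part of this thread or of Radiator's own code, the following Python model evaluates the two SearchFilter variants discussed above (Hugh's `(mail=*physics.ucsb.edu)` and Raphael's `(mail=*@physics.ucsb.edu)`) and the allowed_groups regex approach against a handful of constructed directory entries. It assumes RFC 2254 substring semantics with case-insensitive mail comparison; the entry names are invented.

```python
import re

# Constructed sample directory entries (not taken from the thread); 'mail' is the
# attribute that both SearchFilter variants and the allowed_groups file inspect.
ENTRIES = [
    {"uid": "alice", "mail": "alice@physics.ucsb.edu"},
    {"uid": "bob", "mail": "bob@math.ucsb.edu"},
    {"uid": "mallory", "mail": "mallory@fakephysics.ucsb.edu"},  # the case Raphael flagged
    {"uid": "carol", "mail": "carol@example.org"},
    {"uid": "dave", "mail": ""},  # mail attribute empty
]

ALLOWED_DOMAINS = ("physics.ucsb.edu", "math.ucsb.edu", "cs.ucsb.edu")

def ldap_value_matches(pattern, value):
    """One LDAP assertion value, RFC 2254 style: '*' is a wildcard, everything
    else is literal (mail is compared case-insensitively). A bare '*' is a
    presence test, which is true for any non-empty value."""
    if pattern == "*":
        return value != ""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None

def matches_search_filter(entry, username, mail_patterns):
    """Model (&(%0=%1)(|(mail=p1)(mail=p2)...)) with %0 -> uid and %1 -> the
    rewritten username; one substring clause per allowed domain."""
    uid_ok = ldap_value_matches(username, entry["uid"])
    mail_ok = any(ldap_value_matches(p, entry["mail"]) for p in mail_patterns)
    return uid_ok and mail_ok

HUGH_PATTERNS = ["*" + d for d in ALLOWED_DOMAINS]      # (mail=*physics.ucsb.edu)
RAPHAEL_PATTERNS = ["*@" + d for d in ALLOWED_DOMAINS]  # (mail=*@physics.ucsb.edu)

def accepted_uids(username, mail_patterns):
    # The uids the filter would select for this (rewritten) username.
    return [e["uid"] for e in ENTRIES if matches_search_filter(e, username, mail_patterns)]

# allowed_groups alternative: Perl regexes anchored with '$', walked in file order;
# the final bare DEFAULT entry is the catch-all REJECT.
ALLOWED_GROUPS_CHECKS = [re.compile(r"@" + re.escape(d) + r"$") for d in ALLOWED_DOMAINS]

def allowed_groups_decision(mail):
    for check in ALLOWED_GROUPS_CHECKS:
        if check.search(mail):
            return "ACCEPT"
    return "REJECT"

if __name__ == "__main__":
    print("Hugh's filter, user 'mallory':   ", accepted_uids("mallory", HUGH_PATTERNS))
    print("Raphael's filter, user 'mallory':", accepted_uids("mallory", RAPHAEL_PATTERNS))
    print("Raphael's filter, username '*':  ", accepted_uids("*", RAPHAEL_PATTERNS))
```

The run with username `*` shows why the uid clause stops being selective: `(uid=*)` becomes a presence test, so every entry is evaluated against the mail clauses, which Raphael notes are unindexed.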