使用 FreeRadius 进行组级身份验证 - LDAP - FreeIPA
Group level authentication with FreeRadius - LDAP - FreeIPA
我是 radius 和 LDAP 的新手,正在为组级身份验证而苦苦挣扎。我只想对 ldap 组 netadmin
中的用户进行身份验证(假设凭据正确)。
在 /etc/raddb/users
文件中,我将这一行添加到文件的顶部:
DEFAULT LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com", Auth-Type := LDAP
在 /etc/raddb/sites-enabled/default
文件中,在 post-auth
块的底部,我添加了:
# I am not sure if I need the full ldap path to the group object so I try both
if (LDAP-Group == "netadmin") {
noop
}
elsif (LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com") {
noop
}
else {
reject
}
在 /etc/mods-enabled/ldap
文件中,我仅在这些块中修改了这些行(没有删除任何其他内容,也没有更改顺序):
ldap {
server = 'dc2.redacted.redacted.com'
server = 'dc1.redacted.redacted.com'
base_dn = 'cn=accounts,dc=redacted,dc=redacted,dc=com'
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=ipausergroup)'
membership_attribute = 'memberOf'
scope = 'sub'
}
}
有了这个,我 运行 使用在我进行编辑之前有效的凭据在本地进行 radtest,以尝试进行组身份验证。在服务器的 radius 调试输出中,有几行让我印象深刻:
(0) ldap: Login attempt by "myuser"
(0) ldap: Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" was successful
rlm_ldap (ldap): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc2.redacted.redacted.com:389 ldap://dc1.redacted.redacted.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (LDAP-Group == "netadmin") {
(0) Searching for user in group "netadmin"
rlm_ldap (ldap): Reserved connection (3)
(0) Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (3)
(0) User is not a member of "netadmin"
(0) if (LDAP-Group == "netadmin") -> FALSE
特别是这些行:
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
使用 ldapsearch 工具后,我验证了 netadmin
组具有 memberOf
属性:
ldapsearch -P 3 -x -W -D "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" -b "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" \* +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: * +
#
# myuser, users, accounts, redacted.redacted.com
dn: uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
memberOf: cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
uid: myuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
我预计服务器会在搜索我的用户对象并查找 memberOf
属性后看到它。
我还进一步调查并使用 tcpdump
捕获数据包并导入 wireshark 以比较 radtest
和 ldapsearch
。我注意到我印象深刻的会话之间的一些差异:
1) radtest
在 searchRequest
之前发送的最后一个 bindRequest
使用 <ROOT>
。使用 ldapsearch
,最后的 bindRequest
使用 uid=myuser,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
。但是我 radius
调试日志说它绑定为经过身份验证的用户,所以我在这里很困惑。
2) 当 ldapsearch
使用我的用户 DN
为属性 memberOf
发送 searchRequest
时,它使用 wholeSubtree
的范围。当radtest
发送相同的请求时,它使用base
的范围。这令人困惑,因为我在 mods-available/ldap
配置中为 user
和 group
块设置了 scope = 'sub'
。
那么我错过了什么阻止 freeradius 查看 memberOf
属性数据来验证我的用户是组的一部分?
好吧,我比我想象的要近。通过抓包发现有一些奇怪的绑定行为后,我更仔细地查看了调试日志。我意识到与我的用户名的绑定正在被释放:
rlm_ldap (ldap): Released connection (2)
此外,为组成员资格检查而发生的绑定不使用我的用户对象 DN(我相信这是一个匿名绑定):
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://<redacted>:389 ldap://<redacted>:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
这帮助我微调了我的谷歌搜索,我遇到了 some form discussion。
我问我的系统管理员我们是否有任何通用帐户用于此目的,我们有。
所以我在 /etc/mods-enabled/ldap
的 ldap 块的顶部包含:
identity = "cn=special_ro_account,....rest_of_dn..."
password = "xxxxxxxx"
果然,在搜索组成员身份时绑定不再是匿名的,我已成功通过身份验证。
我是 radius 和 LDAP 的新手,正在为组级身份验证而苦苦挣扎。我只想对 ldap 组 netadmin
中的用户进行身份验证(假设凭据正确)。
在 /etc/raddb/users
文件中,我将这一行添加到文件的顶部:
DEFAULT LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com", Auth-Type := LDAP
在 /etc/raddb/sites-enabled/default
文件中,在 post-auth
块的底部,我添加了:
# I am not sure if I need the full ldap path to the group object so I try both
if (LDAP-Group == "netadmin") {
noop
}
elsif (LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com") {
noop
}
else {
reject
}
在 /etc/mods-enabled/ldap
文件中,我仅在这些块中修改了这些行(没有删除任何其他内容,也没有更改顺序):
ldap {
server = 'dc2.redacted.redacted.com'
server = 'dc1.redacted.redacted.com'
base_dn = 'cn=accounts,dc=redacted,dc=redacted,dc=com'
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=ipausergroup)'
membership_attribute = 'memberOf'
scope = 'sub'
}
}
有了这个,我 运行 使用在我进行编辑之前有效的凭据在本地进行 radtest,以尝试进行组身份验证。在服务器的 radius 调试输出中,有几行让我印象深刻:
(0) ldap: Login attempt by "myuser"
(0) ldap: Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" was successful
rlm_ldap (ldap): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc2.redacted.redacted.com:389 ldap://dc1.redacted.redacted.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (LDAP-Group == "netadmin") {
(0) Searching for user in group "netadmin"
rlm_ldap (ldap): Reserved connection (3)
(0) Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (3)
(0) User is not a member of "netadmin"
(0) if (LDAP-Group == "netadmin") -> FALSE
特别是这些行:
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
使用 ldapsearch 工具后,我验证了 netadmin
组具有 memberOf
属性:
ldapsearch -P 3 -x -W -D "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" -b "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" \* +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: * +
#
# myuser, users, accounts, redacted.redacted.com
dn: uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
memberOf: cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
uid: myuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
我预计服务器会在搜索我的用户对象并查找 memberOf
属性后看到它。
我还进一步调查并使用 tcpdump
捕获数据包并导入 wireshark 以比较 radtest
和 ldapsearch
。我注意到我印象深刻的会话之间的一些差异:
1) radtest
在 searchRequest
之前发送的最后一个 bindRequest
使用 <ROOT>
。使用 ldapsearch
,最后的 bindRequest
使用 uid=myuser,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
。但是我 radius
调试日志说它绑定为经过身份验证的用户,所以我在这里很困惑。
2) 当 ldapsearch
使用我的用户 DN
为属性 memberOf
发送 searchRequest
时,它使用 wholeSubtree
的范围。当radtest
发送相同的请求时,它使用base
的范围。这令人困惑,因为我在 mods-available/ldap
配置中为 user
和 group
块设置了 scope = 'sub'
。
那么我错过了什么阻止 freeradius 查看 memberOf
属性数据来验证我的用户是组的一部分?
好吧,我比我想象的要近。通过抓包发现有一些奇怪的绑定行为后,我更仔细地查看了调试日志。我意识到与我的用户名的绑定正在被释放:
rlm_ldap (ldap): Released connection (2)
此外,为组成员资格检查而发生的绑定不使用我的用户对象 DN(我相信这是一个匿名绑定):
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://<redacted>:389 ldap://<redacted>:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
这帮助我微调了我的谷歌搜索,我遇到了 some form discussion。
我问我的系统管理员我们是否有任何通用帐户用于此目的,我们有。
所以我在 /etc/mods-enabled/ldap
的 ldap 块的顶部包含:
identity = "cn=special_ro_account,....rest_of_dn..."
password = "xxxxxxxx"
果然,在搜索组成员身份时绑定不再是匿名的,我已成功通过身份验证。