我是radius和LDAP的新手,我正在努力进行组级认证。我只希望对ldap组netadmin中的用户进行身份验证(假设正确的凭据)。
在/etc/raddb/users文件中,我已将此行添加到文件的顶部:
DEFAULT LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com", Auth-Type := LDAP
在/etc/raddb/sites-enabled/default文件中,在post-auth块的底部,我添加了:
# I am not sure if I need the full ldap path to the group object so I try both
if (LDAP-Group == "netadmin") {
noop
}
elsif (LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com") {
noop
}
else {
reject
}
在/etc/mods-enabled/ldap文件中,我仅在这些块中修改了这些行(没有其他内容被删除,没有更改顺序):
ldap {
server = 'dc2.redacted.redacted.com'
server = 'dc1.redacted.redacted.com'
base_dn = 'cn=accounts,dc=redacted,dc=redacted,dc=com'
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=ipausergroup)'
membership_attribute = 'memberOf'
scope = 'sub'
}
}
有了这个,我在使用凭据进行本地运行radtest之前,我进行了编辑以尝试进行组身份验证。在服务器的radius debug输出中,有几行代表我:
(0) ldap: Login attempt by "myuser"
(0) ldap: Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" was successful
rlm_ldap (ldap): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc2.redacted.redacted.com:389 ldap://dc1.redacted.redacted.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (LDAP-Group == "netadmin") {
(0) Searching for user in group "netadmin"
rlm_ldap (ldap): Reserved connection (3)
(0) Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (3)
(0) User is not a member of "netadmin"
(0) if (LDAP-Group == "netadmin") -> FALSE
特别是这些线:
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
使用ldapsearch工具后,我验证了memberOf属性的netadmin属性:
ldapsearch -P 3 -x -W -D "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" -b "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" \* +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: * +
#
# myuser, users, accounts, redacted.redacted.com
dn: uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
memberOf: cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
uid: myuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
我希望服务器在搜索我的用户对象并查找memberOf属性后会看到这个。
我还进一步调查并使用tcpdump捕获数据包并导入wireshark以比较radtest和ldapsearch。我注意到与我有关的会话之间存在一些差异:
1)bindRequest在radtest之前发送的最后一个searchRequest,使用<ROOT>。使用ldapsearch,最后一个bindRequest使用uid=myuser,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com。但我radius调试日志说它绑定为经过身份验证的用户,所以我在这里很困惑。
2)当ldapsearch使用我的用户searchRequest发送属性memberOf的DN时,它使用wholeSubtree的范围。当radtest发送相同的请求时,它使用base的范围。这是令人困惑的,因为我在scope = 'sub'配置中为user和group块设置了mods-available/ldap。
那么我错过了什么阻止freeradius看到memberOf属性数据来验证我的用户是否是组的一部分?
好吧,我比我想象的更近。通过数据包捕获发现有一些奇怪的绑定行为后,我更仔细地查看了调试日志。我意识到与我的用户名的绑定正在发布:
rlm_ldap (ldap): Released connection (2)
此外,组成员身份检查发生的绑定不使用我的用户对象DN(我相信这是一个匿名绑定):
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://<redacted>:389 ldap://<redacted>:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
这帮我调整了我的谷歌搜索,我遇到了some form discussion。
我问我的系统管理员我们是否有这个目的的通用帐户,我们做了。
所以我把它包括在/etc/mods-enabled/ldap的ldap块的顶部:
identity = "cn=special_ro_account,....rest_of_dn..."
password = "xxxxxxxx"
当然,在搜索组成员身份时,绑定不再是匿名的,并且我已成功通过身份验证。