我是radius和LDAP的新手,我正在努力进行组级身份验证。我只希望对ldap组netadmin中的用户进行身份验证(假设正确的凭据)。
在/etc/raddb/users文件中,我已将此行添加到文件顶部:
DEFAULT LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com", Auth-Type := LDAP
在/etc/raddb/sites-enabled/default块的post-auth块底部的# I am not sure if I need the full ldap path to the group object so I try both
if (LDAP-Group == "netadmin") {
noop
}
elsif (LDAP-Group == "cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com") {
noop
}
else {
reject
}
文件中,我添加了:
/etc/mods-enabled/ldap在ldap {
server = 'dc2.redacted.redacted.com'
server = 'dc1.redacted.redacted.com'
base_dn = 'cn=accounts,dc=redacted,dc=redacted,dc=com'
user {
base_dn = "${..base_dn}"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
scope = 'sub'
}
group {
base_dn = "${..base_dn}"
filter = '(objectClass=ipausergroup)'
membership_attribute = 'memberOf'
scope = 'sub'
}
}
文件中,我仅在这些块中修改了这些行(没有删除任何其他行,没有更改排序):
(0) ldap: Login attempt by "myuser"
(0) ldap: Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) ldap: Waiting for bind result...
(0) ldap: Bind successful
(0) ldap: Bind as user "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" was successful
rlm_ldap (ldap): Released connection (2)
Need 3 more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://dc2.redacted.redacted.com:389 ldap://dc1.redacted.redacted.com:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(0) [ldap] = ok
(0) } # Auth-Type LDAP = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0) post-auth {
(0) update {
(0) No attributes updated
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) if (LDAP-Group == "netadmin") {
(0) Searching for user in group "netadmin"
rlm_ldap (ldap): Reserved connection (3)
(0) Using user DN from request "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com"
(0) Checking user object's memberOf attributes
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (3)
(0) User is not a member of "netadmin"
(0) if (LDAP-Group == "netadmin") -> FALSE
有了这个,我在本地运行radtest,使用在编辑之前已经工作的凭据来尝试进行组身份验证。在服务器的radius debug输出中,有几行代表我:
(0) Performing unfiltered search in "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com", scope "base"
(0) Waiting for search result...
(0) No group membership attribute(s) found in user object
特别是这些行:
memberOf使用ldapsearch工具后,我确认我的netadmin组具有ldapsearch -P 3 -x -W -D "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" -b "uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com" \* +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: * +
#
# myuser, users, accounts, redacted.redacted.com
dn: uid=myuser,cn=users,cn=accounts,dc=redacted,dc=redacted,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
memberOf: cn=netadmin,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com
...
uid: myuser
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
属性:
memberOf我希望服务器在搜索我的用户对象并查找tcpdump属性后会看到这一点。
我还进一步调查并使用radtest捕获了数据包并导入wireshark以比较ldapsearch和bindRequest。我注意到会议之间存在一些差异:
1)radtest之前发送的searchRequest的最后一个<ROOT>使用ldapsearch。使用bindRequest,上一个uid=myuser,cn=groups,cn=accounts,dc=redacted,dc=redacted,dc=com使用radius。但我ldapsearch调试日志说它与经过身份验证的用户绑定,所以我在这里感到困惑。
2)当searchRequest使用我的用户memberOf发送DN属性wholeSubtree时,它会使用范围radtest。当base发送相同请求时,它会使用scope = 'sub'范围。当我为user配置中的group和mods-available/ldap块设置memberOf时,这会令人困惑。
那么我错过了什么阻止freeradius看到Cannot read property 'title' of undefined
at Object.View_EditPostComponent_0._co [as updateDirectives] (EditPostComponent.html:11)
at Object.debugUpdateDirectives [as updateDirectives] (core.js:14689)
at checkAndUpdateView (core.js:13836)
at callViewAction (core.js:14187)
at execComponentViewsAction (core.js:14119)
at checkAndUpdateView (core.js:13842)
at callViewAction (core.js:14187)
at execEmbeddedViewsAction (core.js:14145)
at checkAndUpdateView (core.js:13837)
at callViewAction (core.js:14187)
属性数据以验证我的用户是否属于某个组?
答案 0 :(得分:0)
好吧,我比我想象的更近。通过数据包捕获发现有一些奇怪的绑定行为后,我更仔细地查看了调试日志。我意识到与我的用户名的绑定正在发布:
rlm_ldap (ldap): Released connection (2)
此外,组成员身份检查发生的绑定不使用我的用户对象DN(我相信这是一个匿名绑定):
rlm_ldap (ldap): Opening additional connection (7), 1 of 25 pending slots used
rlm_ldap (ldap): Connecting to ldap://<redacted>:389 ldap://<redacted>:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
这有助于我微调我的谷歌搜索,我遇到了some form discussion。
我问我的系统管理员我们是否有任何通用帐户用于此目的,我们做了。
所以我包含在/etc/mods-enabled/ldap的ldap块的顶部:
identity = "cn=special_ro_account,....rest_of_dn..."
password = "xxxxxxxx"
果然,在搜索群组成员身份时,绑定不再是匿名的,而且我已成功通过身份验证。