FreeRadius / OpenLDAP Authorisation - Group membership checking

Hi,

I’m currently using the 10-day trial version of UCS on AWS with a view to purchasing for use as our in-house identity management system.

Before I can purchase, I need to confirm that our Routers can use the UCS Radius functionality for Authentication and Authorisation. We’ve got the Authentication working so far but we’ve been unable to get Authorisation working yet.

Our different levels of network access will be dependent on Group membership so we need the Radius check to correctly identify if a user is a member of a certain group, and then send that group-id to the Router.

We would specify this in the /etc/freeradius/users file using something like this:

DEFAULT Ldap-Group == "UCS_Group_Name"
        Reply-Message = "PPTP VPN User Authorized",
        Router-Group-Name = "Router_Group_Name"

DEFAULT Auth-Type := Reject
        Reply-Message = "User Not Authorized"

This is currently not working with the default config for group membership checking which is set in /etc/freeradius/modules/ldap:

        # Group membership checking. Disabled by default.

        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName

I believe the issue is the groupmembership_filter but I am unsure of how to set it to ensure that it will correctly identify the groups.

I have noticed that memberOf is not listed by default when you do univention-ldapsearch uid=Test_user, so I have upgraded to version 4.3 and followed the steps listed in "memberOf attribute: Group memberships of user and computer objects", which now allows for univention-ldapsearch uid=Test_user memberOf, but I am still unsure of how to implement this as a valid groupmembership_filter which will work.

Is there any way we can get assistance with this or can anyone provide links to any comprehensive documentation which would cover this? I understand that support is only available to corporate customers but we really need to confirm this functionality can work before we commit to UCS as a solution.

Hey,

I cannot really answer your question, but I do have two comments.

First, memberOf. Filtering by memberOf does work even without requesting it as a result attribute. Compare the output of the following two commands:

univention-ldapsearch -LLLo ldif-wrap=no "(memberOf=cn=Domain Admins,cn=groups,$(ucr get ldap/base))" dn memberOf
univention-ldapsearch -LLLo ldif-wrap=no "(memberOf=cn=Domain Admins,cn=groups,$(ucr get ldap/base))" dn

The same set of objects will be returned.

Second, file location. In UCS 4.3, FreeRadius 3.0 is used, and the location of the configuration files has changed. All relevant files are now located in and beneath /etc/freeradius/3.0.

Kind regards,
mosu
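
An added example, not part of either post and not UCS or FreeRADIUS code: it evaluates the default groupmembership_filter quoted in the question and a memberOf filter like the one in the reply against constructed directory entries, to show which entries each filter selects. The base DN, group names and entries are made up, and the matcher is a simplified stand-in for an LDAP server, so compare the entries with what univention-ldapsearch returns for your own objects.

```python
import re

# Default groupmembership_filter quoted in the question.
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")
BASE = "dc=example,dc=test"                      # constructed sample data
USER = "uid=Test_user,cn=users," + BASE
ENTRIES = [  # constructed entries, not real UCS objects
    {"dn": ["cn=vpn-a,cn=groups," + BASE], "objectClass": ["groupOfUniqueNames"], "uniqueMember": [USER]},
    {"dn": ["cn=vpn-b,cn=groups," + BASE], "objectClass": ["posixGroup"], "uniqueMember": [USER]},
    {"dn": [USER], "objectClass": ["person"], "memberOf": ["cn=vpn-a,cn=groups," + BASE]},
]

def expand(template, user_dn):
    """Insert the user DN, escaping RFC 4515 special characters."""
    esc = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), user_dn)
    return template.replace("%{control:Ldap-UserDn}", esc)

def parse(f, i=0):
    """Parse one '(...)' filter at f[i]; return (node, index after it)."""
    op = f[i + 1]
    if op in "&|!":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1                 # step over ')'
    end = f.index(")", i)
    attr, value = f[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (simplified case-insensitive equality)."""
    if node[0] == "=":
        return any(v.lower() == node[2] for k, vs in entry.items()
                   if k.lower() == node[1] for v in vs)
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[node[0]](results)

def search(entries, filter_text):
    """Return the DNs of all entries the filter selects."""
    tree, _ = parse(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]

if __name__ == "__main__":
    print(search(ENTRIES, expand(DEFAULT_FILTER, USER)))
    print(search(ENTRIES, "(memberOf=cn=vpn-a,cn=groups,%s)" % BASE))
```

In this constructed data the default filter selects only the group whose objectClass is one of the two it names, even though both groups list the user, while the memberOf filter selects the user entry rather than a group.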
