From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Fri Feb 06 2004 - 16:11:14 CST
Lukasz Karapuda wrote:
Hi Lukasz!
> Thanks for your response.
>
> Still trying to resolve the issue described below. Hence below I am
> supplying the LDIF's that might help you out to answer my questions.
Essentially, you trying to use group membership as a means of limiting
who can register. This would take quite a different approach than the
present LDAP auth method. Let me explain what happens now:
1. You configure a search base and the authentication attribute
(to keep it simple)
2. Someone enters a username/password on the registration screen
3. If LDAP_USE_ADS is set, nothing in #1 matters; authentication
happens using username@DOMAIN against one of your ADS servers.
4. If LDAP_USE_ADS is not set:
a. A search filter is created "($LDAP_AUTH_ATTR=$user)", e.g.
(samAccountName=lkarap00)
b. A subtree search, starting at $LDAP_BASE, returns all entries
matching that filter.
c. The dn of the first entry is extracted, e.g.:
dn: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
d. We authenticated using that dn and the supplied password.
How is your scenario different? First, it would require something
very different:
1. Look for a dn where samAccountName matches the supplied username.
Perhaps we start somewhere near the top of your DIT, e.g.
DC=mercyhurst,DC=local (may not be efficient)
2. Then look to see if there is a memberOf attribute matching the
dn of your special group.
Make sense? You can't start where you wanted, because there is nothing
there to match the samAccountName.
So why are you wanting to use group membership to restrict registration?
I can imagine using the converse, where membership in a certain group
precludes registration. You can easily limit registration to students
by using $LDAP_BASE set to OU=students,DC=mercyhurst,DC=local. Or are
you trying to do something much different? If you can convince me that
it's useful enough to include in the CIDR kit version, I'll take a crack
at writing the code for it (you'll have to test it), but I guess I'd like
to know that it's going to be useful for more than just you. :-)
Otherwise, to make it work as it is... see below.
> This is the LDIF for my LDAP base:
>
> ------------------------------------------
> version: 1
>
> # LDIF Export for: CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local
> # Generated by phpLDAPadmin on February 6, 2004 1:08 pm
> # Server: SUMMIT Active Directory (summit.mercyhurst.edu)
> # Search Scope: base
> # Total entries: 1
>
> # Entry 1: CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local
> dn: CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local
> member: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
> *****removed other members**********
> cn: NetReg
> description: netreg users group
> groupType: -2147483646
> instanceType: 4
> distinguishedName: CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local
> objectCategory:
> CN=Group,CN=Schema,CN=Configuration,DC=mercyhurst,DC=local
> objectClass: top
> objectClass: group
> objectGUID:: ODUZ9JY6q0+P4WKB+GyHUw==
> objectSid:: AQU=
> name: NetReg
> sAMAccountName: NetReg
> sAMAccountType: 268435456
> uSNChanged: 2313272
> uSNCreated: 1464550
> whenChanged: 20040130201305.0Z
> whenCreated: 20031208213741.0Z
> ------------------------------------------
>
> This is the LDIF for a user entry:
>
> ------------------------------------------
> version: 1
>
> # LDIF Export for: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
> # Generated by phpLDAPadmin on February 6, 2004 1:13 pm
> # Server: SUMMIT Active Directory (summit.mercyhurst.edu)
> # Search Scope: base
> # Total entries: 1
>
> # Entry 1: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
> dn: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
> memberOf: CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local
> memberOf: CN=ComputerCenter,CN=Users,DC=mercyhurst,DC=local
> memberOf: CN=Administrators (WWW),CN=Users,DC=mercyhurst,DC=local
> memberOf: CN=Administrators,CN=Builtin,DC=mercyhurst,DC=local
> accountExpires: 9223372036854775807
> streetAddress:
> homePostalAddress:
> adminCount: 1
> badPasswordTime: 127205493258281250
> badPwdCount: 1
> codePage: 0
> cn: Lukasz Karapuda
> countryCode: 0
> description: Undergrad Student
> displayName: Lukasz Karapuda
> mail: lkarap00@mercyhurst.edu
> givenName: Lukasz
> homeDirectory: \\summit\lkarap00
> homeDrive: H:
> instanceType: 4
> lastLogon: 127204709851681250
> logonCount: 234
> distinguishedName: CN=Lukasz Karapuda,OU=students,DC=mercyhurst,DC=local
> objectCategory:
> CN=Person,CN=Schema,CN=Configuration,DC=mercyhurst,DC=local
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectGUID:: q3rjPt+W/EKprHjfnFD+0g==
> objectSid:: AQU=
> homePhone:
> primaryGroupID: 513
> pwdLastSet: 126665794488906250
> name: Lukasz Karapuda
> sAMAccountName: lkarap00
> sAMAccountType: 805306368
> scriptPath: login.bat
> sn: Karapuda
> userAccountControl: 512
> userPrincipalName: lkarap00@mercyhurst.local
> uSNChanged: 9993
> uSNCreated: 9993
> whenChanged: 20030629150040.0Z
> whenCreated: 20020522221728.0Z
> ------------------------------------------
>
> This is my current variables.pl file (only relevant sections):
>
> ------------------------------------------
> $AUTH_METHOD = "LDAP";
> if ($AUTH_METHOD eq "POP") { use Mail::POP3Client; }
> elsif ($AUTH_METHOD eq "FTP") { use Net::FTP; }
> elsif ($AUTH_METHOD eq "IMAP") { use Net::IMAP::Simple; }
> elsif ($AUTH_METHOD eq "LDAP") { use Net::LDAP; }
>
> @LDAP_SERVERS = ("summit.mercyhurst.edu");
>
> $LDAP_TIMEOUT = 5;
>
> $LDAP_BASE = "CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local";
Change this to:
OU=students,DC=mercyhurst,DC=local
*************
This group of variables is not used with ADS, but if you *weren't* using
ADS...
> $LDAP_AUTH_ATTR = "samaccountname";
This would likely change if you weren't using ADS, but alright...
> $LDAP_BIND_ANON = 1;
This says that you need credentials to bind to your LDAP directory to
lookup the inforamtion you're after, i.e. it's not for public view.
If you set this, then...
> $LDAP_BIND_CREDENTIALS = "";
This really needs to have those credentials. The previous one
should be turned off otherwise.
**************
The group is for passthru authentication, i.e. you send your authentication
request to one LDAP server, and it passes it through to another. Not used
when using ADS authentication.
> $LDAP_USES_PASSTHRU_AUTH = 1;
Turn this off if you don't need it, and you don't.
> @LDAP_DIT_MAP = ( [ "ou=Public,", "" ],
> [ "ou=Private,", "" ]
> );
This is the map disparate DITs, e.g. the server you're asking to authenticate
your request, and the one that ultimately receives the request to verify the
credentials.
**************
Stuff from the last two 'groups' of variables is just picky, but helps you
avoid pitfalls if you turn off the following and expect anything to work
at all.
> $LDAP_USE_ADS = 1;
>
> $LDAP_ADS_DOMAIN = "mercyhurst.local";
Ok. Try those, if you just want to authenticate students. That should
get you going. We'll see about any further kind of restrictions, when
you tell me what you're after and why, unless of course you want to write
it yourself. ;-)
-Robert
> $AUTH_LC_USERNAME = 1;
>
> 1;
>
> ------------------------------------------
>
> The same questions as outlined in my email below still holds.
>
> I'd appreciate any help.
>
> Thanks in advance,
>
> Lukasz Karapuda
>
>
> -----Original Message-----
> From: owner-netreg@southwestern.edu
> [mailto:owner-netreg@southwestern.edu] On Behalf Of Robert Lowe
> Sent: Monday, February 02, 2004 7:30 PM
> To: netreg@southwestern.edu
> Subject: Re: NetReg: Active Directory authentication - restrict users
> from AD group.
>
>
> Lukasz Karapuda wrote:
>
> Hi Lukasz!
>
>
>>I have implemented Netreg 1.3rc2 on RedHat 9.0. I am using a Microsoft
>
>
>>Active Directory server as my LDAP authentication server for NetReg
>>registrations. For convenience I have created an Active Directory
>>Group with the following DN:
>>
>>"CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local";
>>
>>I have made the Active Directory users that can register using NetReg
>>members of the AD group NetReg. I wanted to restrict the registration
>>to users exclusively in that AD group. Hence I used the following
>>configuration setting:
>>
>># Search base: can be used to restrict which users can register
>>$LDAP_BASE = "CN=NetReg,OU=Generic Accounts,DC=mercyhurst,DC=local";
>>
>>However, users that are not part of the AD group NetReg can register
>>as well. Hence my group restriction is not functioning correctly.
>>
>>Since, I am not particularly knowledgeable in the AD administration, I
>
>
>>would welcome some feedback as to how my $LDAP_BASE should be
>>structured, so that only users within a given AD group can register
>>using NetReg.
>
>
> That's not the problem! The comments should read that if you select ADS
> as the authentication source, authentication will happen in the form
> user@domain. This is in contrast to searching for the dn, then
> authenticating using it plus the supplied password. ADS will behave as
> a standard LDAP search in this regard, so try the following:
>
> . Turn off $LDAP_USE_ADS by setting it to 0
> This will force an LDAP lookup prior to attempting authentication. .
> Set $LDAP_AUTH_ATTR to "cn"
> Is this the attribute needed? What does the entry specified by
> your LDAP base look like? If you can supply LDIF, everything
> should be perfectly clear.
>
> Depending on your ADS configuration, you will have to correctly set
> $LDAP_BIND_ANON and $LDAP_BIND_CREDENTIALS. Try using anonymous binding
> first. If the security in your ADS config prevent anonymous searching
> of dn's, you will have to provide the credentials of a user who can
> search the entire DIT (or at least the base you specify). Make sense?
>
> -Robert
**********************************************************************
To unsubscribe from this list, send an e-mail message to
majordomo@southwestern.edu containing a single line with the words:
unsubscribe netreg
Send requests for assistance to: owner-netreg@southwestern.edu
**********************************************************************
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:44 CDT