tac_plus-ng I can access with user with password expired


Sergio Gomez Ramirez

Aug 30, 2023, 1:45:35 PM
to Event-Driven Servers
Hi Marc,

As you know, I am working with FreeIPA LDAP, and I am trying to filter user access if the password has expired. With mavis_tacplus-ng_ldap.pl you only use the shadowExpire attribute, but FreeIPA uses krbPasswordExpiration.

I don't know if only adding or modifying the attribute is enough, but I would need to filter with (krbPasswordExpiration<=$(date +%Y%m%d)000000Z)



        $mesg = $ldap->search(base => $LDAP_BASE, filter => sprintf($LDAP_FILTER, $V[AV_A_USER]), scope => $LDAP_SCOPE,
                attrs => [ 'shadowExpire', 'memberOf', 'dn', 'uidNumber', 'gidNumber', 'loginShell', 'homeDirectory', 'sshPublicKey' ]);
        if ($mesg->count() == 1) {
                my $entry = $mesg->entry(0);

                my $val = $entry->get_value('memberOf', asref => 1);
                $authdn = $entry->dn;
                my (@M, @MO);
                if ($#{$val} > -1) {
                        $val = expand_memberof($val);
                } else {
                        $val = expand_groupOfNames($entry->dn);
                }
                foreach my $m (sort @$val) {
                        if ($m =~ /$LDAP_MEMBEROF_REGEX/i) {
                                push @M, $1;
                                push @MO, $m;
                        }
                }
                $V[AV_A_TACMEMBER] = '"' . join('","', @M) . '"' if $#M > -1;
                $V[AV_A_MEMBEROF] = '"' . join('","', @MO) . '"' if $#MO > -1;
                $V[AV_A_DN] = $authdn;
                $V[AV_A_UID] = $val if $val = $entry->get_value('uidNumber');
                $V[AV_A_GID] = $val if $val = $entry->get_value('gidNumber');
                $V[AV_A_SHELL] = $val if $val = $entry->get_value('loginShell');
                $V[AV_A_HOME] = $val if $val = $entry->get_value('homeDirectory');
                $V[AV_A_SSHKEY] = $val if $val = $entry->get_value('sshPublicKey');

                my $authdn = $mesg->entry(0)->dn;
                if ($V[AV_A_TACTYPE] eq AV_V_TACTYPE_AUTH) {
                        $val = $entry->get_value('shadowExpire');
                        if ($val && $val * 86400 < time){

                                $V[AV_A_USER_RESPONSE] = "Password has expired.";
                                $V[AV_A_PASSWORD_MUSTCHANGE] = 1;
                        }


Regards,
Sergio
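
The snippet above tests shadowExpire only. As an added illustration (this is not code from tac_plus-ng or from the commit discussed below; the sample entries are constructed and the function names are my own), here is how a backend can derive the same USER_RESPONSE / PASSWORD_MUSTCHANGE decision from either attribute: shadowExpire holds days since the Unix epoch, as in the Perl check, while FreeIPA's krbPasswordExpiration is an LDAP GeneralizedTime such as 20230831000000Z. Treating non-positive shadowExpire values as "not set" (what `chage -E -1` produces) is an assumption of the example, not something the backend script is known to do.

```python
"""Added example (not tac_plus-ng code): evaluate password expiry from the two
LDAP attributes discussed in the thread, shadowExpire (days since the epoch)
and krbPasswordExpiration (FreeIPA, LDAP GeneralizedTime), the way a MAVIS
backend does before it sets PASSWORD_MUSTCHANGE."""
from __future__ import annotations

import re
from datetime import datetime, timezone

# GeneralizedTime as FreeIPA stores it: YYYYMMDDHHMMSSZ, optional fraction.
_GENTIME = re.compile(r"^(\d{14})(?:[.,]\d+)?Z$")


def parse_generalized_time(value: str) -> datetime:
    """Parse a UTC LDAP GeneralizedTime such as 20230831000000Z."""
    m = _GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def shadow_expire_to_datetime(value: str | int) -> datetime | None:
    """shadowExpire is days since 1970-01-01 (shadow(5)); the posted Perl check
    compares value*86400 with time(). Non-positive values are treated here as
    'not set', which is what `chage -E -1` writes (assumption for this example)."""
    days = int(value)
    if days <= 0:
        return None
    return datetime.fromtimestamp(days * 86400, tz=timezone.utc)


def expiry_of(entry: dict[str, list[str]]) -> datetime | None:
    """Earliest expiry present in the entry, or None when neither attribute is set.
    entry maps attribute name -> list of values, like Net::LDAP get_value(asref=>1)."""
    candidates = []
    for v in entry.get("shadowExpire", []):
        dt = shadow_expire_to_datetime(v)
        if dt is not None:
            candidates.append(dt)
    for v in entry.get("krbPasswordExpiration", []):
        candidates.append(parse_generalized_time(v))
    return min(candidates) if candidates else None


def mavis_expiry_avpairs(entry: dict[str, list[str]], tactype: str,
                         now: datetime | None = None) -> dict[str, str]:
    """Attribute-value pairs to add to the MAVIS reply for an AUTH request whose
    password has expired; empty otherwise (mirrors the posted Perl branch)."""
    if tactype != "AUTH":
        return {}
    now = now or datetime.now(timezone.utc)
    exp = expiry_of(entry)
    if exp is None or exp > now:
        return {}
    return {"USER_RESPONSE": "Password has expired.", "PASSWORD_MUSTCHANGE": "1"}


# Constructed sample entries and evaluation time; not taken from any real directory.
NOW = datetime(2023, 9, 1, 9, 50, 49, tzinfo=timezone.utc)
SAMPLES = {
    "ipa_expired":    {"uid": ["userid"], "krbPasswordExpiration": ["20230831000000Z"]},
    "ipa_valid":      {"uid": ["bob"],    "krbPasswordExpiration": ["20231130120000Z"]},
    "shadow_expired": {"uid": ["carol"],  "shadowExpire": ["19600"]},   # 19600 days = 2023-08-31
    "shadow_never":   {"uid": ["dave"],   "shadowExpire": ["-1"]},
    "no_attrs":       {"uid": ["erin"]},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:15} {mavis_expiry_avpairs(entry, 'AUTH', NOW) or 'password still valid'}")
```

A value that is absent or in the future yields no extra pairs, so a user without either attribute is not treated as expired; only TACTYPE AUTH requests get the must-change marker, as in the original branch.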

Marc Huber

Aug 30, 2023, 5:01:03 PM
to event-driv...@googlegroups.com

Hi Sergio,

I've committed an update to support krbPasswordExpiration, too.

Cheers,

Marc

--
You received this message because you are subscribed to the Google Groups "Event-Driven Servers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-driven-ser...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/event-driven-servers/253005a6-524a-469c-b23b-7d2d5a0aff7cn%40googlegroups.com.

Sergio Gomez Ramirez

Aug 31, 2023, 4:24:32 AM
to Event-Driven Servers
Hi Marc,

I will be attentive; if you need help, we could test in my lab.

Thanks
Sergio

Marc Huber

Aug 31, 2023, 11:10:02 AM
to event-driv...@googlegroups.com

Hi Sergio,

I committed these changes yesterday, so you can just git pull and test.

Cheers,

Marc

Sergio Gomez Ramirez

Aug 31, 2023, 11:51:32 AM
to Event-Driven Servers
OK, thanks, I installed it again:

I am testing, and if I use the LDAP_FILTER:

setenv LDAP_FILTER = "(&(objectclass=posixaccount)(krbPasswordExpiration<=$(date +%Y%m%d)000000Z)(uid=%s))" 
or
setenv LDAP_FILTER = "(&(objectclass=posixaccount)(krbPasswordExpiration=%s)(uid=%s))" 

I cannot access my endpoint; mavistest output:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-843362-1693495919-0
USER                userid
PASSWORD            passwd
TACTYPE             AUTH

Output attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-843362-1693495919-0
USER                userid
RESULT              NFD
PASSWORD            passwd
SERIAL              IpPR3b5/u0GbwKwCVkTuFQ=
TACTYPE             AUTH


Could LDAP_FILTER be wrong? Because in the log I can see:

ago 31 17:44:10 tacacs1.example.com tac_plus-ng[843478]: 10.0.0.1 shell login for 'userid' from 192.168.70.56 on ssh19 failed (no such user)

But if I use this filter I can access:

setenv LDAP_FILTER = "(&(objectclass=posixaccount)(uid=%s))"

mavistest:

Input attribute-value-pairs:
TYPE                TACPLUS
TIMESTAMP           mavistest-843343-1693495762-0
USER                userid
PASSWORD            passwd
TACTYPE             AUTH

Output attribute-value-pairs:
TYPE                TACPLUS
MEMBEROF            "cn=red_test_l2,cn=groups,cn=accounts,dc=example,dc=com"
TIMESTAMP           mavistest-843343-1693495762-0
USER                userid
DN                  uid=userid,cn=users,cn=accounts,dc=example,dc=com
RESULT              ACK
PASSWORD            passwd
UID                 546250500
GID                 546250500
HOME                /home/userid
SERIAL              e70AoR5m/yXQ3NjtKQPeKA=
IDENTITY_SOURCE     0
TACMEMBER           "test_l2"
TACTYPE             AUTH
PASSWORD_ONESHOT    1
SHELL               /bin/sh


Regards
Sergio
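
For the filter variants tried above, an added stand-alone illustration (not tac_plus-ng code, and not a claim about why this particular setup answered NFD): a small evaluator for the LDAP filter subset involved (AND, equality, and the <= / >= ordering matches) run over constructed entries. It shows that ANDing (krbPasswordExpiration<=now) into the user lookup selects only users whose password has already expired, so everyone else comes back as "no such user", whereas a >= clause admits only still-valid passwords; and that if the `$(date ...)` text reaches the backend unexpanded, the filter is not even well-formed. The entries, uids, the NOW value and the helper names are made up for the example.

```python
"""Added example (not tac_plus-ng code): evaluate the LDAP filter subset used in
the thread (&, =, <=, >=) against constructed entries, to see which users a
krbPasswordExpiration clause in the user-lookup filter actually selects."""
import re

# One filter item: (attr=value), (attr<=value) or (attr>=value); no escapes, no |/!.
_ITEM = re.compile(r"^\(([A-Za-z][\w;-]*)(<=|>=|=)([^()]*)\)$")

# Constructed directory entries (attribute names lower-cased for matching).
NOW = "20230901000000Z"          # evaluation time as GeneralizedTime, made up
ENTRIES = [
    {"uid": ["alice"], "objectclass": ["posixAccount"], "krbpasswordexpiration": ["20230831000000Z"]},
    {"uid": ["bob"],   "objectclass": ["posixAccount"], "krbpasswordexpiration": ["20231130120000Z"]},
    {"uid": ["carol"], "objectclass": ["posixAccount"]},   # attribute not set or not returned
]


def parse_filter(text):
    """Parse '(&(a=b)(c<=d))' or a single item into a nested tuple."""
    text = text.strip()
    if text.startswith("(&") and text.endswith(")"):
        inner, parts, depth, start = text[2:-1], [], 0, 0
        for i, ch in enumerate(inner):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(inner[start:i + 1])
        if depth != 0 or not parts:
            raise ValueError(f"malformed filter: {text!r}")
        return ("&", [parse_filter(p) for p in parts])
    m = _ITEM.match(text)
    if not m:
        raise ValueError(f"malformed filter item: {text!r}")
    return (m.group(2), m.group(1).lower(), m.group(3))


def matches(node, entry):
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    op, attr, value = node
    vals = entry.get(attr, [])          # absent attribute: assertion is Undefined, no match
    if op == "=":                       # uid and objectClass match case-insensitively
        return any(v.lower() == value.lower() for v in vals)
    # Ordering match; fixed-width GeneralizedTime orders correctly as plain strings.
    return any(v <= value if op == "<=" else v >= value for v in vals)


def search(filter_text, entries=ENTRIES):
    """Return the uids of entries matching the filter (the backend needs exactly one)."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


def filter_is_well_formed(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False


def lookup_expired_only(uid):   # the <= variant from the thread, with the date filled in
    return f"(&(objectclass=posixaccount)(krbPasswordExpiration<={NOW})(uid={uid}))"


def lookup_still_valid(uid):    # the inverse clause: admit only unexpired passwords
    return f"(&(objectclass=posixaccount)(krbPasswordExpiration>={NOW})(uid={uid}))"


if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        print(uid, "expired-only:", search(lookup_expired_only(uid)),
              "still-valid:", search(lookup_still_valid(uid)))
    print(filter_is_well_formed(
        "(&(objectclass=posixaccount)(krbPasswordExpiration<=$(date +%Y%m%d)000000Z)(uid=%s))"))
```

Note that carol, whose entry carries no krbPasswordExpiration (whether unset or simply not visible to the bind used), matches neither ordering clause: an ordering assertion on an absent attribute is Undefined, so any filter that requires the attribute silently drops such users too.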


Marc Huber

Aug 31, 2023, 11:57:33 AM
to event-driv...@googlegroups.com

Hi Sergio,

there's no need to set the filter at all. The backend script already handles this.

Cheers,

Marc

On 31.08.2023 17:51, Sergio Gomez Ramirez wrote:
setenv LDAP_FILTER = "(&(objectclass=posixaccount)(krbPasswordExpiration=%s)(uid=%s))"

Sergio Gomez Ramirez

Aug 31, 2023, 12:11:56 PM
to Event-Driven Servers
Hi,

I think the problem comes from the LDAP query. I think my LDAP doesn't show the attribute krbPasswordExpiration by default, because when I do an ldapsearch -x "(&(objectclass=posixaccount)(krbPasswordExpiration<=$(date +%Y%m%d)000000Z)(uid=*))", it doesn't show anything, and that is why the log shows it not finding the user.

But if I use ldapsearch -u "(&(objectclass=posixaccount)(krbPasswordExpiration<=$(date +%Y%m%d)000000Z)(uid=*))", it shows me all attributes.

Without a filter I can access with an expired password.

Cheers,
Sergio

Marc Huber

Aug 31, 2023, 12:17:36 PM
to event-driv...@googlegroups.com

Hi,

as I've said before: There's no need to set the LDAP filter at all, so just don't do it. Your ldapsearch is irrelevant, that's not how the backend script works.

Cheers,

Marc


Sergio Gomez Ramirez

Sep 1, 2023, 4:04:49 AM
to Event-Driven Servers
Hi Marc,

I was capturing traffic and I can see that TACACS didn't send the attributes:

Lightweight Directory Access Protocol
    LDAPMessage searchRequest(99) "cn=accounts,dc=example,dc=com" wholeSubtree
        messageID: 99
        protocolOp: searchRequest (3)
            searchRequest
                baseObject: cn=accounts,dc=example,dc=com
                scope: wholeSubtree (2)
                derefAliases: derefFindingBaseObj (2)
                sizeLimit: 0
                timeLimit: 0
                typesOnly: False
                Filter: (&(objectclass=posixAccount)(uid=userid))
                    filter: and (0)
                        and: (&(objectclass=posixAccount)(uid=userid))
                            and: 2 items
                                Filter: (objectclass=posixAccount)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: objectclass
                                            assertionValue: posixAccount
                                Filter: (uid=userid)
                                    and item: equalityMatch (3)
                                        equalityMatch
                                            attributeDesc: uid
                                            assertionValue: userid
                attributes: 8 items
                    AttributeDescription: shadowExpire
                    AttributeDescription: memberOf
                    AttributeDescription: dn
                    AttributeDescription: uidNumber
                    AttributeDescription: gidNumber
                    AttributeDescription: loginShell
                    AttributeDescription: homeDirectory
                    AttributeDescription: sshPublicKey

        [Response In: 120]

I needed to re-install from git; I don't know why the installation didn't work the first time, so before re-installing I removed all the mavis scripts to ensure a clean installation. Now TACACS is working fine, thank you for that.

sep 01 09:50:49 tacacs1.satm.maqtor tac_plus-ng[852423]: 10.0.193.134 shell login for 'userid' from 192.168.70.84 on ssh19 succeeded [Password has expired.] (profile=admin)

I think what you committed changes the password on the endpoints directly, right?

Thanks for everything
Sergio

Marc Huber

Sep 1, 2023, 9:58:00 AM
to event-driv...@googlegroups.com

Hi Sergio,

yes, if a user logs in with an expired password the password change dialog is enforced:

# telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.

User Access Verification

Username: demo
Password:

Password has expired.
New password:

Retype new password:
Password change was successful.


router#

Tested against FreeIPA.

This obviously only works with ASCII login, as the other login variants are single-step. E.g. PAP logins would just be denied, with a "Password has expired" message.

Cheers,

Marc

Sergio Gomez Ramirez

Sep 4, 2023, 1:27:03 PM
to Event-Driven Servers
Thanks Marc 

Regards
