ldap to use UPN (userPrincipalName) instead of samAccountName

[Rune Tipsmark]

Following the guide on page 21 in the admin guide I tried to change objects.xml so  it would accept UPN.

the page states the following:

'The LDAP attribute corresponding to the login name (i.e. RADIUS user name used for VPN logins) 

depends on the WebADM configurations. It can be the object name (CN) as well as the UID

attribute, sAMAccountName, userPrincipalName, the mobile number, or anything else. WebADM 

just needs to know what attributes can be used for the logins. This is adjustable in the objects 

specification file (conf/objects.xml). By default, the user name is the UID LDAP attribute.'

I am still unable to log in using my us...@companyA.com and the logs show that only the characters before @ are accepted. 

in my case I samAccountName is different from the  first part of the UPN, so for example us...@companyA.com has a samAccountName of "CompanyA-User". Therefore  the Radius part of OTP only works if I type in "CompanyA-User"  and not  "us...@companyA.com" since it only reads text before @.

how to fix?

br,

Rune

[Administrators]

What version of WebADM and OpenOTP do you use?

[Rune Tipsmark]

The latest I just downloaded the .OVF deployment file yesterday.

br,

Rune

[Administrators]

Could you try this:

in webadm.conf, add "userPrincipalName":

uid_attrs  "uid", "samAccountName", "userPrincipalName"


in objects.xml, add this block after samaccountname

<!-- Active Directory Attributes -->
<Attribute name="samaccountname"
           desc="Login Name"
           handler="uid.php"
           unique="yes"
           searchable="yes"
           overrides="uid" />

<Attribute name="userprincipalname"
           desc="User Principal Name"
           handler="uid.php"
           unique="yes"
           searchable="yes" />


regards,

[Rune Tipsmark]

I tried that now, still no luck.

Log comes back like this:

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] New openotpSimpleLogin SOAP request

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] > Username: xx

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] > Password: xxxxxx

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] > Client ID: otp

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] Registered openotpSimpleLogin request

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] Checking OpenOTP built-in license

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] License Ok (1/40 activated users)

[2014-11-17 18:19:47] [127.0.0.1] [OpenOTP_42BF7170] User invalid or not found

[2014-11-17 18:19:49] [127.0.0.1] [OpenOTP_42BF7170] Sent failure response

webadm.conf looks like this:

# LDAP attributes

certificate_attrs       "userCertificate"

password_attrs          "userPassword", "unicodePwd", "sambaNTPassword"

uid_attrs               "uid", "samAccountName", "userPrincipalName"

member_attrs            "member", "uniqueMember"

memberof_attrs          "memberOf", "groupMembership"

objects.xml looks like this:

<!-- Active Directory Attributes -->

<Attribute name="samaccountname"

           desc="Login Name"

           handler="uid.php"

           unique="yes"

           searchable="yes"

           overrides="uid" />

<Attribute name="userprincipalname"

           desc="User Principal Name"

           handler="uid.php"

           unique="yes"

           searchable="yes" />

and I did

/opt/webadm/bin/webadm restart

/opt/radiusd/bin/radiusd restart

what did I miss?

br,

Rune

--
You received this message because you are subscribed to a topic in the Google Groups "RCDevs Security Solutions - Technical" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rcdevs-technical/DkJ9cWP4XL0/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.
Visit this group at http://groups.google.com/group/rcdevs-technical.
For more options, visit https://groups.google.com/d/optout.

[Administrators]

Now it's a problem with the config of your radius bridge,
do not use @ has domain separator,
and passwordmode = 0,

regards,

To unsubscribe from this group and all its topics, send an email to rcdevs-technical+unsubscribe@googlegroups.com.
To post to this group, send email to rcdevs-technical@googlegroups.com.

[Rune Tipsmark]

I am not sure where to change that in the radius bridge... which config file?

br,

Rune

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Administrators]

could you paste your config: /opt/radiusd/conf/openotp.conf
will check,

regards,

[Rune Tipsmark]

-bash-4.1# cat /opt/radiusd/conf/openotp.conf

#

# OpenOTP configurations

#

# Server URL(s):

# OpenOTP SOAP service URL(s). This is the only mandatory setting.

# Two server URLs can be configured and separated by a comma.

# When two servers are configured, you may choose a request routing policy below.

server_url = "http://127.0.0.1:8080/openotp/"

# Request routing policy:

# Request routing policy when two server URLs are defined.

# Ordered: First server is preferred (default). When down, second server is used.

# Balanced: Server is chosen randomly. When down, the other is used.

# Consistent: One specific user ID is always routed to the same server (per user routing).

#server_policy = "Ordered"

# Password mode:

# 0: Let OpenOTP automatically handle passwords (default).

# 1: RADIUS Access Request transports LDAP password and Access Challenge transports OTP password.

# 2: RADIUS Access Request transports OTP password (no challenge).

# 3: RADIUS Access Request transports both LDAP and OTP passwords concatenated.

#    The RADIUS password contains the LDAP password followed by the OTP password.

#    Requires either password_separator or otp_length setting below.

# 4: RADIUS Access Request transports both OTP and LDAP passwords concatenated.

#    The RADIUS password contains the OTP password followed by the LDAP password.

#    Requires either password_separator or otp_length setting below.

# 5: RADIUS Access Request transports both user ID and OTP password concatenated.

#    The RADIUS username contains the user ID followed by the OTP password.

#    Requires either password_separator or otp_length setting below.

#password_mode = 0

# Password mode attribute:

# This is the RADIUS attribute in which the RADIUS client can pass a password mode and override the

# password_mode setting above. It must be a String attribute contain the value "1", "2", "3" or "4".

# By default no attribute is used.

#mode_attribute = "Called-Station-Id"

# OTP length:

# With password_mode 3 and 4, radiusd need to know the length of the OTP passwords when no

# password_separator is set in order to locate the OTP and LDAP parts in the concatenated

# password value. The otp_length and password_separator settings cannot be used at the same time.

#otp_length = 6

# Password separator:

# With password_mode 3 and 4, radiusd requires a separator character when no otp_length is set

# in order to locate the OTP and LDAP parts in the concatenated password value.

#password_separator = "+"

# Challenge suffix:

# Suffix to be added to the challenge message.

#challenge_suffix = ": "

# Default domain:

# This domain name can be used to override the default domain on the OpenOTP configuration.

#default_domain = "mydomain"

# Domain separator:

# This is the separator character to be used when the domain is provided in the username.

# For example if '\' is used then username with domain can be in the form domain\username.

# By default there is no domain sperator.

domain_separator = "\\"

# User settings:

# list of OpenOTP public settings to be passed to OpenOTP.

#user_settings = "LoginMode=LDAPOTP,OTPType=SMS"

# Settings attribute

# This is the RADIUS attribute in which the RADIUS client can pass user settings to OpenOTP.

# If the attribute is present in the RADIUS request, it will override any existing user setting

# from the user_settings setting above. Attribute must be of type String.

# By default no attribute is used.

#settings_attribute = "Filter-Id"

# Source attribute

# This is the RADIUS attribute in which the RADIUS client can pass the end user source IP address to

# OpenOTP. Attribute must be of type IPAddr.

# By default source attribute is "Login-IP-Host".

#source_attribute = "Login-IP-Host"

# Client certificate and trusted CA

#cert_file = "conf/radiusd.pem"

#cert_password = ""

#ca_file = "conf/ca.pem"

# SOAP timeout:

# This is the SOAP request TCP timeout. It should be lower than the RADIUS timeout on your RADIUS client.

#soap_timeout = 10

# Data attribute:

# This is the RADIUS attribute in which Radius Bridge will copy the content of the OpenOTP Reply Data

# attribute value. RB will also return the data value in the RADIUS response to your NAS client.

# The default data attribute is "Filter-Id".

# Note: This setting is ignored if data_is_vps is set to 'yes'.

#data_attribute = "Filter-Id"

# Data separator

# This is the separator character to be used when the multiple data are provided in the data attribute.

# Radius Bridge will create one data attributes per Reply Data in the RADIUS response.

# If no separator is specified, the Reply Data is copied to one unique data_attribute.

# Note: This setting is ignored if data_is_vps is set to 'yes'.

#data_separator = ","

# Data is value-pairs

# If set to 'yes', then the reply data is expected to contain RADIUS attribute and value pairs.

# In that case, the attributes defined in the reply data are created with their values.

#data_is_vps = no

# RADIUS reply attributes (with static value)

# This is a list of attribute and value pairs to be sent back to the RADIUS clients in Access-Accept

# packets. The syntax is the standard RADIUS value pairs (ie. attr1=value1,attr2=value2,...).

# Note: The attributes must be present in the local dictionaries (in lib/dictionaries/).

#reply_vps = "Juniper-Allow-Commands=\"XXX\",Juniper-Deny-Commands=\"YYY\""

# No success/failure message

# If set to 'yes', then no RADIUS Reply-Message attribute is sent in the Access-Success and/or

# Access-Failure response. This is useful for some broken RADIUS clients which refuse the reply

# message attributes in the Access-Request responses.

#no_success_message = no

#no_failure_message = no

# No response delay

# You can configure RB to delay its Access-Reject responses when the OpenOTP server does not respond.

# Setting a delay allows RADIUS clients to enforce a failover policy if they do not receive a RADIUS

# response within a configured timeout. Without the no_response_delay (RB default) the client gets a

# RADIUS failure response and does also not failover to a secondary server.

#no_response_delay = 15

# MS DirectAccess Probe

# Enable this setting only if you are using Microsoft VPN with DirectAccess server.

# DirectAccess check the RADIUS status via RADIUS probes which are sent to OpenOTP in Status requests.

#directaccess_probe = no

#daprobe_username = "DAProbeUser"

#daprobe_password = "DAProbePass"

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Administrators]

OK,
so no problem with this conf, it's the default one,
what's strange in your logs it's the length of your Username, 2 characters, is it the normal size?
If no somethings split the input, you could enable radiusbridge debug mode to see exactly what happens,
to enable debug mode: /opt/radiusd/bin/radiusd debug

regards,

[Rune Tipsmark]

in this case the upn is x...@yyyyyy.com but the samaccountname is yyyyyy-xx.

hence we need to use upn because it matches the users primary email address.

br,

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Rune Tipsmark]

here is with debug

Ready to process requests.

[rad_recv: Access-Request packet from host x.x.x.10 port 50429, id=0, length=65

        Message-Authenticator = 0xd4ec3e6596c46cc5e6e0c333a1215312

        User-Name = "xx"

        User-Password = "728745"

        NAS-Identifier = "otp"

# Executing section authorize from file /opt/radiusd/conf/radiusd.conf

+group authorize {

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] = noop

++[openotp] = ok

+} # group authorize = ok

Found Auth-Type = openotp

# Executing group from file /opt/radiusd/conf/radiusd.conf

+group authenticate {

rlm_openotp: Found client attribute "NAS-Identifier" with value "otp"

rlm_openotp: Sending openotpSimpleLogin request

rlm_openotp: OpenOTP Authentication failed

rlm_openotp: Reply message: Invalid username or password

rlm_openotp: Sending Access-Reject

++[openotp] = reject

+} # group authenticate = reject

Failed to authenticate the user.

Login incorrect: [xx] (from client any port 0)

Sending Access-Reject of id 0 to x.x.x.10 port 50429

        Reply-Message = "Invalid username or password"

Finished request 1.

Going to the next request

Waking up in 9.9 seconds.

rad_recv: Access-Request packet from host x.x.x.10 port 50429, id=0, length=65

Sending duplicate reply to client any port 50429 - ID: 0

Sending Access-Reject of id 0 to x.x.x.10 port 50429

Waking up in 9.9 seconds.

Cleaning up request 1 ID 0 with timestamp +167

On Mon, Nov 17, 2014 at 10:01 AM, Administrators <julien....@rcdevs.com> wrote:

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Administrators]

Ok as you can see in the log, the username passed by the RADIUS Client is xx (2 chars).

What's the RADIUS client (VPN) in use ?  

[Rune Tipsmark]

Citrix Web Interface with UPN logon

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Administrators]

Ok but the problem is that here there is no way to work with that information.

Either the Citrix sends the full UPN value (ie. x...@yyyyyyy.com) or if it splits the UPN into a user Id (xx) and a domain (yyyyyyy.com), then it must sends both information in two RADIUS attributes to the RADIUS server.

Check in your CitrixWeb Interface configurations if there is a way to configure the RADIUS attr where to send the domain information taken from the UPN.

If there is such a configuration exists, then we could easily add a RADIUS Bridge configuration to deal with it and recompose the UPN to send to OpenOTP.

[Rune Tipsmark]

found this one 

https://kb.swivelsecure.com/wiki/index.php/Citrix_Web_Interface_5.4_Integration#Known_Issues_and_Limitations

it worked so it  sends upn now.. but see the log:

rad_recv: Access-Request packet from host x.x.x.10 port 64323, id=0, length=76

        Message-Authenticator = 0xa95c0a4123293ea9a11770ae6ab270ca

        User-Name = "x...@yyyyyy.net"

        User-Password = "157130"

        NAS-Identifier = "otp"

# Executing section authorize from file /opt/radiusd/conf/radiusd.conf

+group authorize {

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] = noop

++[openotp] = ok

+} # group authorize = ok

Found Auth-Type = openotp

# Executing group from file /opt/radiusd/conf/radiusd.conf

+group authenticate {

rlm_openotp: Found client attribute "NAS-Identifier" with value "otp"

rlm_openotp: Sending openotpSimpleLogin request

rlm_openotp: OpenOTP Authentication failed

rlm_openotp: Reply message: Account missing required data

rlm_openotp: Sending Access-Reject

++[openotp] = reject

+} # group authenticate = reject

Failed to authenticate the user.

Login incorrect: [x...@yyyyyy.net] (from client any port 0)

Sending Access-Reject of id 0 to x.x.x.10 port 64323

        Reply-Message = "Account missing required data"

Finished request 2.

Going to the next request

Waking up in 9.9 seconds.

rad_recv: Access-Request packet from host x.x.x.10 port 64323, id=0, length=76

Sending duplicate reply to client any port 64323 - ID: 0

Sending Access-Reject of id 0 to x.x.x.10 port 64323

Waking up in 9.9 seconds.

Cleaning up request 2 ID 0 with timestamp +82848

To unsubscribe from this group and all its topics, send an email to rcdevs-technic...@googlegroups.com.
To post to this group, send email to rcdevs-t...@googlegroups.com.

[Rune Tipsmark]

nevermind it works now, must have been the 5 min caching...