Univention Bugzilla – Bug 25935
UCR/LDAP integration of /etc/freeradius/3.0/clients.conf
Last modified: 2022-01-14 15:21:38 CET
A possible improvement to the 802.1x integration would be to manage /etc/freeradius/clients.conf via UCR variables or in LDAP. Suggestions: UCR template; IP managed clients with an attribute for the secret.
This is still relevant for UCS in general. A customer has a use case that would benefit a lot from this at the moment. They want to have decentralized RADIUS servers at branch offices (they already have slaves there) in addition to their central RADIUS server. Maintaining the clients.conf in such a use case would be a lot easier with UCR policies. Of course it would also be nice to have with even just one RADIUS server.
*** This bug has been marked as a duplicate of bug 42792 ***
(In reply to Sönke Schwardt-Krummrich from comment #2) > *** This bug has been marked as a duplicate of bug 42792 *** → REVERT
Created attachment 9832 [details] Screenshot 1
As shown in the attached screenshot, a new option "RADIUS Authenticator" has been added for the following computer objects:
- computers/domaincontroller_backup
- computers/domaincontroller_master
- computers/domaincontroller_slave
- computers/ipmanagedclient
- computers/linux
- computers/macos
- computers/memberservers
- computers/ubuntu
- computers/windows
- computers/windows_domaincontroller

Activating this option enables 3 new properties on the "RADIUS" tab, which can be used to set the shared secret, the NAS type and the virtual server. In UDM, the arrangement of the extended attributes on the RADIUS tab has been slightly modified. Therefore a new syntax was introduced in syntax.py within the package univention-directory-manager-modules: RadiusClientType.

In addition, the existing RADIUS schema has been extended with an object class and 3 attributes. The schema is automatically registered/updated in LDAP.

A listener module reacts to changes and starts the script /usr/sbin/univention-radius-update-clients-conf, which reads the corresponding computer objects with the RADIUS authenticator option using the machine account and creates an entry for them in /etc/freeradius/3.0/clients.univention.conf. The file is overwritten and recreated. The file /etc/freeradius/3.0/radiusd.conf contains an INCLUDE statement for clients.univention.conf if the file exists at the time of "ucr commit".

The attribute univentionRadiusClientSharedSecret can only be read by computers of the group "DC Backup Hosts" or computers with the assigned service "RADIUS". This is ensured by 2 ACLs: one for DC master + DC backup and the second for the LDAP server of DC slaves. Write access to the attribute is reserved for cn=admin, Administrator and users of the Domain Admins group. DC slave systems only gain access to the LDAP attribute univentionRadiusClientSharedSecret after the "RADIUS" service has been added to the LDAP computer object.
Since the replication of any existing values has already been completed, the join script calls the command /usr/share/univention-directory-listener/resync_objects.py --update --filter 'objectClass=univentionRadiusClient'. resync_objects.py is part of the package univention-directory-listener and has been improved to add new attributes to existing objects (previously only new objects could be created; in case of a conflict the script aborted immediately).

In clients.univention.conf the IP address of the respective computer is stored in the corresponding entry. If several IP addresses are stored there, only the first IP address supplied by the LDAP server is used. If both IPv4 and IPv6 addresses are set on the computer object, the IPv4 address is preferred.

Two test scripts were created for ucs-test: the first checks for each computer object whether a corresponding entry is created, modified and removed in clients.univention.conf, and the second checks the LDAP ACLs.

7375f7ceb9 Bug #25935: Merge branch 'sschwardt/25935/4.4/radius_client_conf' into 4.4-0
009fc57a3c Bug #25935: add changelog entry for ucs-test
412256bbba Bug #25935: add new tests for univentionRadiusClient option and ACLs
f30d4888f1 Bug #25935: add changelog entry for univention-radius
8f073ef3bd Bug #25935: create empty clients.univention.conf if missing
b2d92dcbdf Bug #25935: fix broken unjoin script and add additional objects to remove
401c3547c5 Bug #25935: add listener module that calls univention-radius-update-clients-conf
16580a0ac8 Bug #25935: include new clients.univention.conf if present
e0182d037d Bug #25935: add script that creates/updates clients.univention.conf
0c40a16d27 Bug #25935: resync all RADIUS related objects due to change in LDAP ACLs
abbaf64a8f Bug #25935: register new LDAP ACLs
b0e8aa3158 Bug #25935: add new RADIUS extended attributes
ae6df3cf26 Bug #25935: extend LDAP schema: added univentionRadiusClient class
35d59d1390 Bug #25935: fix installation path of clients.conf.example
5e7fc8cf62 Bug #25935: add changelog entry
d0b56d426b Bug #25935: resync_objects.py: allow update of existing objects
85e78240a1 Bug #25935: add changelog entry
11078abdb9 Bug #25935: add new syntax for RADIUS client type

Package: univention-directory-listener
Version: 13.0.2-1A~4.4.0.201902151428
Branch: ucs_4.4-0
Scope:

Package: univention-directory-manager-modules
Version: 14.0.0-6A~4.4.0.201902151428
Branch: ucs_4.4-0
Scope:

Package: univention-radius
Version: 6.0.2-1A~4.4.0.201902151428
Branch: ucs_4.4-0
Scope:

Package: ucs-test
Version: 9.0.0-32A~4.4.0.201902151430
Branch: ucs_4.4-0
Scope:
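The generation step described in the comment above (computer objects carrying the RADIUS authenticator option rendered into clients.univention.conf, one address per client, IPv4 preferred over IPv6), as an added example in Python. It is not the project's /usr/sbin/univention-radius-update-clients-conf; it assumes the UCS address attributes aRecord/aAAARecord, uses placeholder names for the NAS type and virtual server attributes (only univentionRadiusClientSharedSecret is named in the bug), and works on constructed sample entries instead of an LDAP connection. It also adds two checks the comment does not mention: values taken from LDAP are quoted and validated before they reach the radiusd parser, and the file is written with restrictive permissions because it holds shared secrets.

```python
"""Render FreeRADIUS client sections from LDAP-style computer objects.

Hypothetical re-implementation of the behaviour described in the bug
(example code, not univention-radius's own script).
"""
import ipaddress
import os
import re
from typing import Dict, Iterable, List, Optional

LdapEntry = Dict[str, List[str]]

# univentionRadiusClientSharedSecret is named in the bug; the other two
# attribute names are placeholders (assumption).
ATTR_SECRET = "univentionRadiusClientSharedSecret"
ATTR_NASTYPE = "univentionRadiusClientType"           # assumed name
ATTR_VSERVER = "univentionRadiusClientVirtualServer"  # assumed name

# Section names and fixed-choice values must stay within a safe charset.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_.-]+")


def pick_address(entry: LdapEntry) -> Optional[str]:
    """First parseable IPv4 (aRecord) address; IPv6 (aAAARecord) only if no
    IPv4 address is set. Further addresses of the object are ignored."""
    for attr in ("aRecord", "aAAARecord"):
        for raw in entry.get(attr, []):
            try:
                return str(ipaddress.ip_address(raw.strip()))
            except ValueError:
                continue  # skip garbage instead of aborting the whole run
    return None


def quote(value: str) -> str:
    """Double-quote a value for the radiusd config parser, escaping backslash
    and double quote. Control characters are refused so a secret stored in
    LDAP can never end the string and inject a further directive."""
    if re.search(r"[\x00-\x1f\x7f]", value):
        raise ValueError("control character in config value")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def client_block(entry: LdapEntry) -> Optional[str]:
    """Render one client {} section, or None if the object is unusable
    (unsafe name, no address, or empty secret)."""
    name = entry.get("cn", [""])[0]
    ip = pick_address(entry)
    secret = entry.get(ATTR_SECRET, [""])[0]
    if not SAFE_TOKEN.fullmatch(name) or ip is None or not secret:
        return None
    lines = [f"client {name} {{", f"\tipaddr = {ip}", f"\tsecret = {quote(secret)}"]
    nastype = entry.get(ATTR_NASTYPE, [""])[0]
    if nastype and SAFE_TOKEN.fullmatch(nastype):
        lines.append(f"\tnastype = {nastype}")
    vserver = entry.get(ATTR_VSERVER, [""])[0]
    if vserver and SAFE_TOKEN.fullmatch(vserver):
        lines.append(f"\tvirtual_server = {vserver}")
    lines.append("}")
    return "\n".join(lines)


def render_clients_conf(entries: Iterable[LdapEntry]) -> str:
    """Whole file content; the real file is overwritten on every update."""
    blocks = [b for b in (client_block(e) for e in entries) if b]
    header = "# Generated from LDAP univentionRadiusClient objects; do not edit.\n"
    return header + "\n\n".join(blocks) + "\n"


def write_clients_conf(path: str, content: str) -> None:
    """Atomic replace with mode 0640: the file contains shared secrets."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    os.fchmod(fd, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)


# Constructed sample objects standing in for an LDAP search result.
SAMPLE_ENTRIES: List[LdapEntry] = [
    {"cn": ["nas-hq"], "aRecord": ["10.200.0.5"], "aAAARecord": ["2001:db8::5"],
     ATTR_SECRET: ['pa"ss\\word'], ATTR_NASTYPE: ["cisco"], ATTR_VSERVER: ["default"]},
    {"cn": ["nas-branch"], "aAAARecord": ["2001:db8:1::10", "2001:db8:1::11"],
     ATTR_SECRET: ["branch-secret"]},
    {"cn": ["nas-noip"], ATTR_SECRET: ["unused"]},
    {"cn": ["bad name;"], "aRecord": ["10.0.0.9"], ATTR_SECRET: ["x"]},
]

if __name__ == "__main__":
    print(render_clients_conf(SAMPLE_ENTRIES), end="")
```

The object without any address and the one with an unsafe cn are dropped rather than written as half-formed sections; an object with only IPv6 addresses gets its first IPv6 address, matching the preference order stated in the comment.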
*** Bug 46561 has been marked as a duplicate of this bug. ***
As discussed:
- Change OID (https://hutten.knut.univention.de/mediawiki/index.php/Univention-OIDs)
- Use ldap_master=False for getMachineConnection

Notes for me:
- ldap/server/name on members is set to the master
- ldap/server/addition is not set automatically
(In reply to Jürn Brodersen from comment #7)
> As discussed:
> Change OID
> (https://hutten.knut.univention.de/mediawiki/index.php/Univention-OIDs)
→ Changed OID prefix to 1.3.6.1.4.1.10176.4205.100 and updated wiki page.

> Use ldap_master=False for getMachineConnection
→ fixed

1f1f096b65 Bug #25935: add changelog entry
30d2796798 Bug #25935: fix OID collision
5637c72f1d Bug #25935: use machine connection against localhost resp. ldap/server/name

Package: univention-radius
Version: 6.0.2-3A~4.4.0.201902191559
Branch: ucs_4.4-0
Scope:
t10n for RadiusClientType.choices are missing in management/univention-directory-manager-modules/modules/univention/admin/de.po.
(In reply to Daniel Tröder from comment #9)
> t10n for RadiusClientType.choices are missing in
> management/univention-directory-manager-modules/modules/univention/admin/de.po.
These are static names of freeradius options. Currently I do not see any benefit in translating them (for most of them this is not possible, e.g. "cisco"). Instead I think it would lead to confusion if the freeradius manual says the value "other" has to be set but UMC only offers "andere". That's why I intentionally did not translate the options (even if the code supports it).
Two small fixes:
[4.4-0 7eff8cefee] Bug #25935: remove build artefact
[4.4-0 73f67ed303] Bug #25935: fix typo

And an integration test:
[4.4-0 52e6a87449] Bug #25935: test eap with an authenticator created through udm

What I tested:
- Update from 4.3 to 4.4 -> OK
- "ucs-test -s radius" on master, backup, slave, member -> OK
- clients.conf still works -> OK
- Added an authenticator through udm -> OK
- Authenticator is written into clients.univention.conf on master, backup, slave, member -> OK
- eapol_test from my notebook works against master, backup, slave, member -> OK
- Remove univention-radius from member and reinstall -> clients.univention.conf is rewritten -> OK
- Remove univention-radius from slave and reinstall -> clients.univention.conf is rewritten -> OK (see 73f67ed303)

-> verified
UCS 4.4 has been released: https://docs.software-univention.de/release-notes-4.4-0-en.html https://docs.software-univention.de/release-notes-4.4-0-de.html If this error occurs again, please use "Clone This Bug".