How can I configure FreeRADIUS to query multiple base DNs? - ldap

We are looking to migrate our RADIUS authentication over to a client's Google Workspace. We currently have an instance of FreeRADIUS running and functioning properly, with users able to connect using their Google credentials.
However, we've run into a bit of a snag as users' primary names within the Google Workspace can have four possible domains - this is the result of a merger that occurred some time ago. So for example, a given user's primary email address might be any of the following:
user@example1.com
user@example2.com
user@example3.com
user@example4.com
Everybody has an alias at example1.com as part of a larger rebranding, but primary usernames have yet to transition for compatibility reasons.
I'm wondering if there is a way to have FreeRADIUS query multiple base DNs if the first DN turns up no results. Something like this:
Query DC=example1,DC=com.
If not found, query DC=example2,DC=com.
etc
etc
I've already tried having it query DC=com, that failed rather predictably.
The actual domain of the user is unimportant as everyone is getting more or less the same access - this is just a matter of finding the user in the correct tree.

You could leave FreeRADIUS set up with the Google Workspace Primary Domain:
base_dn = 'dc=example,dc=com'
Then add a matching Primary Domain alias for users in the Secondary Domain.
| Username | Alias | RADIUS Accepts |
|---|---|---|
| user1@example.com | N/A | user1, user1@example.com |
| user2@contoso.com | user2@example.com | user2, user2@example.com |
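
The fallback described in the question, as an added example that is not part of the original post and is not FreeRADIUS configuration: it models ordered lookup across the four trees and shows why a login name present in more than one tree should be rejected rather than resolved to the first match. The `search` hook, the `ou=Users` layout and the directory contents are constructed assumptions.

```python
# Added example; directory contents below are constructed for illustration.
BASE_DNS = ["dc=example1,dc=com", "dc=example2,dc=com",
            "dc=example3,dc=com", "dc=example4,dc=com"]

# Constructed stand-in for the LDAP server: base DN -> {uid: entry DN}.
DIRECTORY = {
    "dc=example1,dc=com": {"alice": "uid=alice,ou=Users,dc=example1,dc=com"},
    "dc=example2,dc=com": {"bob": "uid=bob,ou=Users,dc=example2,dc=com",
                           "carol": "uid=carol,ou=Users,dc=example2,dc=com"},
    "dc=example3,dc=com": {"carol": "uid=carol,ou=Users,dc=example3,dc=com"},
    "dc=example4,dc=com": {},
}


class AmbiguousUser(Exception):
    """Raised when one login name matches entries in more than one tree."""


def search(base_dn, uid):
    """Hypothetical search hook; a real deployment would query LDAP here."""
    return DIRECTORY.get(base_dn, {}).get(uid)


def local_part(login):
    """Reduce 'user@example2.com' or 'user' to the bare, lower-cased uid."""
    return login.split("@", 1)[0].strip().lower()


def find_first(login, base_dns=BASE_DNS):
    """Fallback as asked for in the question: stop at the first tree that matches."""
    uid = local_part(login)
    for base in base_dns:
        dn = search(base, uid)
        if dn:
            return dn
    return None


def find_unique(login, base_dns=BASE_DNS):
    """Stricter variant: search every tree and refuse a name found in several."""
    uid = local_part(login)
    hits = [dn for dn in (search(b, uid) for b in base_dns) if dn]
    if len(hits) > 1:
        raise AmbiguousUser(f"{uid} matches {len(hits)} entries: {hits}")
    return hits[0] if hits else None
```

With first-match fallback, `carol` always resolves to the example2 entry even when the example3 user is the one logging in, so the credentials are checked against the wrong account; `find_unique` surfaces that collision instead.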

Related

Numbers instead of name for login email for security?

Our Active Directory logins are currently e.g. john.smith@mycompany.com (i.e. the same as our email addresses). A friend said they used a number for login (e.g. 38292@mycompany.com) for security reasons. The login being internal and not public facing.
Wondering what others think/do and what is considered best practice. Thank you.
• Yes, as your friend said, it is good practice to keep your internal login IDs different from your email addresses, for several reasons. One of them is that if you have several people with the same name or a similar spelling, it can be very hectic and wearying to trace a user's activity across a large span of the internal environment. So it's best to keep the internal application login different from the email address, as it helps your internal security team to continuously monitor and prevent threats like spamming a particular mailbox, sending phishing mails, etc. Also, it keeps your organization's internal infrastructure at bay from attackers, as brute force attacks through email IDs are not at all possible since employee ID numbers aren't public.
• You can do so by configuring the email address attribute for your users: set the one containing the employee number as their primary email address, and the other one, i.e. the email address (firstname.lastname), as your employees' alias email address or proxy address.
• Once that is set, you need to enable users to sign in with an email address as an alternate login ID. This feature tells the Azure AD login servers to not only check the sign-in identifier against UPN values, but also against ProxyAddresses values for the email address. This can be done through the 'homerealmdiscoverypolicy' resource, as given in detail in the link below for your reference:
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-use-email-signin#enable-user-sign-in-with-an-email-address

Difference between `GoogleUser.getId()` (oauth) vs `app.getUser().userId` (actions-on-google)

The id I get from app.getUser() from the actions-on-google-nodejs app looks entirely different from the id I get from Oauth.
app.getUser() in Google Assistant
{ userId: 'KMdEs***szG-ZRQl***cU',
user_id: 'KMdEs***szG-ZRQl***cU',
userName:
{
[...]
The same id is returned with and without the app.SupportedPermissions.NAME permission.
googleUser.getBasicProfile().getId() in Google OAuth
11348***63489
Is there any way to match these users up? It's the same Google Project in the developer console, so I assume that even if Google would generate unique IDs per project it should be the same, however in this case it looks like I am getting entirely different types of IDs.
They are different types of IDs.
The ID returned from app.getUser() is meant as an anonymous project-unique identifier that can be used in some of the same ways a web cookie is used. It can not be identified against a specific account - but it will be consistent across all sessions (unless reset by the user). The profile information you can get with it (their name) is also considered non-identifying. Both are intended to be used to make a more friendly interface, rather than as a firm identifier. Users are able to reset their Google Home devices, for example, and this may reset this to a different ID.
The ID returned through OAuth, however, is meant to link them to a Google Account, with all the implications that brings, including associating them with a specific identity. This Account Linking is done separately, and does not directly give you the ID - instead it gives you an OAuth Access Token (which you can get through app.getUser().accessToken) which you can use to get their Google ID and other information that you may be scoped to get.
In theory, if you have Account Linking enabled, you could match the two up. In practicality, if you have Account Linking enabled, you wouldn't care about app.getUser().userId since you have the Access Token which will get you their Google ID. If you do not have Account Linking enabled - there is no way to match up the two and you should treat the userId as an anonymous (but consistent) user.

Share password in several LastPass entries

Some of my login credentials are actually linked (via LDAP I guess) to a Windows Active Directory account. That means, the entries in my LastPass account for those refer to the same password which, according to AD policies, must be updated regularly. I have three problems with this:
1. How to find the passwords which must be updated whenever I perform an AD password update? I have solved this by placing all entries linked to the AD account into an "AD" group in LastPass, and manually updating those entries whenever the AD credentials change.
2. DRY? (Don't Repeat Yourself). How can I have a single entry referring to the AD credentials, and link the rest of the entries to this entry?
3. LastPass "Security Challenge" becomes useless, since I get lots of non-relevant "Change Reused Passwords" warnings.
Can you suggest a good approach to solve all these problems?
I've had a similar problem with multiple active directory logins stored. Here's how I've solved it, though I can't claim it's the best way. It just works for me.
At my company we have multiple domains (parent company and child companies). So let's use foobarenterprises.com, foo.com, and bar.com.
The first thing I did was set up Equivalent Domains (Account Settings > Equivalent Domains tab). This is just a single entry that is a comma-separated list of those domains. So with that set up, it will now recognize that all three domains can use passwords with each other (a saved login for foo.com would work as well for bar.com or foobarenterprises.com).
The second thing I did was to remove ALL entries with that user account. I then created a single entry that I named "AD Account" (or whatever you prefer). I set the URL to foo.com (which saves as http://foo.com) and set my username and password.
Now when I browse to any site in those domains, I can use my single saved entry to log in. Though my autocompletion doesn't seem to work well... not sure if this is LastPass or the sites I'm trying to log into though.
I hope others will post how they do this because I'm curious to know if there are better ways. But hopefully this will help some. Good luck!

Using openLDAP groups to authenticate users for different services

I am currently setting up a small server with several applications. Since no Active Directory etc. is planned, but I do need a centralized user administration, I decided on LDAP since all applications are capable of authenticating against it.
I have already set up a domain "dc=example,dc=lan". It has two organizational units: Groups and Users. My plan was to create a posixGroup for every application, so that a user can be added to each group (if he/she was allowed to use this application).
The structure would then be (example):
for each group
cn=ejabberd,ou=groups,dc=example,dc=lan
where cn=ejabberd is of type "posixGroup"
and for users
cn=user1,ou=users,dc=example,dc=lan
where cn=user1 is of type "posixAccount"
Some, but not all, applications expect the "mail" attribute as login name. Some don't.
My problem is that searching for users in ou=users is easy as 1,2,3 - searching in "cn=ejabberd,ou=groups,dc=example,dc=lan" is sheer driving me crazy, since the users are not a "child" of this group but a "memberuid" attribute.
I have tried different filters and thought about another setup.. Just cannot think of anything different making sense right now.
Am I running down the wrong way, or maybe just blind to what's right in front of me?
I'd be glad for any finger pointing out a direction.
So here is how I did it:
I created the following structure.
+dc=example,dc=com
  +ou=groups
  |  +employees (PosixGroup)
  |  +service1 (GroupOfNames)
  |  +service2 (GroupOfNames)
  +ou=users
  |  +user1 (User Account)
  |  +user2 (User Account)
etc..
Groups like "service1" and "service2" are of type "GroupOfNames". Furthermore I had to install the "memberOf"-Overlay so I could search for this exact attribute of a user.
This now gives me the possibility to tell each service to use a search filter that returns only the members of one special group, which will be granted access. For instance, ejabberd will use this filter:
"(&(objectClass=inetOrgPerson)(memberof=cn=ejabberd,ou=groups,dc=example,dc=com))"
Found this information on the following website. Just take care to set the filter case sensitive! "memberOf" will not return any results, since the overlay in this example uses "memberof".
http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/
I suggest you're on the wrong track. You don't want to authenticate by application, you just want to define overall roles that users can be in. The applications can then be defined to require certain role(s) per application function, web page, etc. As a limiting case, an application can be a role, but if you set out to define it that way you're overly limiting yourself.
To answer your immediate problem, you only have to search under the ou=Groups item for posixGroups which have memberUID={0} where {0} is the DN of the user. In other words the search filter is
(&(objectClass=posixGroup)(memberUID={0}))
Iterating those search results then gives you the DNs of all the groups of which he is a member.
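
The two group models discussed in this thread, as an added example that is not code from either answer: it builds both search filters with RFC 4515 escaping of the inserted value and reproduces, over a constructed in-memory directory, the reverse user-to-group mapping that the memberOf overlay maintains. The entries, function names and the simplified DN comparison are assumptions made for the illustration.

```python
# Added example; entries are constructed, modelled on the layout in the answer.
GROUPS = {  # groupOfNames: 'member' holds full DNs
    "cn=ejabberd,ou=groups,dc=example,dc=com": [
        "cn=user1,ou=users,dc=example,dc=com"],
    "cn=service2,ou=groups,dc=example,dc=com": [
        "cn=user1,ou=users,dc=example,dc=com",
        "cn=user2,ou=users,dc=example,dc=com"],
}
POSIX_GROUPS = {  # posixGroup (RFC 2307): 'memberUid' holds login names
    "cn=employees,ou=groups,dc=example,dc=com": ["user1", "user2"],
}

_ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter(value):
    """Escape a value placed inside a search filter (RFC 4515)."""
    return "".join(_ESC.get(c, c) for c in value)


def norm_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces after commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def build_memberof(groups):
    """What the memberOf overlay maintains: user DN -> set of group DNs."""
    reverse = {}
    for group_dn, members in groups.items():
        for user_dn in members:
            reverse.setdefault(norm_dn(user_dn), set()).add(norm_dn(group_dn))
    return reverse


def service_filter(group_dn):
    """Per-service filter from the first answer, with the group DN escaped."""
    return "(&(objectClass=inetOrgPerson)(memberof=%s))" % escape_filter(group_dn)


def posix_filter(uid):
    """Group lookup filter from the second answer, with the value escaped."""
    return "(&(objectClass=posixGroup)(memberUid=%s))" % escape_filter(uid)


def may_use(user_dn, group_dn, groups=GROUPS):
    """Decision the per-service filter encodes: is the user in that group?"""
    return norm_dn(group_dn) in build_memberof(groups).get(norm_dn(user_dn), set())


def posix_groups_of(uid, groups=POSIX_GROUPS):
    """All posixGroup DNs that list this login name in memberUid."""
    return sorted(dn for dn, uids in groups.items() if uid in uids)
```

Escaping matters because the login name reaches the filter from the client; without it, characters such as `*`, `(` and `)` change the structure of the filter instead of being matched literally.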

How to authenticate users?

I have the following scenario.
At my company we use Oracle 11g. The authentication on the frontend is using database users. So, every user of the frontend has his own user account in the database system.
This implies that they have the ability to connect directly to the database, if they know the IP address, port, etc. Of course, this is not considered a security concern because of our strict management of roles and privileges. This also implies that when a new user is added our DBA has to create the user and assign the proper roles and privileges.
Until now, our frontend has been accessed only by our internal users. However, we are planning to add the capability for our external users to log in to our frontend.
Our estimate is about 750,000 external users with annual increments of 50,000. These users are supposed to access our system three or four times per year.
The question we have is how to grant access to these users.
1. By using our already implemented authentication system. Every user has his own database user account.
2. Generating an authentication system for external users only. Like most of the CMSs on the market, with tables as an ACL (Access Control List) for users, passwords and roles for our 750,000 external users.
My main concern is to have +750,000 database user accounts that will be unused most of the time and eventually could make a mess with our internal users.
Does anyone have similar experience with this number of users, and how did you deal with it?
Best regards.
Off the top of my head..
Make sure that whatever outward facing boxes are few in number.
For the boxes that can connect to the database - make them purely authentication or get/put for the data. Don't run the web server on the databases or on the same LAN segment.
If possible encrypt communications from the client to the database so that if any of your intermediate hops get rooted they'll only see junk.
Use a firewall to ensure that only the bare minimum can get through.
For validating authentication, don't let their 'real' password get off the web server. Keep it hashed, San Diego!