Releases: MobileID-Strong-Authentication/mid-radius-rig

Release v1.3.4

08 Dec 12:32
159904b

Change Log

  • CR-1010 Allow geofencing based on user's AD group memberOf
  • Upgrade to .NET 8.0 with long-term support (LTS) until Nov. 2026

New Configuration section
If you have no REDIS, add the following configuration to your env file:

CustomerConfigs__0__Ldap__Geofencing__Activate=true
CustomerConfigs__0__Ldap__Geofencing__GeofencingSearchBase=dc=mycompany,dc=ch
CustomerConfigs__0__Ldap__Geofencing__UserGeoGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))
CustomerConfigs__0__Ldap__Geofencing__CountriesSearchFilter=(objectClass=country)
CustomerConfigs__0__Ldap__Geofencing__MinimalDeviceConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__MinimalLocationConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__FailAuthIfGroupMissing=true
CustomerConfigs__0__Ldap__Geofencing__BlacklistGroupPrefix=blacklist-
CustomerConfigs__0__Ldap__Geofencing__WhitelistGroupPrefix=whitelist-

Otherwise, if you use a REDIS database, add the following JSON configuration inside the Ldap section:

  "Ldap": {
    ...
      "Geofencing":{
         "Activate":true,
         "GeofencingSearchBase":"dc=mycompany,dc=ch",
         "UserGeoGroupSearchFilter":"(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))",
         "CountriesSearchFilter":"(objectClass=country)",
         "MinimalDeviceConfidence":0.7,
         "MinimalLocationConfidence":0.7,
         "FailAuthIfGroupMissing":true,
         "BlacklistGroupPrefix":"blacklist-",
         "WhitelistGroupPrefix":"whitelist-"
      }
    ...
  }

How to set up an AD whitelist (guideline)
To add a new country entry to an LDAP server from the command line, create an LDIF (LDAP Data Interchange Format) file with the details of the entry and then pass it to the ldapadd command. Here is a step-by-step guide.

First, create an LDIF file with the content of the new country entry. The content of the file should look like this.
add_country.ldif:

dn: c=CH,ou=countries,dc=mycompany,dc=ch
objectClass: country
c: CH

Create the parent entry if necessary: if ou=countries does not exist yet, create it first with another LDIF file containing the following.
add_countries_ou.ldif:

dn: ou=countries,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: countries

You may also need to create the organizational unit ou=geo-groups that will hold the geo-groups. Again, write an LDIF file for it and add it with the ldapadd command:
create_geo_groups_ou.ldif:

dn: ou=geo-groups,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: geo-groups

Run the ldapadd command once per file to add the entries to your LDAP directory, parents first (ou=countries must exist before the c=CH entry beneath it). You need credentials that may write to the directory. The commands look like this; note that -w secret puts the bind password on the command line, where it is visible in the process list and shell history, while -W prompts for it instead, and that a simple bind over plain ldap:// sends the password unencrypted, so prefer ldaps:// or StartTLS (-ZZ) outside a lab:

ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_countries_ou.ldif
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_country.ldif
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f create_geo_groups_ou.ldif

To create a group entry that represents a whitelist of countries, with each member representing a country, you can follow these steps:
Create an LDIF file with the content for your group entry. Make sure the DN and the members listed in the file correspond to the actual entries in your LDAP directory.
add_whitelist_group.ldif:

dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch

Use the ldapadd command to add this group entry to your LDAP directory.

ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_whitelist_group.ldif

To add the user cn=alice,ou=users,dc=mycompany,dc=ch as a member of the group cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch, you need to modify the group entry in your LDAP directory. This involves creating an LDIF file that specifies the modification and then using the ldapmodify command to apply this change. Note: You may replace the "add:" with "delete:" to remove a user from the group.
modify_whitelist_group.ldif:

dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
changetype: modify
add: member
member: cn=alice,ou=users,dc=mycompany,dc=ch

Use the ldapmodify command to apply this modification to your LDAP directory.

ldapmodify -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f modify_whitelist_group.ldif

To check that the user cn=alice,ou=users,dc=mycompany,dc=ch is now a member of cn=whitelist-dach, query the group entry with the ldapsearch command; the user's DN should appear among the group's member values.

ldapsearch -LLL -H ldap://ldap.mycompany.ch:389 -b "cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch" -D "cn=admin,dc=mycompany,dc=ch" -w secret "objectClass=groupOfNames"

dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch
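The following added example (not code from the mid-radius-rig project) models offline how the geo-groups built above can be evaluated for a RADIUS login: it parses the group entries, resolves the user's groups the way the (member={userdn}) search does, and applies the whitelist-/blacklist- prefixes, the confidence thresholds and FailAuthIfGroupMissing. The evaluation order and the meaning of the confidence values are my assumptions read off the configuration keys, not documented behaviour; the blacklist group is a constructed sample.

```python
# Constructed sample (not project data): the whitelist-dach group from the guideline plus a hypothetical blacklist group.
SAMPLE_LDIF = """\
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch

dn: cn=blacklist-sanctioned,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: blacklist-sanctioned
member: c=KP,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch
"""
# Values copied from the Geofencing block of the release notes.
CONFIG = {"MinimalDeviceConfidence": 0.7, "MinimalLocationConfidence": 0.7, "FailAuthIfGroupMissing": True,
          "BlacklistGroupPrefix": "blacklist-", "WhitelistGroupPrefix": "whitelist-"}

def parse_ldif(text):  # minimal LDIF reader: one dict of lowercased attribute -> values per entry
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for attr, _, value in (line.partition(": ") for line in block.splitlines()):
            entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def geo_groups_for(entries, user_dn):  # offline stand-in for the (&(objectClass=groupOfNames)(member={userdn})) search
    return [e for e in entries if "groupofnames" in map(str.lower, e.get("objectclass", []))
            and user_dn.lower() in map(str.lower, e.get("member", []))]

def countries(groups, prefix):  # country codes (c=CH,ou=countries,...) of groups whose cn has prefix; user members skipped
    return {m.split(",")[0][2:].upper() for g in groups if g["cn"][0].startswith(prefix)
            for m in g["member"] if m.lower().startswith("c=")}

def decide(entries, user_dn, country, device_conf, location_conf, cfg=CONFIG):
    """Assumed evaluation order (not documented behaviour): confidence gate, group presence, blacklist, whitelist."""
    if device_conf < cfg["MinimalDeviceConfidence"] or location_conf < cfg["MinimalLocationConfidence"]:
        return False, "location evidence below the configured confidence"
    groups = geo_groups_for(entries, user_dn)
    if not groups:  # FailAuthIfGroupMissing decides what a user without any geo-group gets
        return not cfg["FailAuthIfGroupMissing"], "user is in no geo-group"
    black, white = countries(groups, cfg["BlacklistGroupPrefix"]), countries(groups, cfg["WhitelistGroupPrefix"])
    if country.upper() in black:
        return False, f"{country} is blacklisted"
    if white and country.upper() not in white:
        return False, f"{country} is not in the whitelist {sorted(white)}"
    return True, "geofence satisfied"
```

Running decide(parse_ldif(SAMPLE_LDIF), "cn=alice,ou=users,dc=mycompany,dc=ch", "CH", 0.9, 0.9) returns (True, "geofence satisfied"), while a user in no geo-group is rejected as long as FailAuthIfGroupMissing stays true.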

Checking and modifying the Microsoft Active Directory schema:
Be careful when modifying the schema: a change affects every system that uses the directory, and schema classes cannot simply be deleted again afterwards.

A. Ensure "country" and "groupOfNames" classes exist:

Verification:

  • Open the Run dialog (Windows + R) and type mmc.exe.
  • Navigate to "File" -> "Add/Remove Snap-in" -> "Add" -> "Active Directory Schema."
  • Browse the "Classes" directory to confirm the presence of the "country" and "groupOfNames" classes.

Creation (if not present):

  • If the classes are not present, go to the "Action" tab to create them.
  • Add "country" and "groupOfNames" classes as needed.

B. Add new superiors to "country" and "groupOfNames" classes:

  • In the "Relationship" tab of the "country" class properties: add "organizationalUnit" as a possible superior.
  • In the "Relationship" tab of the "groupOfNames" class properties: add "organizationalUnit" and "user" as possible superiors.

C. Make "country" and "groupOfNames" browsable:

  • In the "General" tab of the "country" class properties: tick "Show objects of this class while browsing."
  • In the "General" tab of the "groupOfNames" class properties: tick "Show objects of this class while browsing."

Following these steps enables you to:

  • Create country entries, geo-groups with specific countries, and add users as members of the geo-groups.
  • Perform these actions using the command line, PowerShell, or the Active Directory GUI.

Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig

Release v1.2.1

30 Mar 11:44
48784ce

Change Log

  • CR-1009 Add LDAP search scope configuration
  • CR-1008 Enhance LDAP log details (DEBUG level)
  • CR-1007 Support multiple username placeholders in the search filter
  • CR-1006 Add LDAP referral configuration

Configuration changes

  1. New configuration parameters
    Add the new configuration parameters to your env file:
CustomerConfigs__0__Ldap__FollowReferrals=false
CustomerConfigs__0__Ldap__DefaultSearchScope=LDAP_SCOPE_SUBTREE

    or, if you use the REDIS database (JSON configuration):

  "Ldap": {
    ...
    "FollowReferrals": false,
    "DefaultSearchScope": "LDAP_SCOPE_SUBTREE",
    ...
  }

  2. Search filter
    The search filter can match more than one attribute, so the username can be looked up in two or more attributes at once. The example below matches a SAM account name such as 'john.doe' as well as a UPN such as 'john.doe@company.ch'.
"UserSearchFilter": "(&(objectclass=person)(|(sAMAccountName={username})(userPrincipalName={username})))"
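The added example below (not the project's code) shows what rendering such a multi-placeholder filter from a RADIUS username should look like on the defensive side: every {username} occurrence receives the same value, and the value is escaped per RFC 4515 so that filter metacharacters in the supplied name are matched literally instead of changing the filter's structure. The function names are mine; the filter string is the one from the release notes.

```python
# Filter quoted from the release notes above; {username} appears twice.
USER_SEARCH_FILTER = "(&(objectclass=person)(|(sAMAccountName={username})(userPrincipalName={username})))"

# RFC 4515 section 3 escapes for the characters that carry meaning inside a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape one assertion value so the server compares it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, username):
    """Fill every {username} placeholder in the template with the same escaped value."""
    return template.replace("{username}", escape_filter_value(username))

def filter_structure_unchanged(template, rendered):
    """Sanity check: substitution must not add or remove any parenthesis of the template."""
    return rendered.count("(") == template.count("(") and rendered.count(")") == template.count(")")
```

A down-level name such as COMPANY\john.doe is escaped to COMPANY\5cjohn.doe and therefore matches neither attribute; strip such a prefix before substitution if your RADIUS clients send it.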

Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig

Release v1.2

22 Feb 14:08
80f7a44

Change Log

  • CR-1005 Add Support for RADIUS Accounting (Port 1812 for both Server Authentication and Accounting)
  • CR-1004 Ignore Radius Clients Retry Packets
  • CR-1003 Add configuration for MSS Signature TXN Timeout
  • CR-1002 Add Support for Fortinet Vendor Specific Attribute (VSA)

Configuration changes

  1. Change
    ENVIRONMENT=Production
    to
    ASPNETCORE_ENVIRONMENT=Production
  2. Add
    Schnittstellen__MobileIdClient__TransactionTimeoutSeconds=60
    RadiusServer__DuplicatePacketHandlingExpirationSeconds=120

Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig