Change Log
- CR-1010 Allow geofencing based on user's AD group memberOf
- Upgrade to .NET 8.0 with long-term support (LTS) until Nov. 2026
New Configuration section
If you do not use a Redis database, add the following configuration to your env file:
CustomerConfigs__0__Ldap__Geofencing__Activate=true
CustomerConfigs__0__Ldap__Geofencing__GeofencingSearchBase=dc=mycompany,dc=ch
CustomerConfigs__0__Ldap__Geofencing__UserGeoGroupSearchFilter=(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))
CustomerConfigs__0__Ldap__Geofencing__CountriesSearchFilter=(objectClass=country)
CustomerConfigs__0__Ldap__Geofencing__MinimalDeviceConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__MinimalLocationConfidence=0.7
CustomerConfigs__0__Ldap__Geofencing__FailAuthIfGroupMissing=true
CustomerConfigs__0__Ldap__Geofencing__BlacklistGroupPrefix=blacklist-
CustomerConfigs__0__Ldap__Geofencing__WhitelistGroupPrefix=whitelist-
If you do use a Redis database, add the following JSON configuration inside the "Ldap" section instead:
"Ldap": {
  ...
  "Geofencing": {
    "Activate": true,
    "GeofencingSearchBase": "dc=mycompany,dc=ch",
    "UserGeoGroupSearchFilter": "(&(objectClass=groupOfNames)(member={userdn})(ou=geo-groups))",
    "CountriesSearchFilter": "(objectClass=country)",
    "MinimalDeviceConfidence": 0.7,
    "MinimalLocationConfidence": 0.7,
    "FailAuthIfGroupMissing": true,
    "BlacklistGroupPrefix": "blacklist-",
    "WhitelistGroupPrefix": "whitelist-"
  }
  ...
}
How to set up an AD whitelist (guideline)
To add a new country entry to an LDAP server from the command line, create an LDIF (LDAP Data Interchange Format) file that describes the entry, then load it with the ldapadd command. Step by step:
First, create an LDIF file with the content of the new country entry:
add_country.ldif:
dn: c=CH,ou=countries,dc=mycompany,dc=ch
objectClass: country
c: CH
Create the parent entry if necessary: if ou=countries does not exist yet, create it first with another LDIF file:
add_countries_ou.ldif:
dn: ou=countries,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: countries
You will also need an organizational unit ou=geo-groups to hold the geo-groups; create it the same way with a third LDIF file and load it with ldapadd:
create_geo_groups_ou.ldif:
dn: ou=geo-groups,dc=mycompany,dc=ch
objectClass: organizationalUnit
ou: geo-groups
Run ldapadd to load these entries, parents first: an entry cannot be added before the entry its DN hangs under exists. You need a bind identity that is allowed to write to the directory. The commands look like this:
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_countries_ou.ldif
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f create_geo_groups_ou.ldif
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_country.ldif
Passing the password with -w exposes it in the process list and the shell history; in practice use -W to be prompted (or -y to read it from a file) and connect over ldaps:// or with -ZZ (StartTLS) so the bind credentials are not sent in clear text.
To create a group entry that represents a whitelist of countries, with each member being one country entry, proceed as follows:
Create an LDIF file with the content of the group entry. The cn must start with the configured WhitelistGroupPrefix (whitelist- in the configuration above; blacklist groups use BlacklistGroupPrefix the same way), and the DN and every member must point at entries that actually exist in your directory.
add_whitelist_group.ldif:
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
Use the ldapadd command to add this group entry to your LDAP directory.
ldapadd -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f add_whitelist_group.ldif
To add the user cn=alice,ou=users,dc=mycompany,dc=ch as a member of the group cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch, modify the group entry: create an LDIF file that describes the modification and apply it with ldapmodify. To remove a user from the group, replace "add: member" with "delete: member".
modify_whitelist_group.ldif:
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
changetype: modify
add: member
member: cn=alice,ou=users,dc=mycompany,dc=ch
Use the ldapmodify command to apply this modification to your LDAP directory.
ldapmodify -H ldap://ldap.mycompany.ch:389 -D "cn=admin,dc=mycompany,dc=ch" -w secret -f modify_whitelist_group.ldif
To check that cn=alice,ou=users,dc=mycompany,dc=ch is now a member of cn=whitelist-dach, read the group entry back with ldapsearch and confirm that the user's DN appears among its member values. Note that this query reads the group, not the user's own attributes; the rig's UserGeoGroupSearchFilter works the same way, matching groups whose member attribute contains the user DN:
ldapsearch -LLL -H ldap://ldap.mycompany.ch:389 -b "cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch" -D "cn=admin,dc=mycompany,dc=ch" -w secret "objectClass=groupOfNames"
dn: cn=whitelist-dach,ou=geo-groups,dc=mycompany,dc=ch
objectClass: groupOfNames
cn: whitelist-dach
member: c=CH,ou=countries,dc=mycompany,dc=ch
member: c=AT,ou=countries,dc=mycompany,dc=ch
member: c=DE,ou=countries,dc=mycompany,dc=ch
member: cn=alice,ou=users,dc=mycompany,dc=ch
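The steps above as one script, added here as an example and not part of mid-radius-rig or its documentation: it generates the LDIF in dependency order (the two ou parents, then the countries, then the group), rejects country codes that are not two upper-case letters and group names that lack the whitelist-/blacklist- prefix, and checks a user's membership from an ldapsearch dump after unfolding LDIF continuation lines. The function names, the BASE_DN/LDAP_URL/BIND_DN defaults and the DRY_RUN switch are assumptions for illustration. By default it only prints the LDIF; when it does send it, ldapadd -W prompts for the bind password instead of taking it from the command line.

```shell
#!/usr/bin/env bash
# Added example, not part of mid-radius-rig: scripted version of the LDIF steps above.
# Function names, the BASE_DN/LDAP_URL/BIND_DN defaults and DRY_RUN are assumptions.
set -eu

BASE_DN="${BASE_DN:-dc=mycompany,dc=ch}"
LDAP_URL="${LDAP_URL:-ldaps://ldap.mycompany.ch}"   # TLS, not plain ldap://:389
BIND_DN="${BIND_DN:-cn=admin,${BASE_DN}}"

# LDIF for an organizationalUnit directly under BASE_DN (ou=countries, ou=geo-groups).
ou_ldif() {
  printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$1" "$BASE_DN" "$1"
}

# LDIF for one country entry under ou=countries; rejects anything that is not a
# two-letter upper-case ISO 3166 code so a typo cannot create a dangling member DN.
country_ldif() {
  case "$1" in
    [[:upper:]][[:upper:]]) ;;
    *) echo "invalid country code: $1" >&2; return 1 ;;
  esac
  printf 'dn: c=%s,ou=countries,%s\nobjectClass: country\nc: %s\n' "$1" "$BASE_DN" "$1"
}

# LDIF for a geo-group whose members are country entries. The cn must carry the
# configured WhitelistGroupPrefix/BlacklistGroupPrefix or the rig will not see it,
# and groupOfNames requires at least one member.  Usage: group_ldif whitelist-dach CH AT DE
group_ldif() {
  local name="$1"; shift
  case "$name" in
    whitelist-*|blacklist-*) ;;
    *) echo "group name must start with whitelist- or blacklist-: $name" >&2; return 1 ;;
  esac
  [ "$#" -ge 1 ] || { echo "groupOfNames needs at least one member" >&2; return 1; }
  printf 'dn: cn=%s,ou=geo-groups,%s\nobjectClass: groupOfNames\ncn: %s\n' "$name" "$BASE_DN" "$name"
  for c in "$@"; do
    printf 'member: c=%s,ou=countries,%s\n' "$c" "$BASE_DN"
  done
}

# ldapmodify LDIF that adds a user DN to a geo-group (op=add) or removes it (op=delete).
member_mod_ldif() {
  local group="$1" user_dn="$2" op="${3:-add}"
  printf 'dn: cn=%s,ou=geo-groups,%s\nchangetype: modify\n%s: member\nmember: %s\n' \
    "$group" "$BASE_DN" "$op" "$user_dn"
}

# Read `ldapsearch -LLL` output for a group on stdin; succeed iff DN $1 is a member.
# LDIF folds long values onto continuation lines that start with a space, so unfold
# them first or a long user DN would never match.
is_member() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' | grep -Fxq "member: $1"
}

# Whole setup in dependency order: parent OUs, then countries, then the group.
# DRY_RUN=1 (default) prints the LDIF; DRY_RUN=0 sends it with ldapadd, where -W
# prompts for the bind password instead of exposing it on the command line and
# -c continues past "already exists" errors for OUs created in an earlier run.
setup_whitelist() {
  local name="$1"; shift
  local ldif
  ldif=$(
    ou_ldif countries; echo
    ou_ldif geo-groups; echo
    for c in "$@"; do country_ldif "$c"; echo; done
    group_ldif "$name" "$@"
  )
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$ldif"
  else
    printf '%s\n' "$ldif" | ldapadd -H "$LDAP_URL" -D "$BIND_DN" -W -c
  fi
}

# Demo: `bash geofencing.sh demo` prints the LDIF for the DACH whitelist from the guide.
if [ "${1:-}" = demo ]; then
  setup_whitelist whitelist-dach CH AT DE
  member_mod_ldif whitelist-dach "cn=alice,ou=users,${BASE_DN}"
fi
```

The unfolding step in is_member matters in practice: ldapsearch wraps values longer than 76 characters, so a user DN in a deep OU tree would otherwise be split across two lines and a naive grep on the dump would report the user as missing.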
Checking and modifying the Microsoft Active Directory schema:
Be careful when modifying the schema: changes replicate to the whole forest and classes can be deactivated but never deleted, so test them in a lab forest first. You must be a member of Schema Admins and be connected to the domain controller that holds the Schema Master role.
A. Ensure the "country" and "groupOfNames" classes exist:
Verification:
- Register the snap-in once by running regsvr32 schmmgmt.dll from an elevated prompt.
- Open the Run dialog (Windows + R) and type mmc.exe.
- Navigate to "File" -> "Add/Remove Snap-in", select "Active Directory Schema" and click "Add".
- Browse the "Classes" folder to confirm the presence of the "country" and "groupOfNames" classes.
Creation (if not present):
- If a class is missing, use the "Action" menu on the "Classes" folder to create it.
- Add the "country" and "groupOfNames" classes as needed.
B. Add new possible superiors to the "country" and "groupOfNames" classes:
- In the "Relationship" tab of the "country" class properties, add "organizationalUnit" as a possible superior.
- In the "Relationship" tab of the "groupOfNames" class properties, add "organizationalUnit" and "user" as possible superiors.
C. Make "country" and "groupOfNames" browsable:
- In the "General" tab of the "country" class properties, tick "Show objects of this class while browsing".
- In the "General" tab of the "groupOfNames" class properties, tick the same box.
Following these steps enables you to:
- Create country entries, geo-groups with specific countries, and add users as members of the geo-groups.
- Perform these actions using command line, PowerShell, and the Active Directory GUI.
Docker Image
https://hub.docker.com/r/mobileidch/mid-radius-rig