ahaenggli / AzureAD-LDAP-wrapper

LDAP-Wrapper for 'microsoft 365' work or school accounts/users (former 'office 365' - via Entra ID, former AzureAD without AADDS)
https://ahaenggli.github.io/AzureAD-LDAP-wrapper/
MIT License
121 stars, 30 forks

Synology Radius with AzureAD LDAP wrapper #56

Closed ullerdk closed 9 months ago

ullerdk commented 1 year ago

Trying to use Synology Radius along with Azure AD wrapper for 802.1x WiFi auth against Azure AD accounts. But it is not working. I see all Azure AD user accounts under LDAP users.

I see this in the Synology Radius log:

2023-06-20 10:22:24 | Auth | (23) Login incorrect (ldap: Failed performing search: Can't contact LDAP server): [username] (from client Unifi2 port 0 cli EE-E0-96-F3-61-2F)
2023-06-20 10:22:24 | Auth | (23) Invalid user (ldap: Failed performing search: Can't contact LDAP server): [username] (from client Unifi2 port 0 cli EE-E0-96-F3-61-2F)
2023-06-20 10:22:24 | Error | rlm_ldap (ldap): Failed to reconnect (0), no free connections are available
2023-06-20 10:22:24 | Error | rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials

Synology Radius works with Synology local accounts. LDAP account source is enabled in Synology Radius configuration.

ahaenggli commented 1 year ago

Do you see anything in the wrapper log? If not, could you set LDAP_DEBUG to true and try again?

ullerdk commented 1 year ago

Do you see anything in the wrapper log? If not, could you set LDAP_DEBUG to true and try again?

Yes, I see a lot of references to an admin account in Azure AD. But that is not the user I try to do the 802.1x Wi-Fi login with.


ahaenggli commented 1 year ago

Thank you. I have no idea how the radius actually works, I've never used it yet... I will try it out in July.

calummacleanmtl commented 1 year ago

I have the Synology Radius working with the LDAP wrapper under DSM 7.2 without any issues. From the log you've posted, perhaps you've not got the LDAP user binding correct (that's the LDAP_BINDUSER variable that you have made up). Are you able to log into the DSM portal using your Azure AD credentials?

ullerdk commented 1 year ago

Yes, I can log in to the Synology with Azure AD credentials. So I guess the LDAP user binding is done correctly, then.


yuhongwei380 commented 1 year ago

You can post your azure-ldap configuration, I've configured radius in a Synology NAS and had no problems.

ahaenggli commented 1 year ago

Are you using the latest version of the wrapper? Are Synology Radius and the AzureAD LDAP-wrapper on the same NAS? Is the address of your LDAP server under Domain/LDAP "127.0.0.1" or the real IP of your NAS?

I don't have Unifi for testing, so I used radtest in my WSL (Windows Subsystem for Linux). Here's how I proceeded:

wholegamer commented 1 year ago

I too have run into this same issue.

LDAP Wrapper working. SAMBA working. LDAP users and SG's listed correctly. RADIUS working with local users, LDAP users incurring the same issue.

DSM 6.2.4-25556

Is it possibly a DSM versioning issue?

Testing with radtest locally on the NAS:

Local admin account:

ash-4.3# /volume1/@appstore/RadiusServer/bin/radtest -x -t mschap admin "local admin pw" localhost 0 "secret key"

        User-Name = "admin"
        MS-CHAP-Password = "local admin pw"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "local admin pw"
        MS-CHAP-Challenge = [redacted]
        MS-CHAP-Response = [redacted]
Received Access-Accept Id 106 from 127.0.0.1:1812 to 0.0.0.0:0 length 84
        MS-CHAP-MPPE-Keys = [redacted]
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
ash-4.3#

LDAP Wrapper user (does work via DSM web and SMB):

ash-4.3# /volume1/@appstore/RadiusServer/bin/radtest -x -t pap "user@tld" "user pw" localhost 0 "secret key"

        User-Name = "user@tld"
        User-Password = "user pw"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "user pw"
Received Access-Reject Id 112 from 127.0.0.1:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject
ash-4.3#

Neither pap nor chap change anything with radtest.

ahaenggli commented 1 year ago

Maybe a DSM-related issue... Can you see something in your radius log? (Is there even a log before DSM 7 in the package?)

wholegamer commented 1 year ago

Maybe a DSM-related issue... Can you see something in your radius log? (Is there even a log before DSM 7 in the package?)

Yeah - I get this:

[screenshot of the radius log]

wholegamer commented 1 year ago

Yes, I can log in to the Synology with Azure AD credentials. So I guess the LDAP user binding is done correctly, then.

Did you ever get it working?

jwronken commented 10 months ago

Got the same issue: I can authenticate into the Synology without issues, but Radius throws 2 errors:

[screenshot 1 of 2]

[screenshot 2 of 2]

This looks like the same error @wholegamer got? Any idea on how to resolve this, as I would love to use AzureAD login with my APs.

IHMS-IT commented 10 months ago

I have the same issue.

[screenshot]

@ahaenggli Is there a fix for this? Or are we doing something wrong?

ahaenggli commented 10 months ago

I also got a UniFi AP and successfully tested it today. It's pretty nice to be able to use the Wi-Fi with the same credentials :) The steps are added in the docs.

@IHMS-IT Regarding the NT-Password issue, it seems that if a user hasn't logged into DSM before, Radius doesn't perform an actual bind/login on the LDAP server. Instead, it queries the entries searching for the user and password. Without a successful login before, the LDAP-wrapper doesn't have a hashed password for the user, causing the Radius request to fail.

jwronken commented 10 months ago

it seems that if a user hasn't logged into DSM before, Radius doesn't perform an actual bind/login on the LDAP server.

@ahaenggli that makes sense actually, and I can confirm it solved the issue when I first log in to DSM with Azure SSO and then connect to my Unifi AP. However, I am planning to use it offsite, where users have no need to log in to the DSM and just need to use Radius. I guess there is no workaround for it (meaning, no initial login into DSM before the hashed password is stored). Adding a normal (non-AzureSSO) user and password manually to the Syno LDAP (not using LDAP wrapper) doesn't show the issue: without logging into DSM, Radius works for that user. LDAP Wrapper definitely is very interesting and I am sure I'll find some use for it (even if I need to ask every user to log in to a remote DSM first; too bad those are > 150 at the moment ;) Thanks for developing this!

ahaenggli commented 10 months ago

I'm glad to hear that! :)

Unfortunately, there is no real workaround for the initial login in advance. Microsoft/Azure does not offer a way to query the user's password (or its hash). Therefore, a login via the LDAP wrapper is required so that the hashed password can be saved. If you use the Syno LDAP, the password hash is stored directly there when your users are created, so there is no need to await a login to fetch its hash first. A prior login does not necessarily have to be via DSM; another tool that authenticates the users directly would also work (e.g. Authelia, Portainer, some file-transfer tools or project-management tools with LDAP support, etc.).

noque-lind commented 10 months ago

@ahaenggli Could you elaborate on what the requirements would be for another tool to make sure the password is hashed?

I'm thinking of writing a small menubar app that asks the user for credentials and then authenticates first with LDAP (to hash the password), and then afterwards open the selected SMB path using open smb://username:password

ahaenggli commented 10 months ago

@noque-lind Just a simple LDAP bind request is all that's needed. For example, in bash:

#!/bin/bash

ldapHost="192.168.1.2"
ldapPort=389
username="uid=username@domain.tld"
password="the_password"

# Simple bind (-x) as the user: this is the "login" after which the wrapper
# has a password hash for that user. ldapsearch exits 0 only if the bind
# and the search succeed, so the exit status is enough for the check.
if ldapsearch -x -LLL -H "ldap://$ldapHost:$ldapPort" -D "$username" -w "$password"; then
    echo "LDAP bind successful"
else
    echo "LDAP bind failed"
fi

or PHP:

<?php

$ldapHost = '192.168.1.2';
$ldapPort = 389;
$username = 'uid=username@domain.tld';
$password = 'the_password';

// ldap_connect() only prepares the handle; the TCP connection is made on bind.
$ldapConnection = ldap_connect("ldap://$ldapHost:$ldapPort");

if ($ldapConnection) {
    ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);

    // ldap_bind() returns false (and emits a warning) on failure; the "@"
    // silences the warning so the error is reported once, via ldap_error().
    if (@ldap_bind($ldapConnection, $username, $password)) {
        echo "LDAP bind successful\n";
    } else {
        echo "LDAP bind failed: " . ldap_error($ldapConnection) . "\n";
    }

    ldap_unbind($ldapConnection);
} else {
    echo "Unable to connect to LDAP server\n";
}
?>

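Added example, not part of this thread and not the wrapper's own code: it shows what the "simple LDAP bind request" above (and the prior login that ahaenggli's earlier comment says the wrapper needs before Radius can find a password hash) actually looks like on the wire, with both the client's BindRequest and the server's BindResponse encoded by hand in standard-library Python. Host, port, DN and password values are hypothetical placeholders taken from the bash snippet; result code 49 (invalidCredentials) is the code behind the "Bind credentials incorrect: Invalid credentials" line in the first log of this issue.

```python
"""Minimal LDAPv3 simple bind on the wire (RFC 4511), standard library only.

BER-encodes a BindRequest, sends it, and decodes the BindResponse. The
server-side builder is included so the exchange can be checked offline.
Host/DN/password values below are hypothetical placeholders.
"""
import socket

# LDAP resultCode values that matter for a bind
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    nbytes = (n.bit_length() + 7) // 8
    return bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")


def tlv(tag: int, body: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """INTEGER (tag 0x02) or ENUMERATED (tag 0x0A), minimal two's complement."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(tag, body)


def build_bind_request(message_id: int, dn: str, password: str) -> bytes:
    """Client side: LDAPMessage { messageID, BindRequest [APPLICATION 0]
    { version 3, name, authentication simple [0] password } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)


def build_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: LDAPMessage { messageID, BindResponse [APPLICATION 1]
    { resultCode ENUMERATED, matchedDN, diagnosticMessage } }."""
    result = ber_int(result_code, 0x0A) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))


def build_unbind_request(message_id: int) -> bytes:
    """UnbindRequest [APPLICATION 2] NULL: tag 0x42 with an empty body."""
    return tlv(0x30, ber_int(message_id) + tlv(0x42, b""))


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode one element (single-byte tags, which is all LDAP uses)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes) -> dict:
    """Decode a BindResponse into message id, result code and diagnostic."""
    tag, msg, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(msg)
    tag, result, _ = parse_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = parse_tlv(result)
    _, _matched_dn, pos = parse_tlv(result, pos)
    _, diag, _ = parse_tlv(result, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "result_name": RESULT_NAMES.get(rc, "other"),
            "diagnostic": diag.decode(errors="replace")}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        data += chunk
    return data


def _recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def ldap_simple_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0) -> dict:
    """The whole 'login': bind, read the result, unbind. Plain ldap:// on 389
    carries the password in clear, so use ldaps/StartTLS off a trusted path."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_bind_request(1, dn, password))
        reply = parse_bind_response(_recv_message(sock))
        sock.sendall(build_unbind_request(2))
    return reply


if __name__ == "__main__":
    # Hypothetical values; point these at your wrapper and one of its user DNs
    print(ldap_simple_bind("192.168.1.2", 389, "uid=username@domain.tld", "the_password"))
```

A result_code of 0 is the successful login the wrapper needs; 49 is what the first log in this issue reports from FreeRADIUS, and a non-empty diagnostic string is the server's own explanation. Anything that sends this one request (a login form, a menubar app, a scheduled check) satisfies the "prior login" requirement discussed above.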
danielboyer commented 9 months ago

Hi @ahaenggli, we are still having issues with the "mschap: FAILED: No NT-Password" error when trying to authenticate into the Synology network using RADIUS. We have verified that the account we are testing with has signed into the DSM. Are there any other reasons it could be failing? We have verified that the RADIUS setup works with a local account, it is just the LDAP ones.

ahaenggli commented 9 months ago

@danielboyer do you also use Samba? Does that work? If not, how did you connect your Synology to the ldap wrapper? Did you use the credentials of your superuser (environment variable LDAP_BINDUSER)?

danielboyer commented 9 months ago

@ahaenggli, Ahhhh, it looks like our LDAP_BINDUSER is not configured correctly. So if I understand correctly, this is where we would insert root or Synology admin credentials?

ahaenggli commented 9 months ago

Briefly summarized: LDAP_BINDUSER holds the LDAP-wrapper's internal admin users. Synology needs an admin user to connect (bind), so that it has access to all password hashes of the "real" EntraId accounts.

Detailed version:
Synology only connects to the LDAP wrapper as a client. From Synology's point of view, the LDAP wrapper is a complete LDAP server and has sovereignty over the user management. The LDAP wrapper has all your Entra users in it. Depending on the settings, the passwords are saved as a hash after successful logins.

However, Alice should not be able to see Bob's password hash, Bob should not be able to query Alice's password hash, and so on. This is programmed into the wrapper for security reasons, so that nobody can "accidentally" access other people's passwords (hashes).

The user logs on to Samba/Radius. The user does not interact directly with the LDAP wrapper. Samba/Radius loads the user and password hash from the LDAP wrapper and compares the values with the user input. In the case of Synology, Samba and Radius adopt the settings from the Synology<>LDAP-wrapper connection. For Samba/Radius to be able to do this, they need a user who is allowed to see ALL password hashes.

LDAP_BINDUSER is used to define a superuser who can do everything within the LDAP wrapper. Classic example: root. If you now connect your Synology to the LDAP wrapper with this LDAP-wrapper-internal superuser, Synology (and therefore all packages such as Samba or Radius) can see all password hashes. A login with Samba/Radius becomes possible.