jimdigriz / freeradius-oauth2-perl

FreeRADIUS OAuth2 (OpenID Connect) using rlm_perl
GNU Affero General Public License v3.0

Multiple domains in O365 #2

Closed EpicPilgrim closed 4 years ago

EpicPilgrim commented 8 years ago

This is a great little package, I got it up and running today in no time with your instructions and now have several applications authenticating via my on-prem RADIUS server to O365, including 802.1x. Well done!

One problem I've found though is that our org runs multiple domains in O365, in the one tenant. Using our "primary domain" (as far as Azure AD is concerned), no problems at all. Any user that uses a non-primary domain as their login though cannot use this RADIUS server for auth. We basically see this in RADIUS logs:

++[oauth2-perl] = notfound
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop

I've added the domain as a realm in the module's config file and also added to RADIUS's proxy.conf file, hasn't made a difference. Any thoughts what else I need to check? Obviously it's the same client ID with the same client secret as it's the same Azure AD, it's just not the primary domain.

Thanks!

Brett

jimdigriz commented 8 years ago
When logging in, are you using the username@realm format? If you leave off the '@realm' the module uses your primary domain by default. If you are including the realm, it's something else and the next step would be to send me all of the FreeRADIUS debugging output to see what's going on.

EpicPilgrim commented 8 years ago

Just updating this for future reference for others. My problem is that Azure's Graph API only allows up to 999 results per query. This module attempts to verify that the username exists before attempting to authenticate with it, however it can only pull the first 999 results and we have over 4,000 users in Azure AD. I attempted modifying the code to loop through the pages of results until it reaches the end, however the process of requesting and receiving all 4,000+ records took in excess of 30 seconds which is outside what is acceptable (even though rlm_cache can cache it for a time, eventually it will have to be polled again). For the time being, I've just removed that check from the code. At a later stage I may work at developing the cache code further so that it isn't reliant on waiting to repopulate the list of users before completing authentication, e.g. via a cron job that polls it or via some other smart way of doing this! If I do then I'll be submitting a patch to Alex to include :)
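The page-limit problem described above, as an added example that is not code from the project or from the comment's author: a constructed, offline stand-in for the Graph users endpoint that pages the way OData does (a "value" array plus an "@odata.nextLink"), with the first-page-only lookup beside a lookup that walks every page. The endpoint URL, page size and user list are all constructed.

```python
# Added example: constructed offline stand-in for a paged OData "users" listing.
# PAGE_SIZE is 2 instead of the real 999 so the paging is visible in a small set.
PAGE_SIZE = 2
TENANT_USERS = [  # constructed sample directory; the last entry is on page 3
    "alice@corp.example", "bob@corp.example",
    "carol@sub.example", "dave@sub.example",
    "erin@other.example",
]
BASE = "https://graph.example/v1.0/users"  # placeholder, not a real endpoint


def fake_graph_get(url):
    """Return one page of users, mimicking the server-side page limit."""
    skip = int(url.rsplit("$skip=", 1)[1]) if "$skip=" in url else 0
    page = TENANT_USERS[skip:skip + PAGE_SIZE]
    body = {"value": [{"userPrincipalName": u} for u in page]}
    if skip + PAGE_SIZE < len(TENANT_USERS):
        body["@odata.nextLink"] = f"{BASE}?$skip={skip + PAGE_SIZE}"
    return body


def user_exists_first_page_only(upn, get=fake_graph_get):
    """The behaviour described in the issue: only the first page is consulted,
    so any user beyond it is reported as unknown (the 'notfound' in the log)."""
    return any(u["userPrincipalName"] == upn for u in get(BASE)["value"])


def all_users(get=fake_graph_get):
    """Walk every page by following @odata.nextLink until it is absent.
    Returns (users, request_count); the count is what makes a per-auth walk
    slow for a large tenant and is why it belongs in a background refresh."""
    url, users, requests = BASE, [], 0
    while url:
        body = get(url)
        requests += 1
        users.extend(u["userPrincipalName"] for u in body["value"])
        url = body.get("@odata.nextLink")
    return users, requests


def user_exists_paged(upn, get=fake_graph_get):
    """Lookup against the complete, paged listing."""
    users, _ = all_users(get)
    return upn in users
```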

jimdigriz commented 4 years ago

Closing this as my new branch walks the paging and uses delta queries and backgrounds the user/group updating task to not block/slow down authentications.

https://github.com/jimdigriz/freeradius-oauth2-perl/tree/fr3 nearly ready!

Due to limitations of FR3 and rlm_perl, the first request per realm/domain is going to still be slow but everything afterwards should be fast.