LDAP Users + OTP / Attribute Mapping

Question

LDAP Users + OTP / Attribute Mapping

TobiKr opened this issue 3 years ago · 5 comments

Hi,

we have an Active Directory Environment and sync users via LDAP into keycloak. All users have an OTP enrolled and I have a radius client that is using PAP as protocol. I was not able resolve the following issues:

LDAP users are not able to login with LDAP PW + OTP in general. Is this combination supported?
How can we inject user attributes into the RADIUS response? I would like to forward a specific group name to the radius client to map firewall permissions. The radius response does not contain any attributes
Is there any way to restrict radius logins to a specific role/group?

Thanks
Tobias

Answer 1 · 2021-09-14T13:28:27.000Z

HI @TobiKr

LDAP users are not able to login with LDAP PW + OTP in general. Is this combination supported?

LDAP PW + OTP - supported only for PAP RADIUS protocol https://uk.wikipedia.org/wiki/Password_Authentication_Protocol

How can we inject user attributes into the RADIUS response? I would like to forward a specific group name to the radius client to map firewall permissions. The radius response does not contain any attributes

You can do this assign radius attribute to Keycloak Role, Group, Authorization Resource or directly to user.
For example:

Here the "Microtik-group" radius attribute with the "full" value assigned to the "ADMIN" role, so all users with the "ADMIN" role receive this radius attribute in the response.

Is there any way to restrict radius logins to a specific role/group?

assign attribute "REJECT" with any value to Role, Group, Authorization Resource

Answer 2 · 2021-09-18T17:14:42.000Z

Thanks for your quick reply @vzakharchenko !

LDAP + OTP: we are using PAP already. Is there something beside the readme we have to consider? And is there any way to enforce a second factor to disallow login without MFA?
Attributes: I tried to add a key/value to the attribute map, but that key/value was not send with the accept-message. Is there any way to send the group memberships via RADIUS? We are using Fortinet as Vendor (Vendor ID 12356) and would like to send the group attribute (ID 1)

Thanks again :-)
Best
Tobias

Answer 3 · 2021-09-20T11:57:10.000Z

@TobiKr ,

if MFA is configured for the user or exist action "configured OTP" then user can only log in with the MFA.
About Attribute, you need to add dictionary to support "Fortinet". Example dictionary for ChilliSpot

Answer 4 · 2021-09-20T19:17:40.000Z

Hi @vzakharchenko,

I worked with @TobiKr on the same issue. So I am talking about the same setup.

We tried OTP logins via PAP:

users had OTP configured and OTP was working in Keycloak account console
Radius permissions were based on Keycloak roles (mapped to a group with assigned user)
We tried the same settings on local Keycloak groups+users and on LDAP imported groups+users.

In this setup only the local users worked if we set otp:true in radius.config and we couldn't find the reason for auth issues with ldap users. Standard user+password auth works also with radius for ldap users. But not with OTP.
Debug log of Keycloak instance doesn't show any helpful information.

The second issue is, that the local Keycloak users with enabled OTP were able to login with "" or only with "" as password. Your documentation says that's a feature behind the otp:true setting in radius.config. But OTP logins failed completely if we set this to false or keep default setting.

Do you have an idea for debugging?

Thank you,
Marcel

Answer 5 · 2021-09-21T07:35:35.000Z

Hi @Firewire2002 @TobiKr

I fixed issue with OTP,
and added example LDAP with OTP password: https://github.com/vzakharchenko/keycloak-radius-plugin/blob/master/Examples/LdapOtpExample/README.md

@TobiKr
Also added a way how to import a dictionary from file: example for Fortinet: https://github.com/vzakharchenko/keycloak-radius-plugin#add-custom-radius-dictionaryexample-for-fortinet

Thanks for issue report