From d6fdc2d1c6dcf5d3b43d152e288b66f727e7cedd Mon Sep 17 00:00:00 2001
From: Ivan-Timofeev
Date: Mon, 24 Jun 2024 13:26:36 +0300
Subject: [PATCH 1/2] =?UTF-8?q?=D0=92=D1=81=D0=B5=D0=B3=D0=B4=D0=B0=20?= =?UTF-8?q?=D0=BF=D1=80=D0=BE=D0=B2=D0=B5=D1=80=D1=8F=D1=82=D1=8C=20=D1=87?= =?UTF-8?q?=D0=BB=D0=B5=D0=BD=D1=81=D1=82=D0=B2=D0=BE=20=D0=BE=D1=82=20?= =?UTF-8?q?=D0=B8=D0=BC=D0=B5=D0=BD=D0=B8=20=D0=A2=D0=A3=D0=97=20https://t?= =?UTF-8?q?racker.yandex.ru/DEV-135?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../ActiveDirectory/ActiveDirectoryService.cs | 45 ++++++++++++-------
 1 file changed, 29 insertions(+), 16 deletions(-)
diff --git a/MultiFactor.Radius.Adapter/Services/ActiveDirectory/ActiveDirectoryService.cs b/MultiFactor.Radius.Adapter/Services/ActiveDirectory/ActiveDirectoryService.cs
index a07d91f..4811f8d 100644
--- a/MultiFactor.Radius.Adapter/Services/ActiveDirectory/ActiveDirectoryService.cs
+++ b/MultiFactor.Radius.Adapter/Services/ActiveDirectory/ActiveDirectoryService.cs
@@ -84,13 +84,8 @@ public bool VerifyCredentialAndMembership(PendingRequest request)
 try
 {
- _logger.Debug("Verifying user '{User:l}' credential and status at {Domain:l}", user, _domain);
-
- using (var connection = _connectionFactory.Create(_domain, user.Name, request.Passphrase.Password))
- {
- _logger.Information("User '{User:l}' credential and status verified successfully in {Domain:l}", user, _domain);
- return VerifyMembership(request.Configuration, connection, _domain, user, request);
- }
+ VerifyCredential(user, request);
+ return VerifyMembership(request.Configuration, user, request);
 }
 catch (LdapException lex)
 {
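Review bot: The `catch (LdapException lex)` that follows now also covers the service-account connection opened inside `VerifyMembership(request.Configuration, user, request)`, not only the user bind in `VerifyCredential(user, request)`, so a failure to bind as the current process user takes the same path as a wrong user password. If that handler logs or counts the event as a user credential failure (its body is outside the hunk), a misconfigured or locked-out service account will show up in logs and metrics as a wave of failed user logins rather than as an adapter problem. Consider narrowing the try to the `VerifyCredential(user, request);` call and letting the membership lookup report its own failure, so the two causes stay distinguishable for whoever reads the logs. The enclosing method starts outside the hunk.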
@@ -193,17 +188,25 @@ public bool ChangePassword(PendingRequest request, string currentPassword, out b
 return false;
 }
- private bool VerifyMembership(ClientConfiguration clientConfig, LdapConnection connection, string userDomain, LdapIdentity user, PendingRequest request)
+ private bool VerifyMembership(ClientConfiguration clientConfig, LdapIdentity user, PendingRequest request)
 {
- var domain = LdapIdentity.FqdnToDn(userDomain);
- var schema = _forestMetadataCache.Get(
- clientConfig.Name,
- domain,
- () => new ForestSchemaLoader(clientConfig, connection, _logger).Load(domain));
- var profile = new ProfileLoader(schema, _logger).LoadProfile(clientConfig, connection, domain, user);
- if (profile == null)
+ var domain = LdapIdentity.FqdnToDn(_domain);
+
+ LdapProfile profile;
+
+ using (var connection = _connectionFactory.CreateAsCurrentProcessUser(_domain))
 {
- return false;
+ var forestSchema = _forestMetadataCache.Get(
+ clientConfig.Name,
+ domain,
+ () => new ForestSchemaLoader(clientConfig, connection, _logger).Load(domain));
+
+ profile = new ProfileLoader(forestSchema, _logger).LoadProfile(clientConfig, connection, domain, user);
+
+ if (profile == null)
+ {
+ return false;
+ }
 }
 //user must be member of security group
@@ -264,6 +267,16 @@ private bool VerifyMembership(ClientConfiguration clientConfig, LdapConnection c
 return true;
 }
+ private void VerifyCredential(LdapIdentity user, PendingRequest request)
+ {
+ _logger.Debug("Verifying user '{User:l}' credential and status at {Domain:l}", user, _domain);
+
+ using (_ = _connectionFactory.Create(_domain, user.Name, request.Passphrase.Password))
+ {
+ _logger.Information("User '{User:l}' credential and status verified successfully in {Domain:l}", user, _domain);
+ }
+ }
+
 private bool IsMemberOf(LdapProfile profile, string group)
 {
 return profile.MemberOf?.Any(g => g.ToLower() == group.ToLower().Trim()) ?? false;
From 29d7faf4e8449b07a7d81197d03dd31a19a33501 Mon Sep 17 00:00:00 2001
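Review bot: The `return false` on `profile == null` still leaves no trace of why the user is rejected, and after this change a null profile can also mean that the process account behind `CreateAsCurrentProcessUser(_domain)` lacks read access to the user's object, not only that the user does not exist in `_domain`. Unless `ProfileLoader.LoadProfile` already logs this (not visible here), add a line before the return, e.g. `_logger.Information("Profile of user '{User:l}' not found in {Domain:l} when searching as the current process user", user, _domain);`, so a permissions problem of the service account can be told apart from an unknown user when reviewing authentication failures. The rest of the method, which consumes `profile` after the connection has been disposed, continues outside the hunk.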
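Review bot: `VerifyCredential` has no failure path of its own — it is `void` and relies on whatever `_connectionFactory.Create(_domain, user.Name, request.Passphrase.Password)` throws on a failed bind escaping to the caller's catch — and nothing at the declaration says so, which a reader of `VerifyCredential(user, request); return VerifyMembership(...)` in the caller cannot see. Add an XML summary stating the contract, e.g. `/// <summary>Binds to <c>_domain</c> with the user's own password. Returns normally when the bind succeeds; a failed bind is expected to surface as an <c>LdapException</c> from the connection factory (confirm against the factory).</summary>`. The `using (_ = ...)` discard assignment is an unusual form of a using statement; `using (_connectionFactory.Create(_domain, user.Name, request.Passphrase.Password))` disposes the connection the same way and makes the intent plain: the connection exists only for the bind.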
From: Ivan-Timofeev
Date: Thu, 27 Jun 2024 12:44:10 +0300
Subject: [PATCH 2/2] Add another section for RadiusRouter.HandleRequest
---
 .../Server/RadiusRouter.cs | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs b/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs
index 4dfee8e..da2c47f 100644
--- a/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs
+++ b/MultiFactor.Radius.Adapter/Server/RadiusRouter.cs
@@ -215,6 +215,7 @@ public async Task HandleRequest(PendingRequest request)
 if (request.AuthenticationState.SecondFactor == AuthenticationCode.Awaiting)
 {
 var code = await ProcessSecondAuthenticationFactor(request);
+
 if (code == PacketCode.AccessChallenge)
 {
 request.ResponseCode = request.AuthenticationState.GetResultPacketCode();
@@ -223,7 +224,17 @@ public async Task HandleRequest(PendingRequest request)
 return;
 }
- if (code != PacketCode.AccessAccept)
+ if (code == PacketCode.AccessAccept)
+ {
+ _logger.Information("Second factor accepted for user '{user:l}' from {host:l}:{port}",
+ request.UserName, request.RemoteEndpoint.Address, request.RemoteEndpoint.Port);
+ request.AuthenticationState.SetSecondFactor(AuthenticationCode.Accept);
+ request.ResponseCode = request.AuthenticationState.GetResultPacketCode();
+ CreateAndSendRadiusResponse(request);
+ return;
+ }
+
+ if (code == PacketCode.AccessReject)
 {
 _logger.Information("Second factor rejected for user '{user:l}' from {host:l}:{port}",
 request.UserName, request.RemoteEndpoint.Address, request.RemoteEndpoint.Port);
@@ -232,11 +243,6 @@ public async Task HandleRequest(PendingRequest request)
 CreateAndSendRadiusResponse(request);
 return;
 }
-
- request.AuthenticationState.SetSecondFactor(AuthenticationCode.Accept);
- request.ResponseCode = request.AuthenticationState.GetResultPacketCode();
- CreateAndSendRadiusResponse(request);
- return;
 }
 request.ResponseCode = request.AuthenticationState.GetResultPacketCode();
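Review bot: With `if (code != PacketCode.AccessAccept)` replaced by `if (code == PacketCode.AccessReject)` in this hunk and the unconditional tail removed in the next one (`@@ -232,11 +243,6 @@`), any other value `ProcessSecondAuthenticationFactor(request)` can return — whatever PacketCode members exist besides Challenge, Accept and Reject, which is not visible here — no longer meets an explicit branch and falls through to the `request.ResponseCode = request.AuthenticationState.GetResultPacketCode();` after the block with the second factor still `Awaiting`. Before the change every non-accept result was treated as a rejection; now the outcome for an unexpected result depends on what `GetResultPacketCode()` yields for `Awaiting`, which is outside the hunks, so the fail-closed default should be restored explicitly rather than left to that method. Add a fallback after the AccessReject section's closing brace, still inside the `Awaiting` block, that logs the unexpected code and follows the reject path, as below; the reject section's body continues between the hunks and `HandleRequest` starts and ends outside them.
```csharp
// … unchanged: AccessChallenge, AccessAccept and AccessReject sections …

// Any other result must not fall through with SecondFactor still Awaiting:
// treat it exactly like a rejection and make it visible in the log.
_logger.Information("Unexpected second factor result {code} for user '{user:l}' from {host:l}:{port}",
    code, request.UserName, request.RemoteEndpoint.Address, request.RemoteEndpoint.Port);
request.AuthenticationState.SetSecondFactor(/* PLACEHOLDER: the rejected AuthenticationCode value the AccessReject section sets */);
request.ResponseCode = request.AuthenticationState.GetResultPacketCode();
CreateAndSendRadiusResponse(request);
return;
```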