LDAP group-checking - missing user-dn in filter

Jason Long jlong at messiah.edu
Mon Aug 18 17:57:08 CEST 2008


This morning I'm attempting to upgrade my FreeRadius install from 1.1.7 to
2.0.5.
I'm having an issue with LDAP group-checking.


Here's my scenario:
I authenticate users with LDAP (eDirectory). In addition, I do some LDAP
group-checking to determine which RADIUS attributes I want to return to the
network device. This happens in the "users" file, with lines like:

DEFAULT Ldap-Group == students
        Aruba-User-Role = student

DEFAULT Ldap-Group == employees
        Aruba-User-Role = employee


This was working in 1.1.7. But now I'm on 2.0.5, and after converting the
config files, this is how it is behaving:



    users: Matched entry DEFAULT at line 13
rlm_ldap: Entering ldap_groupcmp()
        expand: t=mc-tree -> t=mc-tree
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand:
(&(objectClass=person)(uid=%{Stripped-User-Name:-%{User-Name}})) ->
(&(objectClass=person)(uid=georget))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap.messiah.edu:389, authentication 0
rlm_ldap: setting TLS CACert File to
/usr/local/radius2/etc/raddb/certs/messiah-ca.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: starting TLS
rlm_ldap: bind as cn=ldap-radius,o=mc/*** to ldap.messiah.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in t=mc-tree, with filter
(&(objectClass=person)(uid=georget))
rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn})) ->
(&(objectClass=groupOfNames)(member=))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in t=mc-tree, with filter
(&(cn=students)(&(objectClass=groupOfNames)(member=)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group students not found or user is not a member.
rlm_ldap: Entering ldap_groupcmp()
        expand: t=mc-tree -> t=mc-tree
        expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn})) ->
(&(objectClass=groupOfNames)(member=))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in t=mc-tree, with filter
(&(cn=employees)(&(objectClass=groupOfNames)(member=)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group employees not found or user is not a
member.
rlm_ldap: Entering ldap_groupcmp()
++[files] returns ok




I can see the issue here... the filter is messed up.
        expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn})) ->
(&(objectClass=groupOfNames)(member=))

The search filter should contain something like
(member=cn=georget,ou=student,o=mc), but instead it has (member=).

Is %{Ldap-UserDn} not correct? I got it right out of the sample
configuration...

Jason
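As an added illustration of the two expansions in the debug output above (this is example code, not from the post and not FreeRADIUS's own rlm_ldap), the following Python builds the user lookup filter and the group membership filter the same way, escapes filter values per RFC 4515, and refuses to run the group search when the user DN never got populated, so an unset Ldap-UserDn surfaces as an error instead of silently expanding to `(member=)` and denying every group. The toy directory, the `ou=groups` container, the `jlong` entry and all helper names are constructed assumptions.

```python
"""Construct rlm_ldap-style LDAP filters safely and refuse to run the group
search when the user DN was never populated.

Added example, not code from the post or from FreeRADIUS. The directory
contents, the extra DNs and the helper names are constructed for illustration.
"""
from typing import Any, Dict, Optional, Tuple


class MissingUserDn(ValueError):
    """Raised when Ldap-UserDn is unset: a search for (member=) can never
    match, so failing loudly beats silently reporting 'not a member'."""


def ldap_filter_escape(value: str) -> str:
    """Escape the RFC 4515 special characters so a value such as
    'a*)(uid=*' cannot change the shape of the filter."""
    specials = {'*': r'\2a', '(': r'\28', ')': r'\29', '\\': r'\5c', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)


def user_filter(user_name: str, stripped_user_name: Optional[str] = None) -> str:
    """Mirrors (&(objectClass=person)(uid=%{Stripped-User-Name:-%{User-Name}})):
    use Stripped-User-Name when set, otherwise fall back to User-Name."""
    uid = stripped_user_name or user_name
    return "(&(objectClass=person)(uid=%s))" % ldap_filter_escape(uid)


def group_filter(group: str, user_dn: Optional[str]) -> str:
    """Mirrors (&(cn=<group>)(&(objectClass=groupOfNames)(member=%{Ldap-UserDn})))
    but aborts instead of expanding an unset Ldap-UserDn to an empty string."""
    if not user_dn:
        raise MissingUserDn("Ldap-UserDn is unset; refusing to search with (member=)")
    return ("(&(cn=%s)(&(objectClass=groupOfNames)(member=%s)))"
            % (ldap_filter_escape(group), ldap_filter_escape(user_dn)))


# Constructed toy directory standing in for the eDirectory tree; the staff
# entry and the ou=groups container are assumptions, not from the post.
SAMPLE_DIRECTORY: Dict[str, Dict[str, Any]] = {
    "cn=georget,ou=student,o=mc": {"objectClass": "person", "uid": "georget"},
    "cn=jlong,ou=staff,o=mc": {"objectClass": "person", "uid": "jlong"},
    "cn=students,ou=groups,o=mc": {
        "objectClass": "groupOfNames", "cn": "students",
        "member": ["cn=georget,ou=student,o=mc"]},
    "cn=employees,ou=groups,o=mc": {
        "objectClass": "groupOfNames", "cn": "employees",
        "member": ["cn=jlong,ou=staff,o=mc"]},
}


def lookup_user_dn(directory: Dict[str, Dict[str, Any]], uid: str) -> Optional[str]:
    """Step 1: the (uid=...) search. The DN of the single matching entry is
    what rlm_ldap stores as Ldap-UserDn; no hit or an ambiguous hit gives None."""
    hits = [dn for dn, entry in directory.items()
            if entry.get("objectClass") == "person" and entry.get("uid") == uid]
    return hits[0] if len(hits) == 1 else None


def ldap_groupcmp(directory: Dict[str, Dict[str, Any]], uid: str,
                  group: str) -> Tuple[bool, str]:
    """Step 2: the group search. Returns (is_member, filter_used) and raises
    MissingUserDn when step 1 produced no DN to put into member=."""
    user_dn = lookup_user_dn(directory, uid)
    flt = group_filter(group, user_dn)
    for entry in directory.values():
        if (entry.get("objectClass") == "groupOfNames"
                and entry.get("cn") == group
                and user_dn in entry.get("member", [])):
            return True, flt
    return False, flt


if __name__ == "__main__":
    for uid, group in [("georget", "students"), ("georget", "employees")]:
        member, flt = ldap_groupcmp(SAMPLE_DIRECTORY, uid, group)
        print("%s in %s: %s   filter: %s" % (uid, group, member, flt))
    try:
        ldap_groupcmp(SAMPLE_DIRECTORY, "nobody", "students")
    except MissingUserDn as exc:
        print("nobody:", exc)
```

The useful check when debugging a trace like the one above is the guard in `group_filter`: if the first search did not yield exactly one DN, the second filter is not worth sending, and the log line should say so rather than reporting "Group students not found or user is not a member".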


