Allow users from a specific AD group

Free2009 nunogfas at gmail.com
Thu Sep 24 09:52:45 CEST 2009


Hi, I spent some time trying to get FR+AD working together, and presently I'm
using ntlm to authenticate users through mschap against the AD. It is
working.

The next step is to try to allow access only to specific users belonging to a group
from the AD, but it is not working.

I post here the important things I have configured until now:

1. users file:

DEFAULT Ldap-Group != "wireless", Auth-Type := Reject

2. /usr/local/etc/raddb/sites-enabled/inner-tunnel and default:

# uncommented ldap from authorize function

3. /modules/ldap:

        server = "192.168.1.10"
        port = 389
        identity = "cn=Administrator,cn=users,dc=DOT1X,dc=local"
        password = 123456
        basedn = "dc=DOT1X,dc=local"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
        base_filter = "(objectclass=radiusprofile)"
        groupmembership_filter = "(|(&(objectClass=group)(member=%{Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf

Do you have any idea what can be missing?

I also send the debug output:

ldap_chase_v3referral: msgid 15, url
"ldap://dot1x.local/CN=Configuration,DC=dot1x,DC=local"
ldap_send_server_request
ldap_new_connection 0 1 1
ldap_int_open_connection
ldap_connect_to_host: TCP dot1x.local:389
ldap_new_socket: 15
ldap_prepare_socket: 15
ldap_connect_to_host: Trying 192.168.1.10:389
ldap_pvt_connect: fd: 15 tm: 1 async: 0
ldap_ndelay_on: 15
ldap_int_poll: fd: 15 tm: 1
ldap_is_sock_ready: 15
ldap_ndelay_off: 15
ldap_pvt_connect: 0
anonymous rebind via ldap_sasl_bind("")
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x818f1f8 msgid 25
wait4msg ld 0x818f1f8 msgid 25 (timeout 100000 usec)
wait4msg continue ld 0x818f1f8 msgid 25 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local  port: 0
  refcnt: 2  status: Connected
  last used: Wed Sep 23 21:25:55 2009
  rebind in progress
    queue is empty

* host: DomainDnsZones.dot1x.local  port: 0
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


* host: 192.168.1.10  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Sep 23 21:25:55 2009


** ld 0x818f1f8 Outstanding Requests:
 * msgid 25,  origid 25, status InProgress
   outstanding referrals 0, parent count 0
 * msgid 22,  origid 15, status InProgress
   outstanding referrals 0, parent count 3
 * msgid 18,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 2
 * msgid 16,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 1
 * msgid 15,  origid 15, status ChasingRefs
   outstanding referrals 2, parent count 3
  ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
 * msgid 15,  type 115
   chained responses:
  * msgid 15,  type 115
  * msgid 15,  type 115
  ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 25 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 25 all 1
read1msg: ld 0x818f1f8 msgid 25 message type bind
read1msg: ld 0x818f1f8 0 new referrals
read1msg:  mark request completed, ld 0x818f1f8 msgid 25
request done: ld 0x818f1f8 msgid 25
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 25, msgid 25)
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
ldap_parse_result
ldap_msgfree
read1msg:  search ref chased, mark request chasing refs, id = 15
adding response ld 0x818f1f8 msgid 15 type 115:
wait4msg ld 0x818f1f8 3 s 972321 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local  port: 0
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


* host: DomainDnsZones.dot1x.local  port: 0
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


* host: 192.168.1.10  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Sep 23 21:25:55 2009


** ld 0x818f1f8 Outstanding Requests:
 * msgid 24,  origid 15, status InProgress
   outstanding referrals 0, parent count 4
 * msgid 22,  origid 15, status InProgress
   outstanding referrals 0, parent count 3
 * msgid 18,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 2
 * msgid 16,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 1
 * msgid 15,  origid 15, status ChasingRefs
   outstanding referrals 2, parent count 4
  ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
 * msgid 15,  type 115
   chained responses:
  * msgid 15,  type 115
  * msgid 15,  type 115
  * msgid 15,  type 115
  ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 22 message type search-result
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 22
read1msg: ld 0x818f1f8 0 new referrals
read1msg:  mark request completed, ld 0x818f1f8 msgid 22
merged parent (id 15) error info:  result errno 1, error <>, matched <>
ldap_free_connection 0 1
ldap_send_unbind
ldap_free_connection: actually freed
wait4msg ld 0x818f1f8 3 s 972094 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local  port: 0
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


* host: 192.168.1.10  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Wed Sep 23 21:25:55 2009


** ld 0x818f1f8 Outstanding Requests:
 * msgid 24,  origid 15, status InProgress
   outstanding referrals 0, parent count 4
 * msgid 22,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 3
 * msgid 18,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 2
 * msgid 16,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 1
 * msgid 15,  origid 15, status ChasingRefs
   outstanding referrals 1, parent count 4
  ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
 * msgid 15,  type 115
   chained responses:
  * msgid 15,  type 115
  * msgid 15,  type 115
  * msgid 15,  type 115
  ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 15 message type search-result
read1msg: ld 0x818f1f8 0 new referrals
read1msg:  mark request completed, ld 0x818f1f8 msgid 15
ldap_free_connection 0 1
ldap_free_connection: refcnt 1
wait4msg ld 0x818f1f8 3 s 971737 us to go
wait4msg continue ld 0x818f1f8 msgid 15 all 1
** ld 0x818f1f8 Connections:
* host: dot1x.local  port: 0
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


* host: 192.168.1.10  port: 389  (default)
  refcnt: 1  status: Connected
  last used: Wed Sep 23 21:25:55 2009


** ld 0x818f1f8 Outstanding Requests:
 * msgid 24,  origid 15, status InProgress
   outstanding referrals 0, parent count 4
 * msgid 22,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 3
 * msgid 18,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 2
 * msgid 16,  origid 15, status RequestCompleted
   outstanding referrals 0, parent count 1
 * msgid 15,  origid 15, status RequestCompleted
   outstanding referrals 1, parent count 4
  ld 0x818f1f8 request count 5 (abandoned 0)
** ld 0x818f1f8 Response Queue:
 * msgid 15,  type 115
   chained responses:
  * msgid 15,  type 115
  * msgid 15,  type 115
  * msgid 15,  type 115
  ld 0x818f1f8 response count 1
ldap_chkResponseList ld 0x818f1f8 msgid 15 all 1
ldap_chkResponseList returns ld 0x818f1f8 NULL
ldap_int_select
read1msg: ld 0x818f1f8 msgid 15 all 1
read1msg: ld 0x818f1f8 msgid 24 message type search-result
ldap_chase_referrals
read1msg:  V2 referral chased, mark request completed, id = 24
read1msg: ld 0x818f1f8 0 new referrals
read1msg:  mark request completed, ld 0x818f1f8 msgid 24
merged parent (id 15) error info:  result errno 1, error <00000000: LdapErr:
DSID-0C090627, comment: In order to perform this operation a successful bind
must be completed on the connection., data 0, vece>, matched <>
request done: ld 0x818f1f8 msgid 15
res_errno: 1, res_error: <00000000: LdapErr: DSID-0C090627, comment: In
order to perform this operation a successful bind must be completed on the
connection., data 0, vece>, res_matched: <>
ldap_free_request (origid 15, msgid 15)
ldap_free_request (origid 15, msgid 24)
ldap_free_request (origid 15, msgid 22)
ldap_free_request (origid 15, msgid 18)
ldap_free_request (origid 15, msgid 16)
ldap_free_connection 0 1
ldap_send_unbind
ldap_free_connection: actually freed
adding response ld 0x818f1f8 msgid 15 type 101:
ldap_parse_result
ldap_err2string
rlm_ldap: ldap_search() failed: Operations error
ldap_msgfree
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> dot1x\user3
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 66 to 192.168.1.7 port 1645
Waking up in 4.9 seconds 
-- 
View this message in context: http://www.nabble.com/Allow-users-from-a-specific-AD-group-tp25540156p25540156.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
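Added example, not part of the original post: a small Python check that reads libldap/rlm_ldap debug output like the one above and flags the pattern it shows, namely a v3 referral (here to the CN=Configuration partition) being chased with an anonymous rebind, which AD then refuses with "a successful bind must be completed on the connection", so the group search fails before any membership is evaluated. The excerpt is a constructed sample modelled on the post's log; the rlm_ldap settings that govern this behaviour are chase_referrals and rebind.

```python
import re

# Constructed excerpt modelled on the debug output in the post above; it is
# not the full log, just the lines that carry the diagnosis.
SAMPLE_DEBUG = """\
ldap_chase_v3referral: msgid 15, url "ldap://dot1x.local/CN=Configuration,DC=dot1x,DC=local"
ldap_connect_to_host: TCP dot1x.local:389
anonymous rebind via ldap_sasl_bind("")
read1msg:  search ref chased, mark request chasing refs, id = 15
merged parent (id 15) error info:  result errno 1, error <00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece>, matched <>
rlm_ldap: ldap_search() failed: Operations error
++[ldap] returns fail
"""

REFERRAL_RE = re.compile(r'ldap_chase_v3referral: msgid (\d+), url "(ldap://[^"]+)"')
ANON_REBIND = 'anonymous rebind via ldap_sasl_bind("")'
AD_NEEDS_BIND = "a successful bind must be completed on the connection"

def diagnose(debug_text):
    """Scan debug output for referral chasing: which URLs were chased, how many
    anonymous rebinds happened, whether AD refused an unbound operation, and whether
    rlm_ldap reported the search as failed."""
    referral_urls = [url for _, url in REFERRAL_RE.findall(debug_text)]
    anonymous_rebinds = debug_text.count(ANON_REBIND)
    ad_refused_unbound = AD_NEEDS_BIND in debug_text
    search_failed = "ldap_search() failed" in debug_text
    return {
        "referral_urls": referral_urls,
        "anonymous_rebinds": anonymous_rebinds,
        "ad_refused_unbound": ad_refused_unbound,
        "search_failed": search_failed,
        # All four together: the search died because a referral was chased
        # with an anonymous bind that AD would not accept.
        "referral_rebind_failure": bool(referral_urls) and anonymous_rebinds > 0
        and ad_refused_unbound and search_failed,
    }

def summarize(report):
    """One-line human summary of a diagnose() report."""
    if report["referral_rebind_failure"]:
        return ("search failed while chasing referral(s) %s with an anonymous "
                "rebind; AD requires an authenticated bind on that connection"
                % ", ".join(report["referral_urls"]))
    if report["search_failed"]:
        return "search failed for a reason other than referral chasing"
    return "no referral-related failure found"

if __name__ == "__main__":
    print(summarize(diagnose(SAMPLE_DEBUG)))
```

Feed it the real `radiusd -X` output instead of SAMPLE_DEBUG to confirm the same pattern on your own server.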