Authenticating groups via LDAP
John Maher
john at chem.umass.edu
Fri May 21 16:44:46 CEST 2010
On 05/21/2010 01:26 AM, John Dennis wrote:
John,
Thank you very much for responding with such detail and clarity. And
thanks for pointing me to ldap_howto.txt. I'll be studying this to
understand it better.
Please see below for other comments.
> As an aside one of the very first things I noticed looking at your debug
> output is the ldap module was built to use the Novell eDirectory server
> (which is a compile time switch). Unless you're using the Novell
> eDirectory server rather than a generic directory server things are
> going to behave a bit weird. Any idea why it's built to use Novell?
> Anyway that's probably not the crux of your problem at the moment, just
> a data point. I don't know why the eDirectory #ifdef's are even in
> rlm_ldap, to be honest they seem to be "odd" to put it politely.
I have no idea why that is the case. I did the following to create and
install freeradius on Ubuntu (as suggested by this page:
http://wiki.freeradius.org/Build#Building_Debian_packages):
$ tar zxf freeradius-server-2.X.Y.tar.gz
$ cd freeradius-server-2.X.Y
$ fakeroot dpkg-buildpackage -b -uc
$ sudo dpkg -i ../freeradius_2.X.Y-0_i386.deb
> I don't have time at the moment to fully analyze what's going on in your
> set up but one of the very first things I noticed was this:
>
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> ->
>
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
>
> Notice something?
I didn't notice what you pointed out, but it's telling. Actually, the
thing I noticed and am confused by is that the filter I have in
/etc/freeradius/modules/ldap (is that simply the configuration file for
rlm_ldap?) is this:
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
So why is the filter in the output this:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
That filter is VERY similar to the commented out line in
/etc/freeradius/modules/ldap. It appears to be hard coded in rlm_ldap,
which is not likely, right? That commented out line is this:
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
I'm going to think through your other comments now.
Thanks again.
John
--
* - - - - * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
John Maher
Senior Systems and Network Administrator
Department of Biochemistry & Molecular Biology and
Department of Chemistry
University of Massachusetts - Amherst
voice: 413-577-3120 fax: 413-545-4490
OpenPGP Key ID: 0x2970A144
Want your email to be private? http://enigmail.mozdev.org
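The empty %{Ldap-UserDn} expansion that the quoted reply points out, reproduced as an added example (not FreeRADIUS code and not from either poster): a minimal xlat expander for the %{Attr} and %{Attr:-default} forms used in groupmembership_filter, plus a check that flags assertions whose value expanded to nothing. The function names (`_close`, `expand`, `check_filter`) and the sample request attributes are assumptions; the two filter templates are the ones from this thread.

```python
import re
# Added example, not FreeRADIUS code: a minimal xlat expander for the %{Attr}
# and %{Attr:-default} forms used in groupmembership_filter, plus a check for
# assertions whose value expanded to nothing (the "(member=)" in the debug output).

def _close(s, i):
    """Index of the '}' matching the '{' at s[i], honouring nested xlats."""
    depth = 0
    for k in range(i, len(s)):
        depth += (s[k] == "{") - (s[k] == "}")
        if depth == 0:
            return k
    raise ValueError("unbalanced %{...} in filter template")

def expand(template, attrs):
    """Expand xlats against a dict of request attributes.
    A missing/empty attribute becomes "" unless a :-default (which may itself
    contain xlats) is given. List qualifiers such as 'control:' are stripped,
    a simplification: real FreeRADIUS looks the attribute up in that list."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _close(template, i + 1)
            name, sep, default = template[i + 2:j].partition(":-")
            val = attrs.get(name.split(":", 1)[-1]) or ""
            out.append(val if val or not sep else expand(default, attrs))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

# Matches "(attr=)", "(attr>=)" etc.: an assertion whose value side is empty.
_EMPTY = re.compile(r"\(([A-Za-z][\w.;-]*)(?:=|~=|>=|<=)\)")

def check_filter(template, attrs):
    """Expand a filter template; return it with the attrs whose value is empty."""
    expanded = expand(template, attrs)
    return expanded, _EMPTY.findall(expanded)

# The two filters quoted in the thread.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
POSIX_FILTER = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"

if __name__ == "__main__":
    # Constructed request: Ldap-UserDn has not been set before the group check.
    req = {"User-Name": "jmaher@chem.umass.edu", "Stripped-User-Name": "jmaher"}
    for tmpl in (GROUP_FILTER, POSIX_FILTER):
        flt, empty = check_filter(tmpl, req)
        print(flt, "-> empty values for:", empty or "none")
```

Running the group filter through `check_filter` before Ldap-UserDn is populated yields exactly the "(member=)" and "(uniquemember=)" assertions the reply highlights; a filter that reports any empty assertion should be treated as a misconfiguration rather than sent to the directory.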