ldap group filter
crzrobot
mateivan at yahoo.com
Sun May 8 17:19:14 CEST 2011
Hi Phil,
Thank You for the response. Your input helps a lot.
I did the modifications you suggested, but the fetching of the variable is done too late. When the checking of the group is done, %{control:Ldap-UID} comes up empty; it is fetched later. See the FreeRADIUS output below.
Is there a possibility that %{control:Ldap-UID} could be filled before the group test?
Thank You again.
[ldap] Entering ldap_groupcmp()
[files] expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> test01
[files] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test01)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as cn=admin,dc=home,dc=net/test123 to localhost:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net) -> (uniquemember=uidNumber=,ou=people,dc=home,dc=net)
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=group1,ou=group,dc=home,dc=net, with filter (uniquemember=uidNumber=,ou=people,dc=home,dc=net)
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group cn=group1,ou=group,dc=home,dc=net not found or user is not a member.
++[files] returns noop
[ldap] performing user authorization for test01
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> test01
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test01)
[ldap] expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] uidNumber -> Ldap-UID == 30001 <--------- here is fetched --------------
[ldap] userPassword -> Password-With-Header == "{SSHA}5Va5FraqFtiFvnYULYP9me/OxLN0lh4P"
[ldap] looking for reply items in directory...
[ldap] Setting Auth-Type = LDAP
[ldap] user test01 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
________________________________
From: Phil Mayers [via FreeRadius] <ml-node+4379760-567345519-206427 at n5.nabble.com>
To: crzrobot <mateivan at yahoo.com>
Sent: Sunday, 8 May 2011, 12:29
Subject: Re: ldap group filter
On 05/08/2011 10:32 AM, crzrobot wrote:
> Sorry for the double posting.
> Hi,
> Recently I implemented a RADIUS authentication using the ldap module.
> The next step is to control the users by groups, and I want to ask how I could
> set up the group filter if I have this kind of configuration for the groups
> on the LDAP server. I tried to google it but had no luck finding useful results.
> The user authentication is done by uid.
>
> Thank You for your help
>
> dn: cn=group1, ou=group,dc=home,dc=net
> objectclass: groupOfUniqueNames
> gidNumber: 30000
> cn: group1
> uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
> uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
> uniquemember: uidNumber=30003, ou=people,dc=home,dc=net
>
It's been a long time, but I think this is invalid LDAP data. The
uniquemember value should be a valid DN.
You probably could make this work in FreeRADIUS, but you should fix your
LDAP schema.
You'll need to do the following:
1. Define a local "uid" attribute in raddb/dictionary e.g.
ATTRIBUTE Ldap-UID 3000 integer
2. Define a mapping in ldap.attrmap from LDAP to radius for the uid e.g
checkItem Ldap-UID uidNumber
3. Update your group query e.g.
groupmembership_filter = \
"(uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net)"
...but it's hacky and nasty - what if the path after the RDN varies? Fix
your LDAP schema to be right and this will just work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________
--
View this message in context: http://freeradius.1045715.n5.nabble.com/ldap-group-filter-tp4379112p4380082.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
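An added example, not from this thread and not FreeRADIUS's own code, showing in stand-alone Python what the two expansions above amount to when the substituted values are handled carefully: assertion values are escaped per RFC 4515 before they are spliced into the filter, and the membership filter refuses to build while the Ldap-UID value is still empty, which is the state the posted debug output shows at the point ldap_groupcmp runs (the filter degenerates to "(uniquemember=uidNumber=,ou=people,dc=home,dc=net)"). The function names are hypothetical; the values test01, 30001 and ou=people,dc=home,dc=net are taken from the thread as sample input.

```python
"""Constructed example: build the thread's two LDAP filters safely.

FreeRADIUS expands `(uid=%{User-Name})` and
`(uniquemember=uidNumber=%{control:Ldap-UID},...)` by string substitution.
This hypothetical helper (not FreeRADIUS code) shows the two checks a
practitioner wants around that pattern: RFC 4515 escaping of the
substituted value, and a hard failure when the value the filter depends
on has not been populated yet.
"""

# RFC 4515 section 3: these characters must be hex-escaped when they
# appear inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(user_name: str, stripped_user_name: str = "") -> str:
    """Equivalent of (uid=%{%{Stripped-User-Name}:-%{User-Name}})."""
    name = stripped_user_name or user_name
    if not name:
        raise ValueError("no user name available for the uid filter")
    return f"(uid={escape_filter_value(name)})"


def group_filter_by_uid_number(ldap_uid: str, people_base: str) -> str:
    """The uidNumber-based membership filter from the thread.

    Fails closed when Ldap-UID is empty or not numeric, which is exactly
    the state the debug output shows when the group check runs before
    rlm_ldap has fetched uidNumber into control:Ldap-UID.
    """
    if not ldap_uid or not ldap_uid.isdigit():
        raise ValueError("control:Ldap-UID is unset or not numeric")
    # people_base is trusted configuration; ldap_uid came from the
    # directory, so it is escaped anyway.
    return (
        f"(uniqueMember=uidNumber={escape_filter_value(ldap_uid)},"
        f"{people_base})"
    )


def group_filter_by_dn(user_dn: str) -> str:
    """Schema-correct variant: uniqueMember holds the member's full DN."""
    if not user_dn:
        raise ValueError("user DN is unset")
    return f"(uniqueMember={escape_filter_value(user_dn)})"


def expansion_outcome(ldap_uid: str, people_base: str) -> tuple:
    """Return ('ok', filter) or ('refused', reason) for the group filter."""
    try:
        return ("ok", group_filter_by_uid_number(ldap_uid, people_base))
    except ValueError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    base = "ou=people,dc=home,dc=net"
    print(user_filter("test01"))                       # (uid=test01)
    print(expansion_outcome("30001", base))            # ('ok', ...)
    print(expansion_outcome("", base))                 # ('refused', ...)
    print(group_filter_by_dn("uid=test01," + base))
```

Note that this only shows how the expanded value should be treated once it is used; it does not change the order in which FreeRADIUS modules run, which is the actual cause of the empty expansion in the posted debug output.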