Conditional attributes with AD
Scott McLane Gardner
sgardne at uark.edu
Mon Mar 12 22:07:23 CET 2012
Okay, I am a couple steps closer, but still having trouble. My radius
server is saying my test user is not in the group I'm filtering for,
however I know that it is. My sites-available/default config looks like:
authorize
...
    ldap
    if (Ldap-Group == "PWHC Secure Wireless") {
        update reply {
            Tunnel-type = VLAN
            Tunnel-medium-type = IEEE-802
            Tunnel-Private-Group-Id = 456
        }
    }
...
And my modules/ldap config looks like:
ldap {
    #
    # Note that this needs to match the name in the LDAP
    # server certificate, if you're using ldaps.
    server = "adserver.example.com"
    identity = "cn=admin,ou=users,dc=example,dc=com"
    password = adminpass
    basedn = "ou=users,dc=example,dc=com"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    ...
And I'm receiving the following log messages:
[ldap] performing user authorization for username
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> username
[ldap] expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(sAMAccountName=username)
[ldap] expand: ou=users,dc=example,dc=com -> ou=users,dc=example,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to adserver.uark.edu:389, authentication 0
[ldap] bind as cn=netoc,ou=users,dc=example,dc=com/password to
adserver.uark.edu:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in ou=users,dc=example,dc=com, with filter
(sAMAccountName=username)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that
the user is configured correctly?
[ldap] user username authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (Ldap-Group == "PWHC Secure Wireless")
[ldap] Entering ldap_groupcmp()
expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
fUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(
uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=users,dc=example,dc=com, with filter
(&(memberOf=PWHC Secure
Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniq
ueNames)(uniquemember=))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group PWHC Secure Wireless not found or user is
not a member.
? Evaluating (Ldap-Group == "PWHC Secure Wireless") -> FALSE
++? if (Ldap-Group == "PWHC Secure Wireless") -> FALSE
It looks to me like it's binding and searching and deciding that I'm not a
member of that group, however I know that I am because if I do a
command-line ldapsearch it shows that I'm a member of that group.
# ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D
cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: cn=username
# requesting: memberOf
#
# username, Users, example.com
dn: CN=username,OU=users,dc=example,dc=com
memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special
Accounts,dc=example
,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Can anyone tell me what I'm doing wrong?
Thanks,
Scott
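The debug output above shows two things worth checking side by side: the group search filter compares memberOf against the bare name "PWHC Secure Wireless", while the ldapsearch result shows that Active Directory stores memberOf as full group DNs (CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com), and the ldapsearch output is LDIF, whose long values are folded onto continuation lines. The following Python script is an added example, not code from the post or from FreeRADIUS: it parses a constructed copy of the LDIF shown above (unfolding continuation lines), then evaluates the membership condition both as a literal string comparison (what a filter like (memberOf=PWHC Secure Wireless) amounts to) and as a comparison against the CN of each memberOf DN. All DNs, the group name and the helper names are taken from or modelled on the post; nothing here asserts what rlm_ldap itself does internally.

```python
"""
Added example (not from the original mailing-list post or from FreeRADIUS):
parse memberOf values out of an LDIF search result and evaluate a
group-membership condition against them.

Two points it makes explicit:
  * LDIF folds long values onto continuation lines that start with one space,
    so a naive line-by-line reader mis-parses the second memberOf value.
  * AD's memberOf attribute holds full group DNs, so a bare group name only
    matches when compared with the CN component of each DN, not the whole
    value.
"""

from __future__ import annotations

import re
from typing import Dict, List

# Constructed sample modelled on the ldapsearch output in the post. The second
# memberOf value is folded the way LDIF folds it (continuation line begins
# with a single space).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <ou=users,dc=example,dc=com> with scope subtree
# filter: cn=username
# requesting: memberOf
#

# username, Users, example.com
dn: CN=username,OU=users,dc=example,dc=com
memberOf: CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com
memberOf: CN=UA: SecondaryAccount,OU=ManagedGroups,OU=Special Accounts,dc=exa
 mple,dc=com

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the line before."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Return one {attribute: [values]} dict per entry; attribute names are
    lower-cased because LDAP attribute names are case-insensitive. Comment
    lines are skipped; base64 ('::') values are not handled in this example."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold_ldif(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def dn_cn(dn: str) -> str:
    """Return the value of the leading CN RDN of a DN (empty if it is not CN).
    Splits on unescaped commas so 'CN=Smith\\, John,OU=x' keeps its CN intact."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, _, value = first_rdn.partition("=")
    return value.strip() if key.strip().lower() == "cn" else ""


def is_member_literal(entry: Dict[str, List[str]], group: str) -> bool:
    """The comparison a filter such as (memberOf=<group>) amounts to: the
    whole memberOf value must equal the string (case-insensitively)."""
    wanted = group.strip().lower()
    return any(v.lower() == wanted for v in entry.get("memberof", []))


def is_member_by_cn(entry: Dict[str, List[str]], group: str) -> bool:
    """Accept either a full group DN or a bare group name (matched against
    the CN of each memberOf DN), case-insensitively as AD does."""
    wanted = group.strip().lower()
    for value in entry.get("memberof", []):
        if value.lower() == wanted or dn_cn(value).lower() == wanted:
            return True
    return False


def membership_report(ldif: str, group: str) -> Dict[str, bool]:
    """Evaluate the group condition both ways for the first entry that has a dn."""
    users = [e for e in parse_entries(ldif) if "dn" in e]
    if not users:
        return {"literal": False, "by_dn_or_cn": False}
    return {
        "literal": is_member_literal(users[0], group),
        "by_dn_or_cn": is_member_by_cn(users[0], group),
    }


if __name__ == "__main__":
    for g in ("PWHC Secure Wireless",
              "CN=PWHC Secure Wireless,OU=PWHC,dc=example,dc=com"):
        print(g, "->", membership_report(SAMPLE_LDIF, g))
```

Run stand-alone, the script reports that the bare name matches nothing as a literal memberOf comparison but does match once the CN of each group DN is compared, while the full DN matches both ways. When reproducing a failed group check, the ldapsearch confirmation is only conclusive if the value it returns is compared in the same form (DN versus name) that the RADIUS-side filter uses.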