Dynamic vlan with ldap group fail

Sautron Nick sautronnick at yahoo.fr
Tue Mar 24 13:22:19 CET 2015


Hello everyone, I have a problem concerning the dynamic assignment of VLAN according to ldap groups.

 Here is my LDAP schema:

 dc = company, dc = com
      ou = eduroam
             ou = groups
                  cn = service
                  cn = personal
                  cn = student
                  cn = users

my users file:

DEFAULT Ldap-Group == "service"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 5


DEFAULT Ldap-Group == "personnal"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 6


DEFAULT Ldap-Group == "student"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 7

DEFAULT Ldap-Group == "users"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 8


modules/ldap file:

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "********"
        identity = "cn=admin,ou=eduroam,dc=company,dc=fr"
        password = ******
        
        basedn = "ou=People,dc=company,dc=fr"
        
        filter = "(&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true))"

        base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20

............ #
        #  Group membership checking.  Disabled by default.
        #
         groupname_attribute = cn
        groupmembership_filter = "(&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=company,dc=fr))"
      
        #groupmembership_attribute = radiusGroupName


freeradius -X
extract .....

[ldap] Entering ldap_groupcmp()
[files]         expand: ou=People,dc=****,dc=fr -> ou=People,dc=*****,dc=fr
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> *****
[files]         expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true)) -> (&(Login=******)(dialupAccess=true))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=*******,dc=fr, with filter (&(Login=*****)(dialupAccess=true))
  [ldap] ldap_release_conn: Release Id: 0
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> ******
[files]         expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr)) -> (&(Login=******)(isMemberOf=ou=groups,ou=eduroam,dc=******,dc=fr))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=*****,dc=fr, with filter (&(cn=service)(&(Login=*****)(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group service not found or user is not a member.
  [ldap] Entering ldap_groupcmp()
[files]         expand: ou=People,dc=******,dc=fr -> ou=People,dc=****,dc=fr
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> *****
[files]         expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=*******,dc=fr)) -> (&(Login=*******)(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=*****,dc=fr, with filter (&(cn=personnal)(&(Login=*******)(isMemberOf=ou=groups,ou=eduroam,dc=******,dc=fr)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group personnal not found or user is not a member.
  [ldap] Entering ldap_groupcmp()
[files]         expand: ou=People,dc=******,dc=fr -> ou=People,dc=*****,dc=fr
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> *****
[files]         expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=*******,dc=fr)) -> (&(Login=*****)(isMemberOf=ou=groups,ou=eduroam,dc=*******,dc=fr))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=****,dc=fr, with filter (&(cn=student)(&(Login=*****)(isMemberOf=ou=groups,ou=eduroam,dc=****,dc=fr)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group student not found or user is not a member.
  [ldap] Entering ldap_groupcmp()
[files]         expand: ou=People,dc=******,dc=fr -> ou=People,dc=****,dc=fr
[files]         expand: %{Stripped-User-Name} ->
[files]         ... expanding second conditional
[files]         expand: %{User-Name} -> *******
[files]         expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr)) -> (&(Login=****)(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=*******,dc=fr, with filter (&(cn=users)(&(Login=******)(isMemberOf=ou=groups,ou=eduroam,dc=*****,dc=fr)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group users not found or user is not a member.
++[files] returns noop
[ldap] performing user authorization for *******
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> *****
[ldap]  expand: (&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true)) -> (&(Login=****)(dialupAccess=true))
[ldap]  expand: ou=People,dc=******,dc=fr -> ou=People,dc=****,dc=fr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=******,dc=fr, with filter (&(Login=*****)(dialupAccess=true))
..........

 Can someone explain to me why the FreeRADIUS server cannot find the groups? Is this the right configuration?


Best regards
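Added example, not code from the post or from FreeRADIUS: an in-memory model of the search that rlm_ldap (FreeRADIUS 2.x) issues in ldap_groupcmp, which the debug output above shows as (&(cn=<group>)<groupmembership_filter>) under basedn. The directory entries, the user "alice" and the corrected filter (the shape of the stock 2.x groupOfNames filter, using the %{control:Ldap-UserDn} xlat) are assumptions; the poster's own filter is reproduced as posted.

```python
# Constructed entries mirroring the poster's tree (not real data): one user
# under ou=People and one group under ou=groups. Keys are lower-cased.
DIRECTORY = {
    "uid=alice,ou=People,dc=company,dc=fr": {
        "objectclass": ["radiusprofile"], "login": ["alice"],
        "dialupaccess": ["true"],
        "ismemberof": ["cn=service,ou=groups,ou=eduroam,dc=company,dc=fr"],
    },
    "cn=service,ou=groups,ou=eduroam,dc=company,dc=fr": {
        "objectclass": ["groupofnames"], "cn": ["service"],
        "member": ["uid=alice,ou=People,dc=company,dc=fr"],
    },
}

def parse(filt):
    """Parse the RFC 4515 subset used here: (&...), (|...) and (attr=value)."""
    body = filt[1:-1]
    if body[0] in "&|":
        items, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":      # one complete sub-filter
                items.append(parse(body[start:i + 1]))
                start = i + 1
        return (body[0], items)
    attr, value = body.split("=", 1)          # first '=' separates attr
    return ("=", attr.lower(), value.lower())

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, n) for n in node[1])
    if node[0] == "|":
        return any(matches(entry, n) for n in node[1])
    return node[2] in [v.lower() for v in entry.get(node[1], [])]

def search(basedn, filt):
    """Subtree search: entries below basedn whose attributes match filt."""
    node = parse(filt)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(basedn.lower()) and matches(e, node)]

def group_check(group, membership_filter, basedn, user_dn, login):
    """Model of ldap_groupcmp: expand the xlats, then search for the group."""
    expanded = (membership_filter
                .replace("%{%{Stripped-User-Name}:-%{User-Name}}", login)
                .replace("%{control:Ldap-UserDn}", user_dn))
    return len(search(basedn, f"(&(cn={group}){expanded})")) > 0

# The poster's filter, searched under ou=People: it requires a *user* entry
# to carry cn=<group>, so nothing can match and every group comparison fails.
POSTER_FILTER = ("(&(Login=%{%{Stripped-User-Name}:-%{User-Name}})"
                 "(isMemberOf=ou=groups,ou=eduroam,dc=company,dc=fr))")
# Assumed fix: match the *group* entry by the user's DN, with basedn above
# ou=groups so the group objects are inside the search base.
GROUP_FILTER = "(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))"
ALICE = "uid=alice,ou=People,dc=company,dc=fr"
```

Running group_check with POSTER_FILTER under ou=People reproduces the "object not found" result for every group, while GROUP_FILTER under dc=company,dc=fr finds "service" and still rejects groups alice is not in.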