Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Newton mcn4 at leicester.ac.uk
Fri Aug 19 11:32:18 CEST 2016


On Fri, Aug 19, 2016 at 11:08:52AM +0200, Matthew Pulis wrote:
> Thanks for your patience and help. A few more improvements yet I'm still
> stuck :(
> 
> This is /etc/freeradius/sites-default/inner-tunnel: (the section post_auth)
> 
> if (Ldap-Group == "SeminaryAdmin") {
>     update reply {
>         Tunnel-Type := "VLAN",
>         Tunnel-Medium-Type := "802",
>         Tunnel-Private-Group-ID := "12"
>     }
> }

You aren't doing EAP, so the inner-tunnel isn't being used.

This config should go in sites-enabled/default.


> I tried Ldap-Group == SeminaryAdmin / "SeminaryAdmin"
> /  "cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local" but none of the
> three options worked.

There's no magic - the values are just plugged into the settings
in the config file, and fed to the ldap server. So the debug
output shows you what the actual query is.

The only comment here is you're using version 2 of the server,
which is now EOL and obsolete, and the ldap module has been
rewritten in version 3. So the config you're writing is more
restrictive in what it can do and people will be less inclined to
help here. But it should work.

> Can you please suggest further, this is really mind boggling!! :(
> 
> Fri Aug 19 11:01:56 2016 : Info: # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> Fri Aug 19 11:01:56 2016 : Info: +group post-auth {

But looks like you've got it in sites-enabled/default as well...

> Fri Aug 19 11:01:56 2016 : Info: ++? if (Ldap-Group == SeminaryAdmin)
> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] Entering ldap_groupcmp()
> Fri Aug 19 11:01:56 2016 : Info:        expand:
> ou=SeminaryOU,dc=seminary,dc=local -> ou=SeminaryOU,dc=seminary,dc=local
> Fri Aug 19 11:01:56 2016 : Info:        expand:
> (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))
> ->
> (|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal)))
> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] ldap_get_conn: Got Id: 0
> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] performing search in
> ou=SeminaryOU,dc=seminary,dc=local, with filter
> (&(cn=SeminaryAdmin)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] object not found

Feed these exact queries into e.g. ldapsearch or some other LDAP
search tool, and see if they come up with the required results. My
guess is not. In which case, update the ldap queries in
modules/ldap to match the layout of your directory.

> Fri Aug 19 11:01:56 2016 : Debug:   [ldap] ldap_release_conn: Release Id: 0
> Fri Aug 19 11:01:56 2016 : Debug: rlm_ldap::ldap_groupcmp: Group
> SeminaryAdmin not found or user is not a member.

Looks right - the query didn't return any results.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
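As an added example (not code from this thread or from FreeRADIUS itself): a small Python script that takes the rlm_ldap "performing search" debug line quoted above, decodes the \3d / \2c escapes so the filter is readable, lists the DNs the filter expects to find in the group's member attribute, and builds the equivalent ldapsearch command to run by hand as suggested. The LDAP URI and bind DN are placeholders; take them from modules/ldap.

```python
import re
import shlex

# Constructed sample: the rlm_ldap debug lines quoted in the thread, with the
# mail client's line wrapping kept and the "> " quote prefix removed.
SAMPLE_DEBUG = r"""
Fri Aug 19 11:01:56 2016 : Debug:   [ldap] performing search in
ou=SeminaryOU,dc=seminary,dc=local, with filter
(&(cn=SeminaryAdmin)(|(&(objectClass=GroupOfNames)(member=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn\3dttester\2ccn\3dSeminaryAdmin\2cou\3dSeminaryOU\2cdc\3dseminary\2cdc\3dlocal))))
Fri Aug 19 11:01:56 2016 : Debug:   [ldap] object not found
"""

SEARCH_RE = re.compile(
    r"performing search in\s+(?P<base>\S+?),\s+with filter\s+(?P<filter>\(\S*\))")
# The only characters that must stay escaped inside an RFC 4515 filter value.
MUST_ESCAPE = set("*()\\\x00")

def decode_filter_escapes(value: str) -> str:
    r"""Turn \XX hex escapes back into characters so the filter is readable.
    rlm_ldap escaped "=" and "," as \3d and \2c, which a filter value does not
    require; escapes for *, (, ), \ and NUL are kept because those are required."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        return m.group(0) if ch in MUST_ESCAPE else ch
    return re.sub(r"\\([0-9A-Fa-f]{2})", repl, value)

def parse_group_search(debug_text: str):
    """Return (base_dn, readable_filter) from the 'performing search' debug line."""
    m = SEARCH_RE.search(debug_text)
    if m is None:
        raise ValueError("no rlm_ldap 'performing search' line in debug output")
    return m.group("base"), decode_filter_escapes(m.group("filter"))

def member_dns(filt: str):
    """DNs the filter requires in the group's member/uniqueMember attribute;
    compare them with what the group entry actually holds."""
    return sorted(set(re.findall(r"(?:uniquemember|member)=([^()]+)", filt, re.I)))

def ldapsearch_command(base: str, filt: str, uri: str = "ldap://localhost",
                       bind_dn: str = "") -> str:
    """Shell command repeating the exact query (uri and bind_dn are placeholders)."""
    args = ["ldapsearch", "-x", "-LLL", "-H", uri, "-b", base, "-s", "sub"]
    if bind_dn:
        args += ["-D", bind_dn, "-W"]
    args += [filt, "dn"]
    return " ".join(shlex.quote(a) for a in args)

if __name__ == "__main__":
    base, filt = parse_group_search(SAMPLE_DEBUG)
    print("member DNs tested:", member_dns(filt))
    print(ldapsearch_command(base, filt, bind_dn="cn=PLACEHOLDER-BIND-DN"))
```

If the printed ldapsearch returns no entry, the group entry does not list that DN under member/uniqueMember and the filter or base in modules/ldap needs to be changed to match the directory layout.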