LDAP group authentication

[Arran Cudbard-Bell]

> On 21 Jul 2017, at 21:00, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Jul 21, 2017, at 2:53 PM, Jake L. via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Thanks again Bogdan and sorry for my long delay on this. If you or anyone else can assist in our question below that would be awesome. Just getting back to it with my co-workers and we are running into the following issue. We've set it up using your examples below, but it says it's unable to find the user via ldap. When we disable checking via the "memberOf" method, it is able to find the user. The part I may have wrong is the commented out section inside of the ldap stanza underneath 'update'. However, anything I uncommented there failed to work. Any thoughts? Here are our tests and setups:
>> 
>> If anyone has any suggestions, please let me know (or if you need more details!). Much thanks!!
>> ...
>> (0)  ldap : Performing search in 'cn=users,cn=accounts,dc=example,dc=com' with filter '(|(&(uid=intopstest)(memberOf=cn=netops_radius,cn=groups,cn=accounts,dc=example,dc=com)))', scope 'sub'
>> (0)  ldap : Waiting for search result...
>> (0)  ldap : Search returned no results
> 
> What do you get when you run that search using an LDAP client utility?

Yeah, that’s really the key thing here.  rlm_ldap doesn’t do anything magical.  If ldapsearch does work, and you can run without TLS, you can compare the packet captures to see if there’s anything different.

99% of the time though, ldapsearch doesn’t work and rum_ldap has just been configured wrong.

-Arran
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170723/7f3660c1/attachment.sig>