ldap group membership check issue

Евгений Подберезкин epodber at gmail.com
Fri Oct 27 13:49:52 CEST 2017


Hi, Alan.
Thanks for the reply. I've already added the realms to proxy.conf, but
adding the ntdomain module wasn't obvious to me (suffix is enabled by default,
so I did not care about it).
I have one more question; could you give me a hint?

If I check LDAP-Group in etc/raddb/users, it works.

DEFAULT chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"

DEFAULT Auth-Type := Reject
        Reply-Message = "Group do not match"

But if I need to set an attribute in post-auth, it does not work.

E.g. in sites-enabled/default or sites-enabled/inner-tunnel:

post-auth {
        # set the VLAN only for members of the WiFi group
        if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
                update reply {
                        Tunnel-Private-Group-ID := "165"
                }
        }
}


radiusd -X :

(9) # Executing section post-auth from file
/opt/freeradius3/etc/raddb/sites-enabled/default
(9)   post-auth {
(9)     if (chtpzldap-LDAP-Group ==
"CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
(9)     *if (chtpzldap-LDAP-Group ==
"CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru")  -> FALSE*
(9)     update {
(9)       No attributes updated
(9)     } # update = noop
(9)     [exec] = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop



2017-10-27 15:58 GMT+05:00 Alan DeKok <aland at deployingradius.com>:

> On Oct 27, 2017, at 6:03 AM, Евгений Подберезкин <epodber at gmail.com>
> wrote:
> > I'm trying to check a group of user in Active directory (Win2008) using
> > rlm_ldap. While we have several domains in transitive relations, I should
> > send username with domain part. When domain name is a suffix (
> > epodberezkin at chtpz.ru), it is working, prefix - not (when windows uses
> > login username and domain automatically - f.e. CHTPZ0\epodberezkin)
>
>   You need to configure the ntdomain module.  See
> raddb/sites-enabled/default, and look for "ntdomain".  And see
> raddb/mods-available/realm.  Also look for "ntdomain"
>
> > Output of radiusd -X shows, that "DOMAIN\" part is not removed, so
> > sAMAccountname is incorrect
>
>   That's "radiusd -Xxx".  PLEASE follow instructions and just use "radiusd
> -X".  Honestly, I now have to say this DAILY on the list.  What's going on,
> people?
>
>   On top of that, it's only a tiny portion of the debug output.
>
> > How can I fix this??
>
>   Configure CHTPZ0 as a realm.  And do ntdomain checking.
>
>   Again, if you follow instructions, run "radiusd -X", and *read the
> output*, you would see it finding the "chtpz.ru" realm, and stripping
> it.  That should be a strong hint that you probably also need to configure
> a CHTPZ0 domain, too.
>
>   Alan DeKok.
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
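The two steps that the thread turns on are realm stripping (suffix `user@realm` versus ntdomain `REALM\user`) and the comparison of the stripped account's group DNs against the expected group DN. The following Python is an added illustration, not code from this thread or from FreeRADIUS: it models those two steps on a constructed directory snapshot so the failure mode is visible, namely that a group lookup keyed on the unstripped `CHTPZ0\epodberezkin` finds no account and the check returns FALSE, while the same check on the stripped name succeeds. The `DIRECTORY` contents, the `KNOWN_REALMS` set and the function names are assumptions made for the example; the group DN and VLAN id are the ones quoted in the message above.

```python
"""Added example: realm stripping plus LDAP group DN matching, modelled
after the check discussed in the thread. Directory data is constructed."""
import re

# Constructed snapshot of sAMAccountName -> memberOf DNs (assumption).
DIRECTORY = {
    "epodberezkin": [
        "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru",
        "CN=Domain Users,CN=Users,DC=chtpz,DC=ru",
    ],
    "guest": ["CN=Domain Guests,CN=Users,DC=chtpz,DC=ru"],
}

# Realms assumed to be configured (proxy.conf / realm module); lower-cased.
KNOWN_REALMS = {"chtpz.ru", "chtpz0"}

WIFI_GROUP = "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"


def split_realm(user_name):
    """Return (stripped_user, realm) the way the 'ntdomain' (REALM\\user)
    and 'suffix' (user@realm) realm formats would. An unknown realm is
    left untouched, so the lookup key stays the full login string."""
    if "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    elif "@" in user_name:
        user, _, realm = user_name.rpartition("@")
    else:
        return user_name, None
    if realm.lower() not in KNOWN_REALMS:
        return user_name, None
    return user, realm.lower()


def normalize_dn(dn):
    """Case-fold each RDN and drop whitespace around unescaped commas;
    DN string matching is case-insensitive for directory strings."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def in_group(account, group_dn):
    """True if the account's memberOf list contains group_dn."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(dn) == target for dn in DIRECTORY.get(account, []))


def decide(user_name, group_dn=WIFI_GROUP):
    """Reproduce the post-auth decision: VLAN for group members, reject
    otherwise. Returns the attributes that would be set."""
    account, realm = split_realm(user_name)
    if in_group(account, group_dn):
        return {"Tunnel-Private-Group-ID": "165", "Stripped-User-Name": account, "Realm": realm}
    return {"Auth-Type": "Reject", "Reply-Message": "Group do not match", "Realm": realm}


if __name__ == "__main__":
    for login in ("CHTPZ0\\epodberezkin", "epodberezkin@chtpz.ru", "OTHER\\epodberezkin", "guest"):
        print(f"{login:28} -> {decide(login)}")
```

Running the block shows the prefix and suffix logins resolving to the same account and VLAN, while `OTHER\epodberezkin` (a realm that is not configured) is never stripped and is rejected because no account matches the full string; that is the same shape of result as the `-> FALSE` line in the debug output above when the lookup name still carries a domain prefix.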
