LDAP Post-Auth with computer names using eap-tls certs

Alan DeKok aland at deployingradius.com
Wed Nov 28 22:48:47 CET 2018

On Nov 28, 2018, at 4:39 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
> So I'll give a brief summary of everything I have done so far. I have set a freeradius server to work with certs. I originally had the certs named by user name but my company had decided that computer names was the way they wanted to go. So I changed the certs to hand out the sAMAccountName of the computer. Previously the LDAP I had set up in post-auth was working with the username and works with the computer name as well; however, my company has decided that the ldap queries are too plentiful and would like to narrow them down. Let me backtrack for a second as this is important to the problem. LDAP is to be used to identify a user in a specific group and then authorize and put them into a vlan. Like I said this was all working with usernames and computer names. However, because the AD is set up in a way that certain computer groups are nested in larger vlan groups, I had to manually query for the lower level groups instead of the overarching vlan group because I needed the query to return computer names, not more workstation groups. So here I am, I have this query that works in ldp.exe


> This query returns computer names and works in ldp. Below are snippets from my conf files
> ldap module conf

  Please don't post the config.  All of the documentation says to *not* do that.  Especially this:


>        if(LDAP-Group == "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local"){

  That's not really how the LDAP-Group check operates.  See the Wiki, there's documentation on this.

  It's meant to check just the group name:

	if (LDAP-Group == "vlan")  { ...

> Here is a snippet from the error in the debug output.
> Mon Nov 26 23:53:09 2018 : Debug: rlm_ldap (ldap): Rebinding to URL ldap://Server

  PLEASE follow the instructions for debug output.  It really is documented *everywhere*.  Use "radiusd -X", and not anything else.

> Mon Nov 26 23:53:09 2018 : Debug: (5)       EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
> Mon Nov 26 23:53:09 2018 : Debug: (5)          --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))

  Note that the "=" is escaped to "\2c".  Which should be a hint that you should be using just the group name.

> I am sure that my syntax is wrong somewhere, maybe the ldap-group part in the ldap query? I would like to point out that it does find the group when I switch the object class to group from computer, but only in the sub groups and not the larger group. Any help would be greatly appreciated.

  LDAP group checking doesn't search subgroups.  It only checks the main groups that a user is a member of.

  Alan DeKok.
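The two points in the reply above, as an added worked example that is not part of the original thread and not FreeRADIUS code: a small in-memory model of a directory in which a computer sits in a workstation group that is itself nested in a larger "vlan" group. The DNs, group names and the escaping rule are constructed assumptions (the safe-character set is modelled on the `\3d` / `\2c` seen in the debug output, not copied from rlm_ldap). It shows why a full DN pasted into a filter comes back escaped, why `LDAP-Group` is compared against the bare group name, and why a direct-membership check does not see a nested group while a transitive walk does.

```python
# Added example for this thread (not from the original post or from
# FreeRADIUS): an in-memory model of the behaviours discussed above.
# All directory entries, DNs and names below are constructed.

# Constructed directory: DN -> set of group DNs the entry is directly in
# (the memberOf attribute). ws01 is in eng-workstations, which is nested
# in the larger "vlan" group; ws01 is NOT a direct member of "vlan".
DIRECTORY = {
    "CN=ws01,OU=Computers,OU=Departments,DC=testDomain,DC=local": {
        "CN=eng-workstations,OU=generalgroups,OU=Departments,DC=testDomain,DC=local",
    },
    "CN=eng-workstations,OU=generalgroups,OU=Departments,DC=testDomain,DC=local": {
        "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local",
    },
    "CN=vlan,OU=generalgroups,OU=Departments,DC=testDomain,DC=local": set(),
}


def group_name(dn):
    """Return the first RDN value of a DN, e.g. 'vlan' from 'CN=vlan,OU=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter.

    Every character outside a small safe set is rendered as \\XX (hex), which
    reproduces what the debug lines show for '=' (\\3d) and ',' (\\2c) when a
    DN is expanded inside a filter. The safe set is an assumption modelled on
    that output, not a copy of rlm_ldap's own escaping.
    """
    safe = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .-_")
    out = []
    for ch in value:
        if ch in safe:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def direct_groups(dn):
    """Bare names of groups the entry is a direct member of (what the
    LDAP-Group comparison looks at)."""
    return {group_name(g) for g in DIRECTORY.get(dn, set())}


def transitive_groups(dn):
    """Bare names of groups reachable through nested membership (what the
    LDAP-Group comparison does not do); cycle-safe via `seen`."""
    seen, stack = set(), list(DIRECTORY.get(dn, set()))
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(DIRECTORY.get(g, set()))
    return {group_name(g) for g in seen}


def is_member(dn, group, nested=False):
    """True if `group` (a bare name such as "vlan") contains the entry.
    A full DN passed as `group` never matches, mirroring the reply above."""
    groups = transitive_groups(dn) if nested else direct_groups(dn)
    return group in groups


if __name__ == "__main__":
    ws = "CN=ws01,OU=Computers,OU=Departments,DC=testDomain,DC=local"
    print(escape_filter_value(ws))
    print("direct vlan:", is_member(ws, "vlan"))              # False
    print("nested vlan:", is_member(ws, "vlan", nested=True))  # True
    print("direct eng-workstations:", is_member(ws, "eng-workstations"))  # True
```

Run it as-is to see the escaped DN and the three membership results; the direct check against "vlan" fails for exactly the reason the reply gives, and only the transitive walk finds the nested group.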
