LDAP Post-Auth with computer names using eap-tls certs

Alan DeKok aland at deployingradius.com
Wed Nov 28 23:05:07 CET 2018


On Nov 28, 2018, at 5:00 PM, Kevin Virk <Kevin.Virk at faithlife.com> wrote:
> Thank you for the help Alan and I apologize for the mistakes in posting. 

  Please also *edit* the posts you make.  We don't need to re-read the previous message before getting to any new content.

  The harder you make it for us to help you, the less likely we are to help you.

>> Mon Nov 26 23:53:09 2018 : Debug: (5) EXPAND (|(&(objectClass=computer)(member=%{control:Ldap-UserDn})))
>> Mon Nov 26 23:53:09 2018 : Debug: (5) --> (|(&(objectClass=computer)(member=CN\3dComputerNAme\2cOU\3dComputers\\3dDepartments\2cDC\3dtestDomain\2cDC\3dlocal)))
> 
>> Note that the "=" is escaped to "\2c". Which should be a hint that you should be using just the group name.
> 
> hmm it has been working that way with the queries but I will change that thank you.

  Has it been working with FreeRADIUS?  Or with a command-line tool?

>> LDAP group checking doesn't search subgroups. It only checks the main groups that a user is a member of.
> So, if I'm understanding correctly: if a computer is set up as Computername -> Group membership -> computer security group,
> and if that computer security group is part of a vlan group, querying that vlan group won't work because it will only return the security groups, not the workstations that are part of the security groups?

  Generally, yes.

> Is there no way, then, to query for the computers that belong in a group? Because, like I said atop, this query does work and does give me back all computers in the top-level group:
> 
> (&(objectClass=computer)(memberOf:1.2.840.113556.1.4.1941:=CN=vlan,OU=generalgroups,OU=Departments,DC=testdomain,DC=local))

  That's likely an AD extension to the LDAP standard.  It might not work with other LDAP servers.

> Is there no way for that query above to work in freeradius?

  Yes.  You should be able to edit the LDAP "group" configuration to set the "filter" to the correct value.  Or maybe the "membership_filter".

  The issue here is that FreeRADIUS is intended to work with *multiple* different LDAP servers.  Adding specific magic just for AD isn't always simple.

  Alan DeKok.
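As an added illustration (this is not code from the thread or from FreeRADIUS itself), the following Python reproduces the hex-escaping visible in the debug expansion above and builds the two membership filters the thread contrasts: the portable direct-member lookup and the AD-only transitive lookup using the matching-rule OID quoted by Kevin. The exact escape set FreeRADIUS applies, and the `group` objectClass name, are assumptions.

```python
"""Added example, not FreeRADIUS code: hex-escaping of values expanded into an
LDAP filter (RFC 4515 section 3) and the two membership filters discussed in
the thread.  The escape set is modelled on the expansion shown above
('=' -> \\3d, ',' -> \\2c); the exact set FreeRADIUS uses is an assumption."""

# Filter metacharacters (RFC 4515) plus DN specials (RFC 4514) that the
# expansion above hex-escapes.  Control bytes and non-ASCII are escaped too.
_UNSAFE = set('*()\\=,+"<>;')

# LDAP_MATCHING_RULE_IN_CHAIN, the AD-specific OID quoted in the thread.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_escape(value: str) -> str:
    """Escape a value so it can only ever be an assertion value, never filter
    structure: an injected ')(objectClass=*' becomes literal text."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte >= 0x7F or chr(byte) in _UNSAFE:
            out.append(f"\\{byte:02x}")
        else:
            out.append(chr(byte))
    return "".join(out)


def direct_member_filter(user_dn: str) -> str:
    """Portable filter (objectClass 'group' is the AD name, an assumption):
    matches groups that list the computer directly in 'member'.  Nested
    membership is not followed, which is the limitation Alan describes."""
    return f"(&(objectClass=group)(member={ldap_escape(user_dn)}))"


def nested_member_filter(group_dn: str) -> str:
    """AD-only filter from the thread: memberOf is evaluated transitively, so
    computers in security groups nested under the VLAN group also match.
    Servers decode the \\xx escapes before the DN comparison (RFC 4515)."""
    return (f"(&(objectClass=computer)"
            f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={ldap_escape(group_dn)}))")


if __name__ == "__main__":
    # Constructed sample DNs in the shape used in the thread.
    dn = "CN=ComputerNAme,OU=Computers,DC=testDomain,DC=local"
    print(direct_member_filter(dn))
    print(nested_member_filter("CN=vlan,OU=generalgroups,DC=testdomain,DC=local"))
    print(ldap_escape("vlan)(objectClass=*"))
```

Whichever filter is used, every value that comes from a RADIUS attribute must pass through the escape step so that a crafted username or certificate subject cannot change the filter's structure.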
