Having issues interpreting ldap search/filter attributes

Steve Phillips steve at focb.co.nz
Mon Aug 10 10:07:26 CEST 2020


Hi there, I’m really hoping someone out there can help,

Freeradius version: 3.0.13 (installed via rpm on RHEL 7)

I have a reasonably simple (to my mind) setup that for some reason doesn’t seem to exist on the internet after much fruitless searching.

In essence, I am performing PAP auth to FreeRADIUS, which then binds as the user to AD via LDAP and performs an authentication.
It is then supposed to return the groups the user is a member of, and then I use the “files” directive to match a group and return a reply attribute.

I’m now busy pulling my hair out trying to work out how to debug what’s going on in the background, as I am having amazingly bad luck trying to work out how the group filter works (and yes, I did read the ldap module comments and couldn’t work anything out from this, or the rlm_ldap wiki).

Running radiusd -X gives some information that it is attempting to check groups but claims the user is not a group member (see below for the log).

So far I’ve tried

        #groupfilter = '(objectclass=*)'
        #groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDN}))"
        #groupmembership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        #groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
        #groupmembership_filter = '(|(member=%{control:LDAP-UserDN})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))'
        groupmembership_attribute = 'memberOf'
        #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        #groupmembership_filter = "(sAMAccountName=%{User-Name})"
        groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

With some of these I was just hoping to get _anything_ to return (#groupmembership_filter = "(sAMAccountName=%{User-Name})").

About the only thing I’ve had success in plugging into ldapsearch was “(sAMAccountName=<my username>)”, hence the attempt at doing that, because it DID actually return “memberOf” attributes.

I guess what I’m trying to do is work out what I am supposed to plug into the LDAP search, as every time I try it returns nothing. Is there a way to tell FreeRADIUS to print out what it thinks the various variables are? Like %{Ldap-UserDN}, which I can see from the “sites-enabled” file being set with:

update control {
         Ldap-UserDN := "%{User-Name}@xample.com"
         Auth-Type := LDAP
}

Is there an easy-to-follow guide for ldapsearch that describes what the (|(&(<attribute>=<value>)(<attribute>=<value>))) bits even mean? (primarily the (|(&( bit, as I can do a single <attribute>=<value> search and get that to work)

-- log from radiusd -X --

Ready to process requests
(1) Received Access-Request Id 1 from 10.0.0.5:50847 to 10.0.0.10:1812 length 53
(1)   User-Name = "username123"
(1)   User-Password = "password123"
(1)   NAS-IP-Address = 1.2.3.4
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    --> /var/log/radius/radacct/10.0.0.5/auth-detail-20200810
(1) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.0.0.5/auth-detail-20200810
(1) auth_log: EXPAND %t
(1) auth_log:    --> Mon Aug 10 15:15:19 2020
(1)     [auth_log] = ok
(1)     if (&User-Password) {
(1)     if (&User-Password)  -> TRUE
(1)     if (&User-Password)  {
(1)       update control {
(1)         EXPAND %{User-Name}@exmple.com
(1)            --> username123@example.com
(1)         Ldap-UserDN := username123@example.com
(1)         Auth-Type := LDAP
(1)       } # update control = noop
(1)     } # if (&User-Password)  = noop
(1)     ... skipping else: Preceding "if" was taken
(1) files: Searching for user in group "access_2fa"
rlm_ldap (ldap): Reserved connection (5)
(1) files: Using user DN from request "username123@example.com"
rlm_ldap (ldap): Released connection (5)
Need 3 more connections to reach min connections (5)
rlm_ldap (ldap): Opening additional connection (7), 1 of 8 pending slots used
rlm_ldap (ldap): Connecting to ldap://10.0.0.50:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) files: User is not a member of "ost_access_2fa"
(1) files: Searching for user in group "OST_ACCESS_2FA"
rlm_ldap (ldap): Reserved connection (6)
(1) files: Using user DN from request "username123@example.com"
rlm_ldap (ldap): Released connection (6)
(1) files: User is not a member of " ACCESS_2FA"
.
.

(note: the user in question IS in the group access_2fa and it isn’t a nested group)
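
Added example, not from the post or from FreeRADIUS: a small evaluator for RFC 4515 filter syntax, run against a constructed AD-style group entry. It shows what (&(f)(g)), (|(f)(g)) and (!(f)) mean, and that a term like member=<value> only selects a group when <value> is the full DN stored in the group's member attribute, which is why a filter built from a user@domain value returns nothing against AD. Assumptions: the %{...} expansion is a stand-in for FreeRADIUS xlat that handles only simple %{Attr} and %{list:Attr} references (not the nested %{%{Stripped-User-Name}:-%{User-Name}} form), RFC 4515 value escapes are not handled, and the matching-rule OID in member:1.2.840.113556.1.4.1941:= is stripped and treated as plain equality (no nested-group walk).

```python
import re

# Constructed sample data (not from the post): one AD user DN and one group entry.
USER_DN = "CN=username123,OU=Staff,DC=example,DC=com"
GROUP_ENTRY = {
    "objectClass": ["top", "group"],      # AD groups are 'group', not groupOfNames/groupOfUniqueNames
    "cn": ["access_2fa"],
    "member": [USER_DN],                  # AD stores full DNs here, not user@domain names
}

def parse(s, i=0):
    """Parse one RFC 4515 filter starting at s[i]; return (node, index_after)."""
    i += 1                                    # skip the opening '('
    if s[i] in "&|":                          # (&(f)(g)) = AND of all, (|(f)(g)) = OR of any
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1              # skip the closing ')'
    if s[i] == "!":                           # (!(f)) = NOT
        kid, i = parse(s, i + 1)
        return ("!", kid), i + 1
    j = s.index(")", i)                       # simple item attr=value (RFC 4515 escapes not handled)
    attr, value = s[i:j].split("=", 1)
    attr = attr.split(":")[0]                 # 'member:1.2.840.113556.1.4.1941:' -> 'member'
    return ("=", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> list of values)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                          # (attr=*) is a presence test
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)   # names and DNs compare case-insensitively

def expand(template, request):
    """Toy stand-in for FreeRADIUS %{...} expansion: handles %{Attr} and %{list:Attr} only."""
    return re.sub(r"%\{(?:\w+:)?([\w-]+)\}",
                  lambda m: request.get(m.group(1).lower(), ""), template)

def group_matches(filter_template, request, group=GROUP_ENTRY):
    """True when the expanded filter selects `group`; request keys are lower-cased attribute names."""
    return matches(parse(expand(filter_template, request))[0], group)
```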
