LDAP groups and how to filter

uj2.hahn at posteo.de
Wed Feb 12 22:58:38 CET 2020


And you should enable cacheable_name or cacheable_dn (=yes) if not done already!
Regards
Uwe

On 12.02.2020 22:54, Alan DeKok wrote:
> On Feb 12, 2020, at 3:21 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
>> So your first query works, but returns A LOT:
>>
>> ldapsearch -D 'uid=admin,cn=users,cn=accounts,dc=server,dc=domain,dc=net' -w '<password>' -h localhost -s sub '(objectclass=posixAccount)' -b 'uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net'
>    Which is asking for *all* of the user information.  Not just groups.
>
>> ...
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>    Those are the groups.
>
>> Much output later.
>>
>> So that works – I’m struggling with how that translates to the group filter.
>    In recent versions of the server, see mods-available/ldap.  It shows a sample of the query to use when asking for groups:
>
> 	#  Group membership can be queried by using the above "ldapsearch" string,
> 	#  and adding "memberof" qualifiers.  For ActiveDirectory, use:
> 	#
> 	#    ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
>
>   That's for AD "samaccountname".  But you can modify that for your LDAP server.
>
>
>> My mods-enabled/ldap has an identity and password configured in the ldap section.
>>
>> My base_dn is ‘cn=accounts,dc=server,dc=domain,dc=net’
>    That's all good.
>
>> In the group section I change the filter to '(objectClass=posixAccount)' and uncommented scope = ‘sub’
>>
>> Currently the membership filter is the default of :
>>
>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>
>> How is that modified to handle that above query so I get the groups?
>   It should pretty much just work.  Follow the documentation in the most recent versions of the server.
>
>    If you're running something from 5 years ago, well, the documentation has been updated.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
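The following is an added example, not code from this thread or from the FreeRADIUS project. It models the two things being discussed: how the stock membership_filter expands (with the %{%{Stripped-User-Name}:-%{User-Name}} fallback and RFC 4515 escaping of the user-supplied name, so a crafted User-Name cannot rewrite the filter), how the AD "memberof" query from the config comment adapts to a posixAccount/uid directory like the one in the thread, and how to read memberOf values out of ldapsearch output, including the folded continuation line ("dc" / " =net") seen above. The base DN is the one from the thread; the uid, group names, the helper function names and the sample LDIF are constructed for the example. rlm_ldap does its own escaping when it expands filters; this script only makes that step visible.

```python
"""Model of rlm_ldap group lookup filters (added example, not FreeRADIUS code)."""
from typing import List, Optional

# Base DN taken from the thread; the group container is assumed to sit under it.
BASE_DN = "cn=accounts,dc=server,dc=domain,dc=net"
GROUP_BASE_DN = "cn=groups," + BASE_DN


def ldap_filter_escape(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def xlat_username(user_name: str, stripped_user_name: Optional[str]) -> str:
    """Model %{%{Stripped-User-Name}:-%{User-Name}}: stripped name if set, else User-Name."""
    return stripped_user_name if stripped_user_name else user_name


def membership_filter(user_dn: str, user_name: str,
                      stripped_user_name: Optional[str] = None) -> str:
    """Expand the stock membership_filter from mods-available/ldap."""
    name = ldap_filter_escape(xlat_username(user_name, stripped_user_name))
    return "(|(member=%s)(memberUid=%s))" % (ldap_filter_escape(user_dn), name)


def memberof_filter(uid: str, group_cn: str) -> str:
    """The AD memberof example from the config comment, adapted to posixAccount/uid."""
    group_dn = "cn=%s,%s" % (group_cn, GROUP_BASE_DN)
    return "(&(objectClass=posixAccount)(uid=%s)(memberOf=%s))" % (
        ldap_filter_escape(uid), ldap_filter_escape(group_dn))


def unfold_ldif(ldif: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) back onto the previous line."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def member_of(ldif: str) -> List[str]:
    """Return the memberOf DNs of the entry in the LDIF text."""
    return [line.split(":", 1)[1].strip()
            for line in unfold_ldif(ldif) if line.lower().startswith("memberof:")]


def normalise_dn(dn: str) -> str:
    """Crude DN normalisation for comparison: case-fold, strip spaces around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_group(ldif: str, group_dn: str) -> bool:
    """True if the entry's memberOf list contains group_dn (compared after normalisation)."""
    want = normalise_dn(group_dn)
    return any(normalise_dn(dn) == want for dn in member_of(ldif))


# Constructed sample ldapsearch output, folded at 76 columns like the output in the thread.
SAMPLE_LDIF = """dn: uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net
objectClass: posixAccount
uid: doakes
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc
 =net
"""

if __name__ == "__main__":
    user_dn = "uid=doakes,cn=users," + BASE_DN
    print(membership_filter(user_dn, "doakes@example.com", "doakes"))
    print(membership_filter(user_dn, "*)(uid=*"))  # injection attempt is neutralised
    print(memberof_filter("doakes", "employees"))
    for group in ("employees", "ops_training_wheels", "admins"):
        print(group, in_group(SAMPLE_LDIF, "cn=%s,%s" % (group, GROUP_BASE_DN)))
```

The second membership_filter call shows why escaping matters: a User-Name of `*)(uid=*` would otherwise turn `(memberUid=...)` into a wildcard match, but after escaping it is just a literal string that matches nothing. The memberOf-based filter is the cheaper query once the user DN is known, which is also why cacheable_name/cacheable_dn matter: without them the group lookup is repeated on every request.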
