Group checking in LDAP module

uj2.hahn at posteo.de
Sun Jan 5 18:21:48 CET 2020


Hi, I have some (probably) basic questions about how to deal with group checks 
in the LDAP module.

I set up LDAP with OpenLDAP and authorization works fine. Now I want to 
extend the functionality with some group-related post-auth checks.
Each user is a member of a group. Some users are members of more than 
one group.

freeradius -X shows me the following lines:

(0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name 
"lehrer"
(0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
(0) ldap: Performing unfiltered search in 
"cn=gast,ou=groups,dc=kms,dc=de", scope "base"
(0) ldap: Waiting for search result...
(0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
(0) ldap: Adding cacheable user object memberships
(0) ldap: &control:LDAP-Group += "lehrer"
(0) ldap: &control:LDAP-Group += "gast"

This is all fine because the user belongs to two groups.
My assumption is that control:LDAP-Group now contains both group names, 
e.g. "lehrer gast".
For debugging purposes I output the value as reply message in the 
post-auth section.
But logfile says:

(0) # Executing section post-auth from file 
/etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) update reply {
(0) EXPAND %{control:LDAP-Group}
(0) --> lehrer
(0) Reply-Message := lehrer

Here the output is just the first group name, the other one is missing.
Why is that?
------------------------------------------------------------------------------------------------------------------------------------
And there is a second question:

The LDAP module has a check filter in the group section:

membership_filter = 
"(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

At run time this filter does not generate any output:

(0) ldap: EXPAND 
(&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0) ldap: --> 
(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
(0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter 
"(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", 
scope "sub"
(0) ldap: Waiting for search result...
(0) ldap: Search returned no results
(0) ldap: No cacheable group memberships found in group objects

This is strange. When I run ldapsearch with the same filter I do get results:

ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de  -s sub 
"(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"
dn: cn=lehrer,ou=groups,dc=kms,dc=de
cn: lehrer
description: All users
objectClass: groupOfNames
objectClass: top
member: uid=uhahn,ou=people,dc=kms,dc=de
member: uid=mmeier,ou=people,dc=kms,dc=de

dn: cn=gast,ou=groups,dc=kms,dc=de
cn: gast
description: All users
objectClass: groupOfNames
objectClass: top
member: uid=gast,ou=people,dc=kms,dc=de
member: uid=uhahn,ou=people,dc=kms,dc=de

What's wrong here?

Thanks a lot for your help

Uwe
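Added example (not part of Uwe's message and not FreeRADIUS's shipped configuration) showing how the two debug excerpts above map onto FreeRADIUS 3.0 configuration. On the first question: `%{control:LDAP-Group}` expands only the first value of a multi-valued attribute; `%{control:LDAP-Group[*]}` expands all values joined by commas, `%{control:LDAP-Group[#]}` gives the count, and a bare `LDAP-Group == "name"` comparison asks the module itself. On the second question: the debug output shows the group search running in "ou=people,dc=kms,dc=de" (the group section's base_dn defaults to the module's base_dn) while the ldapsearch output shows the groups under "ou=groups,dc=kms,dc=de", so the group section is given its own base_dn here. The expanded filter in the debug output also shows `=` and `,` in the user DN turned into `3d` and `2c` with no leading backslash, which is not a valid RFC 4515 escape and cannot match the stored `member` value; the example keeps the original membership_filter and does not claim to fix that. The server URL, user base_dn and the reject policy are assumptions for illustration.

```unlang
# mods-available/ldap (excerpt, assumed values marked)
ldap {
	server = 'ldap://localhost'            # assumption
	base_dn = 'ou=people,dc=kms,dc=de'     # from the debug output (user search base)

	user {
		base_dn = "${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"   # assumption
	}

	group {
		# The debug output shows the group search running in ou=people;
		# the groups live in ou=groups, so give the group section its own base.
		base_dn = 'ou=groups,dc=kms,dc=de'
		filter = '(objectClass=groupOfNames)'
		scope = 'sub'
		name_attribute = cn
		# Membership filter as posted; the module ANDs it with "filter" above.
		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
		# Cache resolved group names/DNs into control:LDAP-Group
		cacheable_name = 'yes'
		cacheable_dn = 'yes'
	}
}

# sites-enabled/default (post-auth excerpt)
post-auth {
	update reply {
		# %{control:LDAP-Group} alone gives only the first value ("lehrer").
		# [*] expands every value, comma separated; [#] is the value count.
		Reply-Message := "groups=%{control:LDAP-Group[*]} count=%{control:LDAP-Group[#]}"
	}

	# A bare LDAP-Group comparison is a membership check, not a string match
	# on the first cached value; it consults the cached groups first.
	if (LDAP-Group == "lehrer") {
		update reply {
			Reply-Message += "lehrer group member"
		}
	}

	# Example policy (assumption): users in neither group are rejected.
	if (!(LDAP-Group == "lehrer") && !(LDAP-Group == "gast")) {
		reject
	}
}
```

With the debug output on this page, the first `Reply-Message` would read `groups=lehrer,gast count=2` instead of just `lehrer`. Note that `[*]` yields a comma-separated list, not the space-separated "lehrer gast" assumed in the question.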

