Active Directory authenticated VPN
Michael Ströder
michael at stroeder.com
Fri May 7 12:57:17 CEST 2021
On 5/7/21 12:09 PM, Pisch Tamás wrote:
> With 'no' the authentication and authorization works... with a little flaw:
> it accepts users who are not in the vpnusers group.
Well, then start from this config.
> With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication
> required".
I guess authentication was not successful in this case because you don't
use simple bind (see my last message).
> With these settings in the ldap module:
> ldap{
> server = 'localhost'
> identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
> password = '...'
> base_dn = 'dc=ad,dc=ourdomain,dc=hu'
> group {
> membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
membership_attribute shall only contain an LDAP attribute name, e.g.
'memberOf' if appropriate in your deployment.
> I tried to set up filtering according to
> https://wiki.freeradius.org/modules/Rlm_ldap
> Changes in ldap module:
> ldap{
> groupmembership_filter =
> "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
> membership_attribute = 'memberOf'
Note that 'memberOf' is a user attribute, not an attribute of the group
entry.
With the approach above you have to use membership_attribute = 'member'.
> I checked with ldapsearch:
> ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D
> "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W
> "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
> It gives the vpnusers object as a result.
Can't you see the difference?
In the group filter you're correctly using attribute 'member' as
assertion type, not 'memberOf'.
Ciao, Michael.
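Added example, not code from this thread or from FreeRADIUS: a small in-memory model of the two directions of an AD group-membership check that the discussion above keeps contrasting. The group-side direction evaluates a filter over group entries and asserts 'member' (the user DN is a filter value, so it is RFC 4515-escaped, which is why the ldapsearch above shows \3d and \2c); the user-side direction reads the bare attribute 'memberOf' from the user's own entry, which is the only form membership_attribute accepts. The directory contents, the 'alice' account and the helper names are constructed for the example; the DNs and the ldapsearch filter string are the ones from the thread.

```python
"""Added example (not code from the thread or from FreeRADIUS): model the two
directions of an AD group-membership check against a small constructed
in-memory directory, to show why the group-side filter asserts 'member'
while the user-side attribute is 'memberOf', and why membership_attribute
must be a bare attribute name."""
import re

BASE_DN = "dc=ad,dc=ourdomain,dc=hu"          # naming from the thread
GROUP_DN = "CN=vpnusers,CN=Users," + BASE_DN
VPN_USER_DN = "CN=vpn,CN=Users," + BASE_DN     # the account tested in the thread
ALICE_DN = "CN=alice,CN=Users," + BASE_DN      # constructed: NOT in vpnusers

# Constructed entries standing in for the AD DIT (attribute -> list of values).
DIRECTORY = {
    GROUP_DN: {"objectClass": ["top", "group"], "cn": ["vpnusers"],
               "member": [VPN_USER_DN]},                       # group side
    VPN_USER_DN: {"objectClass": ["top", "person", "user"], "cn": ["vpn"],
                  "memberOf": [GROUP_DN]},                      # user side
    ALICE_DN: {"objectClass": ["top", "person", "user"], "cn": ["alice"]},
}

# The filter from the ldapsearch in the thread, with the user DN hex-escaped.
THREAD_FILTER = ("(&(cn=vpnusers)(|(&(objectClass=group)(member="
                 "CN\\3dvpn\\2cCN\\3dUsers\\2cDC\\3dad\\2cDC\\3dourdomain\\2cDC\\3dhu))))")


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter (as an expanded
    user DN is).  Only the five mandatory bytes are escaped; any other byte
    may also be written as \\XX, which is what the ldapsearch above did."""
    out = bytearray()
    for b in value.encode("utf-8"):
        out += b"\\%02x" % b if b in b"\\*()\x00" else bytes([b])
    return out.decode("utf-8")


def unescape_filter_value(value):
    """Reverse of the above; handles any \\XX sequence, so \\3d and \\2c work."""
    raw, out, i = value.encode("utf-8"), bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 2 < len(raw):  # backslash + two hex digits
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return out.decode("utf-8")


def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, ! and equality.
    Returns ('&', [...]) / ('|', [...]) / ('!', [...]) / ('=', attr, value)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if text[i] in "&|!":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, sep, value = text[i:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad assertion {text[i:end]!r}")
        return ("=", attr.lower(), unescape_filter_value(value)), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry.  Attribute names and values
    compare case-insensitively, as AD does for DN-valued attributes."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not any(matches(c, entry) for c in node[1])
    _, attr, wanted = node
    values = next((v for k, v in entry.items() if k.lower() == attr), [])
    return any(v.casefold() == wanted.casefold() for v in values)


def search(directory, base_dn, filter_text):
    """Subtree search: DNs under base_dn whose entry matches the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items()
            if dn.casefold().endswith(base_dn.casefold()) and matches(node, entry)]


def is_attribute_name(s):
    """membership_attribute takes an attribute description such as 'memberOf',
    never an assertion like 'memberOf=CN=vpnusers,...'.  (Numeric OIDs and
    ';options' are also legal LDAP but not needed here.)"""
    return re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", s) is not None


def groups_via_filter(directory, user_dn):
    """Group-side check, as a group membership filter does: the user DN is a
    filter value, so it is escaped, and the group attribute asserted is 'member'."""
    flt = "(&(objectClass=group)(member=%s))" % escape_filter_value(user_dn)
    return search(directory, BASE_DN, flt)


def groups_via_attribute(directory, user_dn, membership_attribute="memberOf"):
    """User-side check, as membership_attribute does: read the attribute
    from the user's own entry."""
    if not is_attribute_name(membership_attribute):
        raise ValueError("membership_attribute must be a bare attribute name, "
                         "got %r" % membership_attribute)
    entry = directory[user_dn]
    return list(next((v for k, v in entry.items()
                      if k.lower() == membership_attribute.lower()), []))


def is_vpn_user(directory, user_dn):
    """The authorization the thread wants: only members of vpnusers pass."""
    return GROUP_DN.casefold() in (g.casefold() for g in groups_via_filter(directory, user_dn))


if __name__ == "__main__":
    print(search(DIRECTORY, "CN=Users," + BASE_DN, THREAD_FILTER))
    for dn in (VPN_USER_DN, ALICE_DN):
        print(dn, "->", is_vpn_user(DIRECTORY, dn))
```

Running it finds the vpnusers group with the thread's own filter, passes the 'vpn' account and rejects 'alice', who has no memberOf value and is not listed in the group's member attribute; passing the assertion string 'memberOf=CN=vpnusers,...' as membership_attribute is refused, which is the configuration mistake pointed out above.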