Active Directory authenticated VPN

Pisch Tamás pischta at gmail.com
Fri May 7 13:34:55 CEST 2021


Thanks for the clarification of the membership_attribute parameter. Now I
understand its role. I changed it to member in my configuration, but the
result is still the same, "Search returned no results".

Thanks,

Tamás.

Michael Ströder via Freeradius-Users <freeradius-users at lists.freeradius.org>
ezt írta (időpont: 2021. máj. 7., P, 12:57):

> On 5/7/21 12:09 PM, Pisch Tamás wrote:
> > With 'no' the authentication and authorization works... with a little
> > flaw: it accepts users who are not in the vpnusers group.
>
> Well, then start from this config.
>
> > With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er)
> > authentication required".
>
> I guess authentication was not successful in this case because you don't
> use simple bind (see my last message).
>
> > With these settings in the ldap module:
> > ldap{
> >   server = 'localhost'
> >   identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu'
> >   password = '...'
> >   base_dn = 'dc=ad,dc=ourdomain,dc=hu'
> >   group {
> >     membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
>
> membership_attribute shall only contain an LDAP attribute name, e.g.
> 'memberOf' if appropriate in your deployment.
>
> > I tried to set up filtering according to
> > https://wiki.freeradius.org/modules/Rlm_ldap
> > Changes in ldap module:
> > ldap{
> >   groupmembership_filter =
> > "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))"
> >   membership_attribute = 'memberOf'
>
> Note that 'memberOf' is a user attribute, not an attribute of the group
> entry.
>
> With the approach above you have to use membership_attribute = 'member'.
>
> > I checked with ldapsearch:
> > ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D
> > "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W
> > "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
> > It gives the vpnusers object as a result.
>
> Can't you see the difference?
>
> In the group filter you're correctly using attribute 'member' as
> assertion type, not 'memberOf'.
>
> Ciao, Michael.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html