<div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><span>Hi Phil,</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><span>Thank You for the response. Your input helps a lot.</span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><span><br></span></div><div><span><font class="Apple-style-span" size="3">I did the modifications you suggested, but the fetching of the variable is done too late. When the checking of the group is done, %{control:Ldap-UID} comes up empty; it is fetched later. See the freeradius output below.</font></span></div><div><br></div><div>Is there a possibility
that %{control:Ldap-UID} could be filled before the group test?<br></div><div><br></div><div><span><font class="Apple-style-span" size="3">Thank You again.</font></span></div><div><span><font class="Apple-style-span" size="3"> </font></span></div><div> [ldap] Entering ldap_groupcmp()<br></div><div><span><font class="Apple-style-span" size="3"><div>[files] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net</div><div>[files] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: %{Stripped-User-Name} -> </div><div>[files] <span class="Apple-tab-span" style="white-space:pre"> </span>... expanding second conditional</div><div>[files] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: %{User-Name} -> test01</div><div>[files] <span
class="Apple-tab-span" style="white-space:pre"> </span>expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test01)</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] attempting LDAP reconnection</div><div> [ldap] (re)connect to localhost:389, authentication 0</div><div> [ldap] bind as cn=admin,dc=home,dc=net/test123 to localhost:389</div><div> [ldap] waiting for bind result ...</div><div> [ldap] Bind was successful</div><div> [ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)</div><div> [ldap] ldap_release_conn: Release Id: 0</div><div>[files] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: (uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net) -> (uniquemember=uidNumber=,ou=people,dc=home,dc=net)</div><div> [ldap] ldap_get_conn: Checking Id:
0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] performing search in cn=group1,ou=group,dc=home,dc=net, with filter (uniquemember=uidNumber=,ou=people,dc=home,dc=net)</div><div> [ldap] object not found</div><div> [ldap] ldap_release_conn: Release Id: 0</div><div>rlm_ldap::ldap_groupcmp: Group cn=group1,ou=group,dc=home,dc=net not found or user is not a member.</div><div>++[files] returns noop</div><div>[ldap] performing user authorization for test01</div><div>[ldap] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: %{Stripped-User-Name} -> </div><div>[ldap] <span class="Apple-tab-span" style="white-space:pre"> </span>... expanding second conditional</div><div>[ldap] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: %{User-Name} -> test01</div><div>[ldap] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}})
-> (uid=test01)</div><div>[ldap] <span class="Apple-tab-span" style="white-space:pre"> </span>expand: ou=people,DC=home,DC=net -> ou=people,DC=home,DC=net</div><div> [ldap] ldap_get_conn: Checking Id: 0</div><div> [ldap] ldap_get_conn: Got Id: 0</div><div> [ldap] performing search in ou=people,DC=home,DC=net, with filter (uid=test01)</div><div>[ldap] No default NMAS login sequence</div><div>[ldap] looking for check items in directory...</div><div> [ldap] uidNumber -> Ldap-UID == 30001 <span class="Apple-tab-span" style="white-space:pre"> </span><--------- here is fetched --------------</div><div> [ldap] userPassword -> Password-With-Header == "{SSHA}5Va5FraqFtiFvnYULYP9me/OxLN0lh4P"</div><div>[ldap] looking for reply items in directory...</div><div>[ldap] Setting Auth-Type = LDAP</div><div>[ldap] user test01 authorized to use remote access</div><div> [ldap] ldap_release_conn: Release Id:
0</div><div>++[ldap] returns ok</div><div>++[expiration] returns noop</div><div>++[logintime] returns noop</div><div><br></div></font></span></div><div style="font-family: 'times new roman', 'new york', times, serif; font-size: 12pt; "><br></div><div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "><div style="font-size: 12pt; font-family: 'times new roman', 'new york', times, serif; "><font size="2" face="Arial"><hr size="1"><b><span style="font-weight:bold;">From:</span></b> Phil Mayers [via FreeRadius] <<a href="/user/SendEmail.jtp?type=node&node=4380082&i=0&by-user=t" target="_top" rel="nofollow" link="external">[hidden email]</a>><br><b><span style="font-weight: bold;">To:</span></b> crzrobot <<a href="/user/SendEmail.jtp?type=node&node=4380082&i=1&by-user=t" target="_top" rel="nofollow" link="external">[hidden email]</a>><br><b><span style="font-weight: bold;">Sent:</span></b> Sunday, 8 May 2011, 12:29<br><b><span style="font-weight: bold;">Subject:</span></b> Re: ldap group filter<br></font><br><meta http-equiv="x-dns-prefetch-control" content="off"><div id="yiv1571323443">
On 05/08/2011 10:32 AM, crzrobot wrote:
<div class="yiv1571323443shrinkable-quote"><div class='shrinkable-quote'><br>> Sry for the double posting.
<br>> Hi,
<br>> Recently I implemented a RADIUS authentication using the ldap module.
<br>> Next step is to control the users by groups and I want to ask how could I
<br>> set up the group filter if I have this kind of configuration for the groups
<br>> on the LDAP servers. I tried to google it but no luck with useful results.
<br>> The user authentication is done by uid.
<br>>
<br>> Thank You for your help
<br>>
<br>> dn: cn=group1, ou=group,dc=home,dc=net
<br>> objectclass: groupOfUniqueNames
<br>> gidNumber: 30000
<br>> cn: group1
<br>> uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
<br>> uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
<br>> uniquemember: uidNumber=30003, ou=people,dc=home,dc=net
<br>>
</div></div>It's been a long time, but I think this is invalid LDAP data. The
<br>uniquemember value should be a valid DN.
<br><br>You probably could make this work in FreeRADIUS, but you should fix your
<br>LDAP schema.
<br><br>You'll need to do the following:
<br><br> 1. Define a local "uid" attribute in raddb/dictionary e.g.
<br><br>ATTRIBUTE Ldap-UID 3000 integer
<br><br> 2. Define a mapping in ldap.attrmap from LDAP to radius for the uid e.g.
<br><br>checkItem Ldap-UID uidNumber
<br><br> 3. Update your group query e.g.
<br><br>groupmembership_filter = \
<br> "(uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net)"
<br><br>...but it's hacky and nasty - what if the path after the RDN varies? Fix
<br>your LDAP schema to be right and this will just work.
<br>-
<br>List info/subscribe/unsubscribe? See <a rel="nofollow" target="_blank" href="http://www.freeradius.org/list/users.html" link="external">http://www.freeradius.org/list/users.html</a><br>
<br>
<br>
</div><br><br></div></div></div>
<br/><hr align="left" width="300" />
View this message in context: <a href="http://freeradius.1045715.n5.nabble.com/ldap-group-filter-tp4379112p4380082.html">Re: ldap group filter</a><br/>
Sent from the <a href="http://freeradius.1045715.n5.nabble.com/FreeRadius-User-f2740693.html">FreeRadius - User mailing list archive</a> at Nabble.com.<br/>
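Added example, not part of the thread and not FreeRADIUS, crzrobot's or Phil's code: a small Python simulation of the two problems discussed above. It re-creates the ordering seen in crzrobot's debug output (the [files] group check expands %{control:Ldap-UID} to nothing because it runs before the ldap module has applied the Ldap-UID checkItem), and Phil's point that the uniquemember values are not DNs of existing entries. The directory contents, the request, the module names used as the authorize order, and the toy xlat expander are all constructed for illustration; the only filters are the one from the thread and a user-DN form, where the toy groupcmp fills in the user DN itself after the (uid=...) lookup that the log shows ldap_groupcmp performing first.

```python
"""Toy re-creation (constructed, not FreeRADIUS code) of the thread's two problems:
%{control:Ldap-UID} expanding empty in the group check, and non-DN uniquemember values."""
import re

PEOPLE_BASE = "ou=people,dc=home,dc=net"
GROUP1 = "cn=group1,ou=group,dc=home,dc=net"   # the group from the post
GROUP2 = "cn=group2,ou=group,dc=home,dc=net"   # constructed: proper DN members

def norm_dn(dn):
    """Canonicalise a DN for comparison: drop spaces around commas, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

DIRECTORY = {norm_dn(dn): attrs for dn, attrs in {   # constructed directory data
    "uid=test01," + PEOPLE_BASE: {"uid": ["test01"], "uidNumber": ["30001"]},
    "uid=test02," + PEOPLE_BASE: {"uid": ["test02"], "uidNumber": ["30002"]},
    GROUP1: {"objectclass": ["groupOfUniqueNames"],
             # member values as in the original post: no entry has such a DN
             "uniquemember": ["uidNumber=30001, ou=people,dc=home,dc=net",
                              "uidNumber=30002, ou=people,dc=home,dc=net",
                              "uidNumber=30003, ou=people,dc=home,dc=net"]},
    GROUP2: {"objectclass": ["groupOfUniqueNames"],
             "uniquemember": ["uid=test01," + PEOPLE_BASE, "uid=test02," + PEOPLE_BASE]},
}.items()}

HACK_FILTER = "(uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net)"
DN_FILTER = "(uniquemember=%{Ldap-UserDn})"   # user DN is filled in by the toy groupcmp
UID_XLAT = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"   # as in the debug log
XLAT_INNER = re.compile(r"%\{([^{}]*)\}")     # innermost %{...} reference

def xlat(template, request, control):
    """Expand a toy subset of %{...}: request attrs, the control: list and the
    %{%{A}:-%{B}} 'A, else B' form. Unset attributes expand to "" as in the log."""
    def lookup(ref):
        if ":-" in ref:                        # inner parts are already expanded
            value, fallback = ref.split(":-", 1)
            return value or fallback
        if ref.startswith("control:"):
            return control.get(ref[len("control:"):], "")
        return request.get(ref, "")
    while (m := XLAT_INNER.search(template)):
        template = template[:m.start()] + lookup(m.group(1)) + template[m.end():]
    return template

def parse_eq_filter(filt):
    """Split a simple '(attr=value)' filter into attribute and value."""
    attr, value = filt[1:-1].split("=", 1)
    return attr, value

def values_equal(attr, stored, wanted):
    """DN-valued attributes compare as DNs; everything else case-insensitively."""
    if attr.lower() == "uniquemember":
        return norm_dn(stored) == norm_dn(wanted)
    return stored.lower() == wanted.lower()

def search_equality(base, attr, value):
    """Toy subtree search under `base` with one equality filter; returns DNs."""
    base_n = norm_dn(base)
    return [dn for dn, entry in DIRECTORY.items()
            if (dn == base_n or dn.endswith("," + base_n))
            and any(values_equal(attr, v, value) for v in entry.get(attr, []))]

def find_user(request, control):
    """The (uid=...) lookup both modules perform in the log."""
    return search_equality(PEOPLE_BASE, *parse_eq_filter(xlat(UID_XLAT, request, control)))

def ldap_authorize(request, control):
    """Toy rlm_ldap authorize: apply the attrmap checkItem 'Ldap-UID uidNumber'
    to the control list (the step the log shows running after the group check)."""
    hits = find_user(request, control)
    if hits:
        control["Ldap-UID"] = DIRECTORY[hits[0]]["uidNumber"][0]
    return "ok" if hits else "notfound"

def ldap_groupcmp(group_dn, filter_template, request, control):
    """Toy ldap_groupcmp: find the user DN, expand the filter, search the group."""
    hits = find_user(request, control)
    values = dict(request, **{"Ldap-UserDn": hits[0] if hits else ""})
    expanded = xlat(filter_template, values, control)
    return expanded, bool(search_equality(group_dn, *parse_eq_filter(expanded)))

def authorize(order, request, filter_template, group_dn):
    """Run the toy modules in `order`; return (expanded group filter, matched?)."""
    control, outcome = {}, None
    for module in order:
        if module == "ldap":
            ldap_authorize(request, control)
        elif module == "files":                # the group check lives in the users file
            outcome = ldap_groupcmp(group_dn, filter_template, request, control)
    return outcome

def dangling_members(group_dn):
    """Phil's point: return uniquemember values that name no entry in the directory."""
    return [m for m in DIRECTORY[norm_dn(group_dn)]["uniquemember"]
            if norm_dn(m) not in DIRECTORY]

if __name__ == "__main__":
    req = {"User-Name": "test01"}              # constructed request, as in the log
    print(authorize(["files", "ldap"], req, HACK_FILTER, GROUP1))   # empty filter, no match
    print(authorize(["ldap", "files"], req, HACK_FILTER, GROUP1))   # ldap first: match
    print(authorize(["files", "ldap"], req, DN_FILTER, GROUP2))     # proper DNs: match anyway
    print(dangling_members(GROUP1), dangling_members(GROUP2))
```

With the files-then-ldap order the expanded filter is exactly the `(uniquemember=uidNumber=,ou=people,dc=home,dc=net)` line from the debug output, so the group search cannot match. Running the ldap step first is one way to get the value in time, but the group whose members are real DNs matches in either order without any dictionary or attrmap additions, which is what Phil's advice to fix the data amounts to; `dangling_members` is the check that shows why the original group entry cannot work that way.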