<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>Ldap query in FR3</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">This will probably be obvious, but I can’t see it!</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">I’m using several instances of ldap to do some load balancing so I’ve got ldap1, ldap2, ldap3 etc.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">I know in 3 that we need to reference the instance explicitly in the users files for groups, e.g.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">DEFAULT ldap1-ldap-group == “group name”</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">But unlike 2, I can’t actually make this fail. It always comes back with “user found”. I’ve tried to trim the config right down but it’s still failing to report that the user is missing.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Instantiation / config for ldap:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> # Instantiating module "ldap1" from file /usr/local/etc/raddb/mods-enabled/ldap</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">ldap ldap1 {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> server = "10.128.176.40"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> port = 389</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> password =</FONT></SPAN><SPAN LANG="en-gb"> <FONT FACE="Calibri">***</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> identity = "cn=LDAPQuery,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> user {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> scope = "sub"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> base_dn = "DC=SATH,DC=nhs,DC=uk"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> access_positive = yes</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> }</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> group {</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> filter = "(objectClass=Group)"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> scope = "sub"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> base_dn = "DC=SATH,DC=nhs,DC=uk"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> name_attribute = "cn"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> membership_filter = "(member=%{control:Ldap-UserDn})"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> cacheable_name = no</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> cacheable_dn = no</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri"> }</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">In the users files I have</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">DEFAULT ldap1-Ldap-Group == "I made this group up"</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">In operation, everything seems to expand ok:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">..</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : Searching for user in group "I made this group up"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">rlm_ldap (ldap1): Reserved connection (4)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : Using user DN from request "CN=Franks Andy (RLZ) IT Systems Engineer,OU=RSHUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : Checking for user in group objects</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : expand: "(&(cn=I made this group up)(objectClass=Group)(member=%{control:Ldap-UserDn}))" -> '(&(cn=I made this group up)(objectClass=Group)(member=CN\3dFranks Andy \28RLZ\29 IT Systems Engineer\2cOU\3dRSHUsers\2cOU\3dSAT$</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : expand: "DC=SATH,DC=nhs,DC=uk" -> 'DC=SATH,DC=nhs,DC=uk'</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : Performing search in 'DC=SATH,DC=nhs,DC=uk' with filter '(&(cn=I made this group up)(objectClass=Group)(member=CN\3dFranks Andy \28RLZ\29 IT Systems Engineer\2cOU\3dRSHUsers\2cOU\3dSATHUsers\2cDC\3dSATH\2cDC\3dnhs\2cDC\3duk)$</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : Waiting for search result...</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">(1) files : User found in group object</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">..</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">..but the user is always found.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">All user-based operations work fine. Not found is returned if the user isn’t in ldap etc.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">I’m stumped. I’ve tried various filter combinations etc., but the group doesn’t even exist, and even if I reference a group that does exist which doesn’t contain the user, it returns found… Version 2 didn’t seem to have the same behaviour.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Thanks</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Andy</FONT></SPAN><SPAN LANG="en-gb"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-gb"></SPAN></P>
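<P DIR=LTR><SPAN LANG="en-gb"><FONT FACE="Calibri">Added example, not code from the original post or from FreeRADIUS: a Python rendering of the RFC 4515 escaping applied when the username and the user DN are substituted into the ldap module's search filters, reproducing the membership filter expansion visible in the debug output above. Escaping the group name taken from the users file is an assumption; the names in this post contain no special characters either way.</FONT></SPAN></P>

```python
# Added illustration of RFC 4515 filter-value escaping as seen in the
# FreeRADIUS debug output above. Not FreeRADIUS's own code.

# RFC 4515 requires '*', '(', ')', '\' and NUL to be escaped inside a
# filter assertion value. The debug output also shows '=' and ',' from
# the DN being escaped (\3d, \2c). Escaping extra characters is harmless,
# since the server decodes every \XX sequence, so this escaper does the same.
_ESCAPED = set("*()\\\x00=,")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (lowercase hex)."""
    return "".join("\\%02x" % ord(ch) if ch in _ESCAPED else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Decode \\XX escapes the way an LDAP server does when it parses a filter."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))  # ValueError on bad hex
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def user_filter(username: str) -> str:
    """The 'user { filter = ... }' line above, with the request-supplied name
    escaped so that wildcards or parentheses cannot alter the filter's structure."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def group_membership_filter(group_name: str, user_dn: str) -> str:
    """The filter the debug output shows being built: the group name from the
    users file, the group section's objectClass filter, and the user's DN
    substituted for %{control:Ldap-UserDn}. Escaping group_name is an assumption."""
    return "(&(cn=%s)(objectClass=Group)(member=%s))" % (
        escape_filter_value(group_name), escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed sample values copied from the debug output above.
    dn = ("CN=Franks Andy (RLZ) IT Systems Engineer,OU=RSHUsers,"
          "OU=SATHUsers,DC=SATH,DC=nhs,DC=uk")
    print(group_membership_filter("I made this group up", dn))
    assert unescape_filter_value(escape_filter_value(dn)) == dn
```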
</BODY>
</HTML>