Thanks for the clatification of the membership_attribute parameter. Now I understand its role. I changed it to member in my configuration, but the result is still the same, "Search returned no results". Thanks, Tamás. Michael Ströder via Freeradius-Users <freeradius-users@lists.freeradius.org> ezt írta (időpont: 2021. máj. 7., P, 12:57):
On 5/7/21 12:09 PM, Pisch Tamás wrote:
With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group.
Well, then start from this config.
With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required".
I guess authentication was not successful in this case because you don't use simple bind (see my last message).
With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
membership_attribute shall only contain an LDAP attribute name, e.g. 'memberOf' if appropriate in your deployment.
I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf'
Note that 'memberOf' is a user attribute, not an attribute of the group entry.
With the approach above you have to use membership_attribute = 'member'.
I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W
"(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))"
It gives the vpnusers object as a result.
Can't you see the difference?
In the group filter you're correctly using attribute 'member' as assertion type, not 'memberOf'.
Ciao, Michael. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html