On 5/7/21 12:09 PM, Pisch Tamás wrote:
With 'no' the authentication and authorization works... with a little flaw: it accepts users who is not in vpnusers group.
Well, then start from this config.
With 'yes', or with 'allow_sasl_over_tls' I get "Strong(er) authentication required".
I guess authentication was not successful in this case because you don't use simple bind (see my last message).
With these settings in the ldap module: ldap{ server = 'localhost' identity = 'cn=Administrator,cn=Users,dc=ad,dc=ourdomain,dc=hu' password = '...' base_dn = 'dc=ad,dc=ourdomain,dc=hu' group { membership_attribute = 'memberOf=CN=vpnusers,CN=Users,${base_dn})'
membership_attribute shall only contain an LDAP attribute name, e.g. 'memberOf' if appropriate in your deployment.
I tried to set up filtering according to https://wiki.freeradius.org/modules/Rlm_ldap Changes in ldap module: ldap{ groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn})))" membership_attribute = 'memberOf'
Note that 'memberOf' is a user attribute, not an attribute of the group entry. With the approach above you have to use membership_attribute = 'member'.
I checked with ldapsearch: ldapsearch -x -b "cn=Users,dc=ad,dc=ourdomain,dc=hu" -D "cn=vpn,cn=Users,dc=ad,dc=ourdomain,dc=hu" -h localhost -W "(&(cn=vpnusers)(|(&(objectClass=group)(member=CN\3dvpn\2cCN\3dUsers\2cDC\3dad\2cDC\3dourdomain\2cDC\3dhu))))" It gives the vpnusers object as a result.
Can't you see the difference? In the group filter you're correctly using attribute 'member' as assertion type, not 'memberOf'. Ciao, Michael.