Joe User is a part of Corp (which is under Users - could nesting be the problem?): root@openldap ~# ldapsearch -x -h localhost -p 389 -b "ou=Users,dc=team,dc=company,dc=com" -s sub "cn=joe user" # extended LDIF # # LDAPv3 # base <ou=Users,dc=team,dc=company,dc=com> with scope subtree # filter: cn=joe user # requesting: ALL # # Joe User, corp, Users, team.company.com dn: cn=Joe User,ou=corp,ou=Users,dc=team,dc=company,dc=com givenName: Joe sn: User cn: Joe User uid: joeuser uidNumber: 1008 gidNumber: 500 homeDirectory: /home/users/joeuser loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Is my entry in the authorize section formatted correctly? Thanks, Alex On Aug 13, 2014, at 2:46 AM, Stefan Paetow <Stefan.Paetow@ja.net> wrote:
According to the LDAP search, the user is not part of either the Corp or the Dev OUs.
Which one of the two is 'joeuser' part of?
What happens when you try using ldapsearch to search for 'joeuser' in your AD?
Stefan
-----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Alex Gregory Sent: 13 August 2014 00:32 To: FreeRadius users mailing list Subject: OpenLDAP Group membership to Filter-ID
Hello-
I would like to make it so that the users in:
ou=corp,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of corp and the users in:
ou=dev,ou=Users,dc=team,dc=company,dc=com
Get mapped a Filter-ID of dev. I can then apply firewall rules to give them access to certain resources and not others. This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.
In inner-tunnel I have:
authorize { if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "corp" } } if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=affirm,dc=com/ ) { update control { Tmp-String-1 := "dev" } }
post-auth { update reply { Filter-Id := "%{control:Tmp-String-1}" }
I can see in the log that its not matching which means I am not matching correctly. It ends up passing the Filter-ID which is blank. So I know the post auth section is working correctly.
Here is the relevant log info:
Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...} Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) Tue Aug 12 22:50:47 2014 : Debug: [ldap] Entering ldap_groupcmp() Tue Aug 12 22:50:47 2014 : Info: expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Info: expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) Tue Aug 12 22:50:47 2014 : Debug: [ldap] object not found Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member. Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) -> FALSE Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL" Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{Stripped-User-Name} -> Tue Aug 12 22:50:47 2014 : Info: [ldap] ... expanding second conditional Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: %{User-Name} -> joeuser Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_get_conn: Got Id: 0 Tue Aug 12 22:50:47 2014 : Debug: [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser) Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory... Tue Aug 12 22:50:47 2014 : Debug: [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced" Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory... Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access Tue Aug 12 22:50:47 2014 : Debug: [ldap] ldap_release_conn: Release Id: 0 Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...} Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password" Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption. Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: expand: %{control:Tmp-String-1} -> Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop } # server inner-tunnel Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2 Filter-Id = "" Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...} Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768 Filter-Id = "" MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1 MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "joeuser" Tue Aug 12 22:50:47 2014 : Info: Finished request 9.
Thank you for the help. I appreciate it. BTW if this does't make sense I can provide more details as to what I am trying to do. I figured I would spare that unless needed.
Thanks,
Alex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html