Hi Arran, I'm using Freeradius 2.2.8, It's not easy to upgrade to 3.x, I will try if definitly I cant solve it. Alan, sorry, let me explain better. This is an example of the user "pares" who is part of the "userType: managment": ldapsearch -x -LLL -h platform.example.com.co -D "cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI -b"uid=pares,ou=invit,dc=example,dc=com,dc=co" dn: uid=pares,ou=invitados,dc=example,dc=com,dc=co objectClass: top objectClass: person objectClass: organizationalPerson objectClass: qmailUser cn: Pares sn:: QWNhZMOpbWljb3M= state:: U29saWNpdGFkbyBwb3IgVmljZXJyZWN0b3LDrWE= *userType: managment*uid: pares And this is an example of the user "utposgr" who is part of the "userType: guest" ldapsearch -x -LLL -h platform.example.com.co -D "cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI -b"uid=utposgr,ou=invit,dc=example,dc=com,dc=co" dn: uid=utposgr,ou=invitados,dc=example,dc=com,dc=co uid: utposgr *userType: guest* state: solicit sn: CGR cn: Invitado objectClass: top objectClass: person objectClass: organizationalPerson objectClass: qmailUser As I said, I need to configure a Freeradius able to use a LDAP module and filter to let autenticate only the user who has "userType: managment" objetc in LDAP directory. So, I set the freeradius.ldap module like this: ldap { server = "plataform.example.com.co" identity = "cn=roam,dc=example,dc=com,dc=co" password = 12345 basedn = "dc=example,dc=com,dc=co" ldap_connections_number = 5 ... } Results: I can authenticate Both users (pares and utposgr). Now I need to apply the filter of the objetc, so I tried this; ldap { server = "plataform.example.com.co" identity = "cn=roam,dc=example,dc=com,dc=co" password = 12345 basedn = "dc=example,dc=com,dc=co" base_filter = "(*userType= managment*)" ldap_connections_number = 5 ... } After reload, I still can authenticathe Both users (pares and utposgr), but What I need is to only authenticate user "pares" because user "utposgr" has a different LDAP object (*userType: guest*). This is the debug output when I tried to authenticate the user utposgr (supposed to be rejected): Cleaning up request 2 ID 79 with timestamp +319 Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 38585, id=15, length=81 User-Name = "utposgr" User-Password = "ut2014" NAS-IP-Address = 192.168.70.90 NAS-Port = 1812 Message-Authenticator = 0xbc046700e4bb678a5b8bd88f9d3c9e42 # Executing section authorize from file /etc/freeradius/sites-enabled/ default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "utposgr", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop [ldap] performing user authorization for utposgr [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> utposgr [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=utposgr) [ldap] expand: dc=example,dc=com,dc=co -> dc=example,dc=com,dc=co [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in dc=example,dc=com,dc=co, with filter (uid=utposgr) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] Setting Auth-Type = LDAP [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = ok Found Auth-Type = LDAP # Executing group from file /etc/freeradius/sites-enabled/default +group LDAP { [ldap] login attempt by "utposgr" with password "ut2014" [ldap] user DN: uid=utposgr,ou=invit,dc=example,dc=com,dc=co [ldap] (re)connect to plataform.example.com.co:389, authentication 1 [ldap] bind as uid=utposgr,ou=invit,dc=example,dc=com,dc=co/ut2014 to plataform.example.com.co:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] *user utposgr authenticated succesfully* ++[ldap] = ok +} # group LDAP = ok Login OK: [utposgr/ut2014] (from client localhost port 1812) # Executing section post-auth from file /etc/freeradius/sites-enabled/ default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 15 to 127.0.0.1 port 38585 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 3 ID 15 with timestamp +326 Ready to process requests. I also tried ldap { server = "plataform.example.com.co" identity = "cn=roam,dc=example,dc=com,dc=co" password = 12345 basedn = "dc=example,dc=com,dc=co" * filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"* * base_filter = "(userType= managment*)" ldap_connections_number = 5 ... } But the same results, I dont know how to make the filter of the LDAP object "userType= managment" and the user who has the "userType= guest" can authenticate. Thanks in advance!!! 2017-09-17 7:22 GMT-05:00 Alan DeKok <aland@deployingradius.com>:
On Sep 16, 2017, at 8:51 PM, Andrés Gómez <andres.gomez.ruiz@gmail.com> wrote:
I have tried many combinations but I cant' do it work.
See the FAQ for "it doesn't work".
Can you give me any advice about how can I configure the freeradius-ldap module in order to do that filter?
You told us what you did. You didn't tell us what happened. You *can* post the debug log as suggested in the FAQ, "man" page, web pages, and all the time on this list.
Saying "it doesn't work" is entirely unhelpful. And doesn't let us help you.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- *C. Andrés Gómez R.* *Magister en Software Libre*