Hi guys, I am still having problems to check if user is member of group... here is cut from logs where is comparison: (31) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name}) (31) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1) (31) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub" (31) ldap1-vpn-student: Waiting for search result... (31) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-vpn-student): Released connection (0) (31) [ldap1-vpn-student] = ok (31) } # redundant = ok (31) policy check_ldap_group_vpn { (31) if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") { (31) Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" rlm_ldap (ldap1-student-um): Reserved connection (0) (31) Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap1-student-um): Released connection (0) (31) User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" (31) if (&ldap1-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE (31) elsif (&ldap2-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") { (31) Searching for user in group "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" rlm_ldap (ldap2-student-um): Reserved connection (0) (31) Using user DN from request "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" rlm_ldap (ldap2-student-um): Released connection (0) (31) User is not a member of "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si" (31) elsif (&ldap2-student-um-LDAP-Group[*] == "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE (31) else { (31) [reject] = reject (31) } # else = reject (31) } # policy check_ldap_group_vpn = reject (31) } # Autz-Type LDAPS-VPN-STUDENT = reject If I run ldapsearch we could see that user is member of group, here: # IDM_VPN, Groups, QUEST, UM, loki.um.si dn: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si objectClass: top objectClass: group cn: IDM_VPN description:: U2t1cGluYSBqZSBuYW1lbmplbmEgZG9zdG9wdSDFoXR1ZGVudG92IGRvIHN0b3Jp dGV2IFZQTi4gWiBuam8gdXByYXZsamEgSURNLg== member: CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si distinguishedName: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si instanceType: 4 whenCreated: 20211118102555.0Z Please help me! Best, Erik On 11/29/21 9:38 PM, Alan DeKok wrote:
And I didn't notice in my last reply...
don't email me off-list. The purpose of the list is to let everyone ELSE see what problems are being solved. Email the list.
Any further emails sent directly to me will be ignored.
On Nov 29, 2021, at 3:07 PM, Erik Frangež <erik@frangez.net> wrote:
Can you please help me? Thank you!
-------- Posredovano sporočilo -------- Zadeva: Re: Problem with limiting users to group in Active Directory Datum: Sun, 28 Nov 2021 21:45:47 +0100 Od: Erik Frangež <erik@frangez.net> Za: Alan DeKok <aland@deployingradius.com>
Hi Alan,
here is whole log for one attempt:
(74) Received Access-Request Id 42 from 164.8.15.42:54972 to 164.8.100.71:21812 length 71 (74) User-Name = "erik.frangez1" (74) User-Password = "*******" (74) Service-Type = Authenticate-Only (74) NAS-Port = 0 (74) NAS-IP-Address = 164.8.15.40 (74) # Executing section authorize from file /etc/raddb/sites-enabled/guard_vpn_student (74) authorize { (74) suffix: Checking for suffix after "@" (74) suffix: No '@' in User-Name = "erik.frangez1", looking up realm NULL (74) suffix: Found realm "NULL" (74) suffix: Adding Stripped-User-Name = "erik.frangez1" (74) suffix: Adding Realm = "NULL" (74) suffix: Authentication realm is LOCAL (74) [suffix] = ok (74) guard_vpn_student_file: users: Matched entry DEFAULT at line 1 (74) [guard_vpn_student_file] = ok (74) } # authorize = ok (74) Using Autz-Type LDAPS-VPN-STUDENT (74) # Executing group from file /etc/raddb/sites-enabled/guard_vpn_student (74) Autz-Type LDAPS-VPN-STUDENT { (74) redundant { (74) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name}) (74) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1) (74) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub" (74) ldap1-vpn-student: Waiting for search result... (74) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si" (74) [ldap1-vpn-student] = ok (74) } # redundant = ok (74) policy check_ldap_group_vpn_test { (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") { (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") { (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE (74) else { (74) [reject] = reject (74) } # else = reject (74) } # policy check_ldap_group_vpn_test = reject (74) } # Autz-Type LDAPS-VPN-STUDENT = reject (74) Invalid user: [erik.frangez1] (from client guard port 0) (74) Using Post-Auth-Type Reject (74) Post-Auth-Type sub-section not found. Ignoring. (74) Delaying response for 1.000000 seconds (74) Sending delayed response (74) Sent Access-Reject Id 42 from 164.8.100.71:21812 to 164.8.15.42:54972 length 20 (74) Cleaning up request packet ID 42 with timestamp +19
User is part of group IDM_VPN on domain LOKI...
Thank you for help!
Best, Erik
On 11/28/21 7:33 PM, Alan DeKok wrote:
On Nov 28, 2021, at 12:32 PM, Erik Frangež via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am having problems with configuring Radius authentication limiting users to group in Active directory.
Here is configuration of LDAP:
We don't need to see that.
Read http://wiki.freeradius.org/list-help
In sites-enabled for radius, I have specify this:
We don't need to see that, either.
Authentication is not working. Here are logs:
Part of the logs. But whatever...
rlm_ldap (ldap1): Reserved connection (0) (392) ldap1: EXPAND (sAMAccountName=%{User-Name}) (392) ldap1: --> (sAMAccountName=user) (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub" (392) ldap1: Waiting for search result... (392) ldap1: User object found at DN "..." rlm_ldap (ldap1): Released connection (0) (392) [ldap1] = ok (392) } # redundant = ok (392) policy check_ldap_group_vpn { (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
That seems wrong. "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" ? Why the repetition?
The default configuration works. The file mods-available/ldap has detailed instructions for getting it working with Active Directory.
Follow the instructions, and it should work.
User is member of group. Same configuration we are having for other domain and its working.
Is it *exactly* the same? i.e. with the same "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" repetition?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html