On 11/19/14, 2:49 PM, "Winders, Timothy A" <twinders@southplainscollege.edu> wrote:
On 11/19/14, 1:35 PM, "Arran Cudbard-Bell" <a.cudbardb@freeradius.org> wrote:
On 19 Nov 2014, at 13:17, Winders, Timothy A <twinders@southplainscollege.edu> wrote:
I have FreeRadius 3.0.3 installed on Ubuntu 14.0.4 (free radius 3.0.3-ppa1~trustry package)
I have everything setup with Active Directory for user authentication. This is working correctly, but I am having a problem with Active Directory group membership checking. It appears the problem is with the way FreeRadius escapes the UserDN when doing the query.
Yeah pairparsevalue was molesting the DN string before writing it to the DN attribute.
It shouldn't really have been de-escaping \, as it's not something we escape normally, and the LDAP code shouldn't of been calling a function that used pairparsevalue anyway.
So i've fixed both those issues. The fix will go in 3.0.5 which'll be released very soon. If you could build from v3.0.x HEAD and check it's resolved, that'd be helpful.
OK. I think I have done this correctlyŠ
I saved my existing /etc/freeradius configuration files and then removed all the freeradius-3.0.3 packages from the system.
I downloaded the v3.0.x.zip file from https://github.com/FreeRADIUS/freeradius-server/archive/v3.0.x.zip
I unzipped the file to /usr/local/src and ran ./configure from the directory, looked through the output and corrected all relevant WARNING messages, installing a TON of -dev packages to the system. Finally ran make and make install.
I saved the new /usr/local/etc/raddb files and moved my previous /etc/freeradius/* files to /usr/local/etc/raddb/*
/usr/local/sbin/radiusd -v reports FreeRADIUS Version 3.0.5, for host x86_64-unknown-linux-gnu
I ran /usr/local/sbin/radiusd -XC to check configured files. Fixed the problems with clients.conf (ipaddr format changes between 3.0.3 and 3.0.5?) and finally ran /usr/local/sbin/radiusd -X and connected with my client.
I got the same badly escaped DN as before.
(12) if (LDAP-Group == "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") { (12) Searching for user in group "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu" rlm_ldap (ldap): Reserved connection (2) (12) Using user DN from request "CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu" (12) Checking for user in group objects (12) EXPAND (&(objectClass=group)(member=%{control:Ldap-UserDn})) (12) --> (&(objectClass=group)(member=CN\3dWinders\5c\5c\2c Tim \280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu ) ) (12) Performing search in 'CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' with filter '(&(objectClass=group)(member=CN\3dWinders\5c\5c\2c Tim \280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu ) )', scope 'sub' (12) Waiting for search result... (12) Search returned no results (12) Search returned not found
Either I downloaded the wrong source files, or the change you thought you corrected didn¹t fix the problem...
I saw Alan replied, but I’ll reply here to keep the previous message thread in tact… To Alan - I’ll look for the instructions on building the deb packages for the 3.0.5 release and decide if that makes sense for me. I realized in my test above, I only tested the group membership_filter attribute (giving the escape problem above), but did not test test the membership_attribute = "memberOf". I removed the membership_filter and added the membership_attribute and IT WORKS! I’ve snipped some of the debug for clarity, but you can see the unfiltered search is now using the unescaped UserDn! (12) if (LDAP-Group == "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") { (12) Searching for user in group "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu" (12) Using user DN from request "CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu" (12) Checking user object membership (memberOf) attributes (12) Performing unfiltered search in 'CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base' (12) Waiting for search result... (12) Processing group membership value "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu" (12) User found. Comparison between membership: dn, check: dn (12) if (LDAP-Group == "CN=Students Security Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") -> TRUE So, at least part of the code is correct. -- Tim Winders Associate Dean of Information Technology South Plains College (806) 716-2369