I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section. rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed I cant remove the ou=test portion or authentication fails completely and i get a reject: [ldap] performing user authorization for seth.doty [ldap] expand: %{Stripped-User-Name} -> [ldap] expand: %{User-Name} -> seth.doty [ldap] expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) -> (CN=seth.doty) [ldap] expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: closing existing LDAP connection rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0 rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter (CN=seth.doty) rlm_ldap: ldap_search() failed: Operations error [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns fail On Fri, 2011-05-20 at 15:26 +0100, Phil Mayers wrote:
On 20/05/11 15:14, Doty, Seth wrote:
I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have setup a security group specifically for this test and i am indeed in the group.
I set it up like this in sites-enabled/inner-tunnel because it seemed this manner was a little more flexible for our needs:
post-auth { if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
This is wrong. You don't give the group DN. You give the value of "groupname_attribute" in the ldap module, defaults to "cn", i.e.
post-auth { if (Ldap-Group == STNS_Wireless_Authentication) { .. } } - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html