ldap group auth - always allowing user.
I still have to better figure out how to correctly search for "VPN Users", but it will still allow access if it does not find a user in that group. I have the following in: postauth_users Shouldn't the "DEFAULT Auth-Type := Reject" reject that user since it did not find him in the group? DEFAULT Ldap-Group == "VPN USERS", Auth-Type := Accept DEFAULT Auth-Type := Reject Fall-Through = no In debug I can see, Found Auth-Type = LDAP +- entering group LDAP {...} [ldap] login attempt by "vtest" with password "test1234" [ldap] user DN: uid=vtest,ou=People, dc=company, dc=dom [ldap] (re)connect to company-bk1.company.dom:389, authentication 1 [ldap] bind as uid=vtest,ou=People, dc=company, dc=dom/test1234 to company-bk1.company.dom:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] user vtest authenticated succesfully ++[ldap] returns ok +- entering group post-auth {...} [ldap] Entering ldap_groupcmp() [files] expand: ou=People,dc=company,dc=dom -> ou=People,dc=company,dc=dom [files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=company,dc=dom, with filter (&(ou=VPN USERS)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))) [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Group VPN USERS not found or user is not a member. [files] postauth_users: Matched entry DEFAULT at line 2 ++[files] returns ok Thanks, Kyle
participants (1)
-
devnull