Can't load LDAP groups 3.0.7
Hi All, I am trying to reconfigure from version 2.1.12 to 3.0.7 and I am having an issue checking LDAP groups in the post-auth section. I'm doing EAP-PEAP for authentication, and I want to check for group membership in post-auth, and assign a VLAN. I've tried putting the check in post-auth of "inner-tunnel" as well as post-auth of "default". The result was the same. I'm expecting to see a comparison of all the users groups with the one I have specified, but that does not occur. I do see a successful search for the user: rlm_ldap (ldap): Reserved connection (4) (8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (samaccountname=daldwinc) (8) ldap: Performing search in "x" with filter "(samaccountname=user1)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "CN=David A (x),x" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok 2.1.12 LDAP config: ldap x.ldap { server = "x" identity = "x" port = 636 password = x basedn = "dc=x" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 50 timeout = 20 timelimit = 20 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = userPassword edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" groupmembership_attribute = memberof set_auth_type = yes } 3.0.7 LDAP config: ldap { server = 'x' port = 389 identity = 'x' password = x base_dn = 'x' update { control:Password-With-Header += 'userPassword' control: += 'radiusCheckAttributes' reply: += 'radiusReplyAttributes' } user { base_dn = 'x' filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = 'x' filter = '(objectClass=posixGroup)' membership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" membership_attribute = 'memberOf' } profile { } client { base_dn = 'x' filter = '(objectClass=radiusClient)' attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } options { chase_referrals = yes rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = yes ca_file = ${certdir}/ca.pem ca_path = ${certdir} certificate_file = ${certdir}/x.ca-2015-12.crt private_key_file = ${certdir}/x.ca.key } pool { start = 5 min = 4 max = ${thread[pool].max_servers} spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 retry_delay = 1 } } /etc/raddb/sites-enabled/inner-tunnel: server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } session { radutmp } post-auth { -sql ldap if (ldap-LDAP-Group == group1 ) { update reply { Aruba-User-Vlan := 1020 } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap } Debug excerpt (forgive me for not including the full output, its very cumbersome to sanitize.) (8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) [ldap] = noop (8) if (ldap-LDAP-Group == group1 ) { (8) if (ldap-LDAP-Group == group1 ) -> FALSE (8) } # post-auth = noop Thanks in advance, Dave -- Dave Aldwinckle
I discovered the problem: /etc/raddb/mods-enabled/ldap # Override the normal cache attribute (<inst>-LDAP-Group) # and create a custom attribute. This can help if multiple # module instances are used in fail-over. I was referring to ldap-LDAP-Group as suggested by the documentation. I removed the instance name and tried LDAP-Group and everything worked as expected. Dave Aldwinckle On 15-05-25 12:27 PM, Dave Aldwinckle wrote:
Hi All,
I am trying to reconfigure from version 2.1.12 to 3.0.7 and I am having an issue checking LDAP groups in the post-auth section.
I'm doing EAP-PEAP for authentication, and I want to check for group membership in post-auth, and assign a VLAN. I've tried putting the check in post-auth of "inner-tunnel" as well as post-auth of "default". The result was the same. I'm expecting to see a comparison of all the users groups with the one I have specified, but that does not occur.
I do see a successful search for the user:
rlm_ldap (ldap): Reserved connection (4) (8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}}) (8) ldap: --> (samaccountname=daldwinc) (8) ldap: Performing search in "x" with filter "(samaccountname=user1)", scope "sub" (8) ldap: Waiting for search result... (8) ldap: User object found at DN "CN=David A (x),x" (8) ldap: Processing user attributes (8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (4) (8) [ldap] = ok
2.1.12 LDAP config:
ldap x.ldap { server = "x" identity = "x" port = 636 password = x basedn = "dc=x" filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 50 timeout = 20 timelimit = 20 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap password_attribute = userPassword edir_account_policy_check = no groupname_attribute = cn groupmembership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" groupmembership_attribute = memberof set_auth_type = yes }
3.0.7 LDAP config:
ldap { server = 'x' port = 389 identity = 'x' password = x base_dn = 'x' update { control:Password-With-Header += 'userPassword' control: += 'radiusCheckAttributes' reply: += 'radiusReplyAttributes' } user { base_dn = 'x' filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})" } group { base_dn = 'x' filter = '(objectClass=posixGroup)' membership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))" membership_attribute = 'memberOf' } profile { } client { base_dn = 'x' filter = '(objectClass=radiusClient)' attribute { ipaddr = 'radiusClientIdentifier' secret = 'radiusClientSecret' } } options { chase_referrals = yes rebind = yes timeout = 10 timelimit = 3 net_timeout = 1 idle = 60 probes = 3 interval = 3 ldap_debug = 0x0028 } tls { start_tls = yes ca_file = ${certdir}/ca.pem ca_path = ${certdir} certificate_file = ${certdir}/x.ca-2015-12.crt private_key_file = ${certdir}/x.ca.key } pool { start = 5 min = 4 max = ${thread[pool].max_servers} spare = 3 uses = 0 lifetime = 0 idle_timeout = 60 retry_delay = 1 } }
/etc/raddb/sites-enabled/inner-tunnel:
server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { &Proxy-To-Realm := LOCAL } eap { ok = return } files -sql -ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } eap } session { radutmp } post-auth { -sql ldap if (ldap-LDAP-Group == group1 ) { update reply { Aruba-User-Vlan := 1020 } } Post-Auth-Type REJECT { -sql attr_filter.access_reject update outer.session-state { Module-Failure-Message := &request:Module-Failure-Message } } } pre-proxy { } post-proxy { eap }
Debug excerpt (forgive me for not including the full output, its very cumbersome to sanitize.)
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel (8) post-auth { (8) [ldap] = noop (8) if (ldap-LDAP-Group == group1 ) { (8) if (ldap-LDAP-Group == group1 ) -> FALSE (8) } # post-auth = noop
Thanks in advance, Dave
On 25 May 2015, at 13:53, Dave Aldwinckle <daldwinc@uwaterloo.ca> wrote:
I discovered the problem:
/etc/raddb/mods-enabled/ldap
# Override the normal cache attribute (<inst>-LDAP-Group) # and create a custom attribute. This can help if multiple # module instances are used in fail-over.
I was referring to ldap-LDAP-Group as suggested by the documentation. I removed the instance name and tried LDAP-Group and everything worked as expected.
Right, because you didn't provide an instance name, you just used the default instance. ldap { } Right? I'll add a note about that. -Arran
Hi Arran, That's correct, I'm using the default instance. Regards, Dave On 15-05-25 02:02 PM, Arran Cudbard-Bell wrote:
On 25 May 2015, at 13:53, Dave Aldwinckle <daldwinc@uwaterloo.ca> wrote:
I discovered the problem:
/etc/raddb/mods-enabled/ldap
# Override the normal cache attribute (<inst>-LDAP-Group) # and create a custom attribute. This can help if multiple # module instances are used in fail-over.
I was referring to ldap-LDAP-Group as suggested by the documentation. I removed the instance name and tried LDAP-Group and everything worked as expected. Right, because you didn't provide an instance name, you just used the default instance.
ldap {
}
Right?
I'll add a note about that.
-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Arran Cudbard-Bell -
Dave Aldwinckle