RE: groupmembership_filter for LDAP module [sec: unclas]
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Alexei Monastyrnyi Sent: Tuesday, 22 August 2006 07:12 To: FreeRadius users mailing list Subject: groupmembership_filter for LDAP module Hi List. I am trying to enable group filter to allow only certain LDAP users to be able to login to my VPN hub. I run FreeRADIUS 1.0.2 on SPARC Solaris 9 All users are in group cn=vpnusers,ou=group,dc=mydomain,dc=com listed as "memberUid"s In radiusd.conf I have the following filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Nam e:-%{User-Name}})) groupmembership_attribute = "vpnusers" It doesn't seem to work, no sign of searching for "vpnusers" in LDAP server logs and users that are not in this group are still able to log in. I may be missing something... Hints of where to look would be highly appreciated. Cheers, A. Reply: 1. You need to have an LDAP-Group check item in users: DEFAULT LDAP-Group == vpnusers Service-Type = Administrative-User 2. You need groupname_attribute. This is ANDed to the filter to provide (below). groupname_attribute = cn 3. Your filter is overcomplicated, all you need is this: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}} )) The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2. That's it. As long as the other stuff is right like the binddn, the base dn this should at least generate ldap activity in the radiusd -X output. Regards, Frank Ranner
Thanks for your advice! Something is still missing.... Here is what I have in LDAP section of radiusd.conf basedn = "dc=mydomain,dc=com" filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{U ser-Name}}))" groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stri pped-User-Name:-%{User-Name}})) groupname_attribute = "cn" And in "users" DEFAULT Auth-Type = LDAP DEFAULT LDAP-Group == vpnusers Service-Type = Administrative-Use radiusd -X says when reading LDAP section ... ldap: basedn = "dc=mydomain,dc=com" ldap: filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))" ldap: base_filter = "(objectclass=radiusprofile)" ldap: default_profile = "(null)" ldap: profile_attribute = "(null)" ldap: password_header = "(null)" ldap: password_attribute = "(null)" ldap: access_attr = "(null)" ldap: groupname_attribute = "cn" ldap: groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))" ldap: groupmembership_attribute = "(null)" ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap" ldap: ldap_debug = 0 ldap: ldap_connections_number = 5 ldap: compare_check_items = yes ldap: access_attr_used_for_allow = yes ldap: do_xlat = yes rlm_ldap: Registering ldap_groupcmp for Ldap-Group ... But it says nothing about any search for "vpnusers" group during login, which is still successful for users outside the group.... A. on 8/22/2006 9:47 AM Ranner, Frank MR wrote:
-----Original Message----- From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Alexei Monastyrnyi Sent: Tuesday, 22 August 2006 07:12 To: FreeRadius users mailing list Subject: groupmembership_filter for LDAP module
Hi List.
I am trying to enable group filter to allow only certain LDAP users to be able to login to my VPN hub.
I run FreeRADIUS 1.0.2 on SPARC Solaris 9
All users are in group cn=vpnusers,ou=group,dc=mydomain,dc=com listed as "memberUid"s
In radiusd.conf I have the following
filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Nam e:-%{User-Name}}))
groupmembership_attribute = "vpnusers"
It doesn't seem to work, no sign of searching for "vpnusers" in LDAP server logs and users that are not in this group are still able to log in.
I may be missing something... Hints of where to look would be highly appreciated.
Cheers, A.
Reply:
1. You need to have an LDAP-Group check item in users:
DEFAULT LDAP-Group == vpnusers Service-Type = Administrative-User
2. You need groupname_attribute. This is ANDed to the filter to provide (below). groupname_attribute = cn
3. Your filter is overcomplicated, all you need is this: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}} )) The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2.
That's it. As long as the other stuff is right like the binddn, the base dn this should at least generate ldap activity in the radiusd -X output.
Regards, Frank Ranner
participants (2)
-
Alexei Monastyrnyi -
Ranner, Frank MR