Problem with limiting users to group in Active Directory
Hi guys, I am having problems with configuring Radius authentication limiting users to group in Active directory. Here is configuration of LDAP: ldap ldap1 { server = "Server" port = 389 identity = DOMAIN\user password = "password" basedn = "ou=OU,dc=domain,dc=dc,dc=dc" filter = "(sAMAccountName=%{User-Name})" groupmembership_filter = "(member=%{control:Ldap-UserDn})" groupmembership_attribute = "memberOf" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 user { filter = "(sAMAccountName=%{User-Name})" scope = "sub" base_dn = "ou=OU,dc=domain,dc=dc,dc=dc" access_positive = yes rebind = yes chase_referrals=yes } group { base_dn = "ou=OU,dc=domain,dc=dc,dc=dc" filter = "(sAMAccountName=%{User-Name})" scope = 'sub' membership_filter = "(member=%{control:Ldap-UserDn})" membership_attribute = 'memberOf' } tls { start_tls = no ca_file = "/etc/openldap/certs/ldap_certs.pem" require_cert = "demand" } dictionary_mapping = ${confdir}/ldap.attrmap keepalive { idle = 60 probes = 3 interval = 3 } } Policy: check_ldap_group_vpn { if (&ldap1-LDAP-Group[*] == "CN=group,OU=Groups,OU=OU,OU=OU,DC=DOMAIN,DC=DC,DC=DC") { ok } else { reject } } In sites-enabled for radius, I have specify this: authorize { suffix guard_vpn_file Autz-Type LDAPS-VPN { redundant { ldap1 ldap2 } check_ldap_group_vpn expiration } } Authentication is not working. Here are logs: rlm_ldap (ldap1): Reserved connection (0) (392) ldap1: EXPAND (sAMAccountName=%{User-Name}) (392) ldap1: --> (sAMAccountName=user) (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub" (392) ldap1: Waiting for search result... (392) ldap1: User object found at DN "..." rlm_ldap (ldap1): Released connection (0) (392) [ldap1] = ok (392) } # redundant = ok (392) policy check_ldap_group_vpn { (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" rlm_ldap (ldap1): Reserved connection (0) (392) Using user DN from request "CN=user" rlm_ldap (ldap1): Released connection (0) (392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE (392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" rlm_ldap (ldap2): Reserved connection (0) (392) Using user DN from request "CN=user" rlm_ldap (ldap2): Released connection (0) (392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" (392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE (392) else { (392) [reject] = reject (392) } # else = reject (392) } # policy check_ldap_group_vpn = reject (392) } # Autz-Type LDAPS-VPN = reject User is member of group. Same configuration we are having for other domain and its working. Thank you for any advise! Best, Erik
On Nov 28, 2021, at 12:32 PM, Erik Frangež via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am having problems with configuring Radius authentication limiting users to group in Active directory.
Here is configuration of LDAP:
We don't need to see that. Read http://wiki.freeradius.org/list-help
In sites-enabled for radius, I have specify this:
We don't need to see that, either.
Authentication is not working. Here are logs:
Part of the logs. But whatever...
rlm_ldap (ldap1): Reserved connection (0) (392) ldap1: EXPAND (sAMAccountName=%{User-Name}) (392) ldap1: --> (sAMAccountName=user) (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub" (392) ldap1: Waiting for search result... (392) ldap1: User object found at DN "..." rlm_ldap (ldap1): Released connection (0) (392) [ldap1] = ok (392) } # redundant = ok (392) policy check_ldap_group_vpn { (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") { (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
That seems wrong. "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" ? Why the repetition? The default configuration works. The file mods-available/ldap has detailed instructions for getting it working with Active Directory. Follow the instructions, and it should work.
User is member of group. Same configuration we are having for other domain and its working.
Is it *exactly* the same? i.e. with the same "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" repetition? Alan DeKok.
participants (2)
-
Alan DeKok -
Erik Frangež