Problem with LDAP group searches

Graham, Robert rgraham at mem-ins.com
Fri Jun 17 10:27:24 CEST 2005 

I'm trying to get Freeradius configured to authenicate our vpn users from a Cisco 3005 concentrator against Active Directory using the ldap module.  When I authenicated a vpn user on a per user basis - it works fine.  However, I want authenicate not only the user, but also verify that the user is a member of a "group" in active directory.  I was following Dustin Doris's suggestion on Per-Client "group" matching and configured the huntgroups, users, and radiusd.conf accordingly.  However, it seems to fail doing a group lookup.  I don't know if it matters, but the user object and group object in Active Directory are in different containers (OU's).  Any help would be appreciated.  

Thanks
Robert Graham

##########
Debug out:
##########

rad_recv: Access-Request packet from host 172.16.1.91:1054, id=40, length=119
        User-Name = "rgraham"
        User-Password = "XXXXXXXXXX"
        NAS-Port = 1036
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = "192.168.15.1"
        Calling-Station-Id = "192.168.15.2"
        Tunnel-Client-Endpoint:0 = "192.168.15.2"
        NAS-IP-Address = 172.16.1.91
        NAS-Port-Type = Virtual
rad_lowerpair:  User-Name now 'rgraham'
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for rgraham
radius_xlat:  '(sAMAccountName=rgraham)'
radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mem_co_dept1.mem-ins.com:389, authentication 0
rlm_ldap: bind as cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com/XXXXXXXXXX to mem_co_dept1.mem-ins.com:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (sAMAccountName=rgraham)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user rgraham authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "rgraham", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member.
    users: Matched DEFAULT at 166
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 40 to 172.16.1.91:1054
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 40 with timestamp 42b1c93a
Nothing to do.  Sleeping until we see a request.

############
Users file:
############

DEFAULT Huntgroup-Name == vpnusers, LDAP-Group == MEMVPNFlex, Auth-Type := LDAP
        OU = TestGroup
        Fall-Through = 1

############
huntgroup
############

vpnusers        NAS-IP-Address == 172.16.1.91

#######################
ldap section of radiusd.conf
#######################

 ldap {
                server = "mem_co_dept1.mem-ins.com"
                basedn = "ou=mem users,dc=mem-ins,dc=com"
                filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
                identity = "cn=administrator,ou=admin,ou=mem users,dc=mem-ins,dc=com"
                password = XXXXXXXXXX
                start_tls = no
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                ldap_connections_number = 5
	    password_attribute = userPassword
                groupname_attribute = cn
                groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                groupmembership_attribute = radiusGroupName
                timeout = 4
                timelimit = 3
                net_timeout = 1
                }
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050617/627eccde/attachment.html>

More information about the Freeradius-Users mailing list