(no subject)

Graham, Robert rgraham at mem-ins.com
Fri Jun 17 20:39:05 CEST 2005


Thanks for the response.  I was kind of wondering if the location of the group in Active Directory was an issue.  But that brings up another question.  Doesn't a ldapsearch use the basedn as a starting point?  If instance, I have the basedn set as follows in radiusd.conf:

basedn = "ou=mem users,dc=mem-ins,dc=com"

And the structure of our AD is:

    |_MEM Users

And why is it that it can find the user "rgraham" but not the group.  

> I'm trying to get Freeradius configured to authenicate our vpn users
> from a Cisco 3005 concentrator against Active Directory using the ldap
> module.  When I authenicated a vpn user on a per user basis - it works
> fine.  However, I want authenicate not only the user, but also verify
> that the user is a member of a "group" in active directory.  I was
> following Dustin Doris's suggestion on Per-Client "group" matching and
> configured the huntgroups, users, and radiusd.conf accordingly.
> However, it seems to fail doing a group lookup.  I don't know if it
> matters, but the user object and group object in Active Directory are in
> different containers (OU's).  Any help would be appreciated.

You need to specify where the groups are located in AD.

> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
> users,dc=mem-ins,dc=com' radius_xlat:
> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
> users,dc=mem-ins,dc=com, with filter
> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
> search result rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
> member.
>     users: Matched DEFAULT at 166

The user was not found in that group, based on the lookup above.

>  groupname_attribute = cn
>  groupmembership_filter =
>  "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
>   (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  groupmembership_attribute = radiusGroupName

You have to modify these so you can find the group memberships.  For
example, how would you perform an ldapsearch from the command line to
find group memberships?  Take that info and put it there.  Make sure the
user you are binding with has access to read those groups.

Hope that is a little helpful.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20050617/78a421d7/attachment.html>

More information about the Freeradius-Users mailing list