Problem with LDAP group searches

Graham, Robert rgraham at mem-ins.com
Fri Jun 17 21:34:57 CEST 2005


>> I'm trying to get Freeradius configured to authenticate our vpn users
>> from a Cisco 3005 concentrator against Active Directory using the ldap
>> module.  When I authenticated a vpn user on a per user basis - it works
>> fine.  However, I want to authenticate not only the user, but also verify
>> that the user is a member of a "group" in active directory.  I was
>> following Dustin Doris's suggestion on Per-Client "group" matching and
>> configured the huntgroups, users, and radiusd.conf accordingly.
>> However, it seems to fail doing a group lookup.  I don't know if it
>> matters, but the user object and group object in Active Directory are in
>> different containers (OU's).  Any help would be appreciated.
>>
>
>You need to specify where the groups are located in AD.

But isn't this the purpose of setting the basedn in radiusd.conf?  Or is there another setting that I need to configure for ldap group searches?

>
>> rlm_ldap: Entering ldap_groupcmp() radius_xlat:  'ou=mem
>> users,dc=mem-ins,dc=com' radius_xlat:
>> '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com)))' rlm_ldap: ldap_get_conn: Checking Id: 0
>> rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mem
>> users,dc=mem-ins,dc=com, with filter
>> (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM
>> Users,DC=mem-ins,DC=com)))) rlm_ldap: object not found or got ambiguous
>> search result rlm_ldap: ldap_release_conn: Release Id: 0
>> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a
>> member.
>>     users: Matched DEFAULT at 166
>
>The user was not found in that group, based on the lookup above.

The user is a member of the MEMVPNFlex group in AD.

>
>>  groupname_attribute = cn
>>  groupmembership_filter =
>>  "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
>>   (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>  groupmembership_attribute = radiusGroupName
>
>You have to modify these so you can find the group memberships.  For
>example, how would you perform an ldapsearch from the command line to
>find group memberships?  Take that info and put it there.  Make sure the
>user you are binding with has access to read those groups.
>
>Hope that is a little helpful.
>
>
>
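Added example, not code from this thread or from FreeRADIUS: a small LDAP filter evaluator in Python, run against a constructed Active Directory group entry, to show why the groupmembership_filter quoted above cannot match an AD group and what a filter aimed at AD's group schema looks like. The user DN and group name are taken from the debug output above; the group entry itself is constructed, and the filter wrapping mirrors the "(&(cn=...)...)" form rlm_ldap printed.

```python
# Added example: evaluate rlm_ldap-style group filters against a constructed
# AD group entry. Not part of the thread or of FreeRADIUS.
USER_DN = "CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com"

# Constructed AD group entry: AD groups carry objectClass "group" and list
# their members in "member"; they are not GroupOfNames/GroupOfUniqueNames.
AD_GROUP = {
    "cn": ["MEMVPNFlex"],
    "objectClass": ["top", "group"],
    "member": [USER_DN],
}

def parse(f):
    """Parse an LDAP filter into ('&'|'|', [children]) or ('=', attr, value)."""
    def node(i):
        assert f[i] == "(", "filter must start with '('"
        if f[i + 1] in "&|":
            op, kids, i = f[i + 1], [], i + 2
            while f[i] != ")":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        close = f.index(")", i)          # DN values contain no ')'
        attr, value = f[i + 1:close].split("=", 1)
        return ("=", attr, value), close + 1
    tree, end = node(0)
    assert end == len(f), "trailing characters after filter"
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict attr -> list of values).
    Names and values compare case-insensitively, as LDAP does for DNs."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    _, attr, value = tree
    vals = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return any(value.lower() == v.lower() for v in vals)

# The membership filter exactly as rlm_ldap expanded it in the debug output.
THREAD_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%s))"
                 "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s)))") % (USER_DN, USER_DN)
# A filter that targets AD's group schema instead.
AD_FILTER = "(&(objectClass=group)(member=%s))" % USER_DN

def group_check(filter_str, group_cn="MEMVPNFlex", entry=AD_GROUP):
    """Mirror ldap_groupcmp: AND the group-name clause with the membership filter."""
    return matches(parse("(&(cn=%s)%s)" % (group_cn, filter_str)), entry)
```

The evaluator models only the filter; the search base (ou=mem users,dc=mem-ins,dc=com) must also cover the OU where the groups live, which is the other point the reply raises.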