groupmembership_filter for LDAP module [sec: unclas]
Alexei Monastyrnyi
alexeim at orcsoftware.com
Tue Aug 22 15:08:36 CEST 2006
Thanks for your advice!
Something is still missing....
Here is what I have in LDAP section of radiusd.conf
basedn = "dc=mydomain,dc=com"
filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
groupname_attribute = "cn"
And in "users"
DEFAULT Auth-Type = LDAP
DEFAULT LDAP-Group == vpnusers
Service-Type = Administrative-Use
radiusd -X says, when reading the LDAP section:
...
ldap: basedn = "dc=mydomain,dc=com"
ldap: filter =
"(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
"(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = yes
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
...
But it says nothing about any search for the "vpnusers" group during login,
which is still successful for users outside the group...
A.
on 8/22/2006 9:47 AM Ranner, Frank MR wrote:
> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Alexei Monastyrnyi
> Sent: Tuesday, 22 August 2006 07:12
> To: FreeRadius users mailing list
> Subject: groupmembership_filter for LDAP module
>
> Hi List.
>
> I am trying to enable group filter to allow only certain LDAP users to
> be able to login to my VPN hub.
>
> I run FreeRADIUS 1.0.2 on SPARC Solaris 9
>
> All users are in group
> cn=vpnusers,ou=group,dc=mydomain,dc=com
> listed as "memberUid"s
>
> In radiusd.conf I have the following
>
> filter =
> "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
>
> groupmembership_filter =
> (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))
>
> groupmembership_attribute = "vpnusers"
>
> It doesn't seem to work, no sign of searching for "vpnusers" in LDAP
> server logs and users that are not in this group are still able to log
> in.
>
> I may be missing something... Hints of where to look would be highly
> appreciated.
>
> Cheers,
> A.
>
> Reply:
>
> 1. You need to have an LDAP-Group check item in users:
>
> DEFAULT LDAP-Group == vpnusers
> Service-Type = Administrative-User
>
>
> 2. You need groupname_attribute. This is ANDed to the filter to provide (below).
> groupname_attribute = cn
>
> 3. Your filter is overcomplicated, all you need is this:
> (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
> The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2.
>
> That's it. As long as the other stuff is right, like the binddn and the base dn, this
> should at least generate ldap activity in the radiusd -X output.
>
> Regards,
> Frank Ranner
>
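To see what the reply describes in concrete terms, here is an added example (not from the thread or from rlm_ldap itself) that models how the users-file check item `LDAP-Group == vpnusers`, `groupname_attribute` and `groupmembership_filter` combine into the search the module sends, including expansion of the nested `%{Stripped-User-Name:-%{User-Name}}` xlat and RFC 4515 escaping of the request value. The exact form `(&(cn=vpnusers)<groupmembership_filter>)` is assumed from the reply's description; the request values are constructed.

```python
def _match_brace(s: str, start: int) -> int:
    """Return the index of the '}' that closes the '{' at s[start]."""
    depth = 0
    for k in range(start, len(s)):
        if s[k] == "{":
            depth += 1
        elif s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in xlat: %r" % s)

def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr} and %{Attr:-default}. The default may itself be an xlat,
    which is how %{Stripped-User-Name:-%{User-Name}} falls back to User-Name."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _match_brace(template, i + 1)
            name, _, default = template[i + 2:j].partition(":-")
            value = attrs.get(name)
            out.append(value if value is not None else xlat(default, attrs))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping of a value so a username cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_filter(filter_cfg: str, request: dict) -> str:
    """The per-user search built from the 'filter' setting."""
    safe = {k: ldap_escape(v) for k, v in request.items()}
    return xlat(filter_cfg, safe)

def group_filter(groupmembership_filter: str, groupname_attribute: str,
                 ldap_group: str, request: dict) -> str:
    """Search run for 'LDAP-Group == <ldap_group>': (groupname_attribute=group)
    ANDed with the expanded groupmembership_filter (form assumed, see lead-in)."""
    safe = {k: ldap_escape(v) for k, v in request.items()}
    return "(&(%s=%s)%s)" % (groupname_attribute, ldap_group,
                             xlat(groupmembership_filter, safe))

if __name__ == "__main__":
    req = {"User-Name": "alice"}  # constructed request; no Stripped-User-Name present
    print(group_filter("(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))",
                       "cn", "vpnusers", req))
```

The printed filter can be given to ldapsearch against the same basedn to check that it returns the group entry for a member and nothing for a non-member.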