Authorization with LDAP Group, Authentication with MS AD

db7td at gmx.de db7td at gmx.de
Tue May 30 12:18:43 CEST 2006


Hi,

I am doing authentication with smb/ntlm and additionally want to check whether the user belongs to a special group. The first group lookup looks good (it fails, because the user is not in the group), but there is always a second one that grants permission (wrong!):

rlm_ldap: user xxx authorized to use remote access


What can be the reason for this?
  Dietmar



rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=..., with filter (sAMAccountName=xxx)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=....)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=G_wlan-data,ou=Groups,dc=...)))
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=xxx,OU=..., with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns notfound for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for xxx
radius_xlat:  '(sAMAccountName=xxx)'
radius_xlat:  'dc=.....'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=..., with filter (sAMAccountName=xxx)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user xxx authorized to use remote access <--- WHY?!
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0



