LDAP Groups and EAP

Brian Wilson briw111 at yahoo.com
Mon Jan 14 19:47:15 CET 2008


I tried updating to version 2.0.  I like the debug interface much better, it makes it a lot easier to read.  Nice job!

Unfortunately, this upgrade introduced a new issue for me.  When doing group ldap searches, it looks like the Ldap-UserDN variable doesn't get populated.  The server successfully binds and finds the user, but in the expand section:

rlm_ldap: ldap_release_conn: Release Id: 0
        expand: (|(&objectClass=GroupOfNames)(member=%{Ldap-UserDN}))(&objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDN})))->(|(&objectClass=GroupOfNames)(member=))(&(objectClass=GrouOfUniqueNames)(uniquemember=)))

It then fails to find the ldap group, because the member= and uniquemember= are blank.  A few lines below that, though, it comes up with the correct full DN search:

rlm_ldap: performing search in cn=somegroup,ou=something,ou=something with filter (|(&objectClass=GroupOfNames)(member=))(&(objectClass=GrouOfUniqueNames)(uniquemember=)))
rlm_ldap: object not found or got ambigous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing serach in cn=xxx,ou=something,ou=something with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: ldap_get_values failed

I tried using my old config from 1.1, as well as re-writing it, as well as using the new and old ldap.attrmap.  This is verified to work in version 1.1 for me.

This is against eDirectory, configured with the --with-edir option.

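An added diagnostic, not from the thread and not part of FreeRADIUS: it parses rlm_ldap "expand:" debug lines of the kind quoted above, recovers the value each %{...} reference expanded to, and reports references that expanded to nothing, which is what turns the group filter into (member=) and guarantees the search finds no group. The two sample lines are constructed for the example.

```python
import re

# Constructed sample debug lines in the shape rlm_ldap prints them (not real captures).
BROKEN_LINE = (
    "        expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDN}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDN})))"
    "->(|(&(objectClass=GroupOfNames)(member=))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=)))"
)
HEALTHY_LINE = (
    "        expand: (&(objectClass=GroupOfNames)(member=%{Ldap-UserDN}))"
    "->(&(objectClass=GroupOfNames)(member=cn=bwilson,ou=people,o=example))"
)

VAR_REF = re.compile(r"%\{([^}]+)\}")


def parse_expand_line(line):
    """Split an rlm_ldap 'expand: template->result' debug line into its two halves."""
    body = line.strip()
    if body.startswith("expand:"):
        body = body[len("expand:"):].strip()
    template, sep, result = body.partition("->")
    if not sep:
        raise ValueError("not an expand line: %r" % line)
    return template, result


def expanded_values(template, result):
    """Return [(reference, value), ...] for every %{...} in the template.
    The template is turned into a regex: literal text is escaped, each
    reference becomes a capture group matching up to the next ')'.
    Returns None if the result line does not fit the template."""
    parts = VAR_REF.split(template)          # odd indexes are reference names
    names = parts[1::2]
    pattern = "".join(re.escape(p) if i % 2 == 0 else r"([^)]*)"
                      for i, p in enumerate(parts))
    match = re.fullmatch(pattern, result)
    if match is None:
        return None
    return list(zip(names, match.groups()))


def find_empty_expansions(log_lines):
    """Scan debug output; for each expand line report the references that
    expanded to an empty string, e.g. the '(member=)' seen in the thread."""
    findings = []
    for line in log_lines:
        if "expand:" not in line or "->" not in line:
            continue
        values = expanded_values(*parse_expand_line(line))
        if values is None:
            continue
        empties = [name for name, value in values if value == ""]
        if empties:
            findings.append((parse_expand_line(line)[0], empties))
    return findings
```

Feeding the output of "radiusd -X" through find_empty_expansions isolates the unpopulated attribute before looking at the LDAP search itself.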
----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Saturday, January 12, 2008 3:40:39 AM
Subject: Re: LDAP Groups and EAP

Brian Wilson wrote:
>      I am running Freeradius 1.1.0

  Please upgrade to at least 1.1.7.  It solves a lot of security issues,
*and* helps with the problem you're seeing, too.

>    When I try to authenticate, the radius server receives about 7
> Access-requests.

  That's the way EAP works.

>        Notice that there is no additional call to ldap_group between the
> authorize and the resulting failure in the files module.

  The *inner* tunnel session doesn't match a huntgroup.

>      Is there something I'm missing in the configuration file?

  I would suggest trying 2.0.  The new virtual server feature should
make this configuration much simpler.  The new "unlang" feature should
also simplify the writing of policies.

  Alan DeKok.

