Ldap group
Bert Beaudin
bbeaudin at relianceglobalcom.com
Thu Oct 9 20:10:10 CEST 2008
Hello
I have LDAP working to authenticate users to a Cisco switch. I now want to
limit it to group membership. Any help would be great.
Here is what I have in my LDAP config for the groups.
# Group membership checking. Disabled by default.
#
groupname_attribute = "cn"
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = "radius"
#compare_check_items = yes
# do_xlat = yes
#access_attr_used_for_allow = yes
Here is what I see in my logs with radiusd -X
Ready to process requests.
rad_recv: Access-Request packet from host 10.12.8.230 port 1645, id=35, length=86
User-Name = "bbeaudin"
User-Password = "xxxxxxx^"
NAS-Port = 194
NAS-Port-Id = "tty194"
NAS-Port-Type = Virtual
Calling-Station-Id = "10.12.8.71"
NAS-IP-Address = 10.12.8.230
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "bbeaudin", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
rlm_ldap: Entering ldap_groupcmp()
expand: OU=Employees,DC=yipes,DC=com -> OU=Employees,DC=yipes,DC=com
expand: (&(samaccountname=%{user-name})) -> (&(samaccountname=bbeaudin))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to dendc1.yipes.com:389, authentication 0
rlm_ldap: bind as bbeaudin at yipes.com/xxxxxxxx to dendc1.yipes.com:389
rlm_ldap: waiting for bind result ...
request done: ld 0x121a6760 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in OU=Employees,DC=yipes,DC=com, with filter (&(samaccountname=bbeaudin))
request done: ld 0x121a6760 msgid 2
rlm_ldap: ldap_release_conn: Release Id: 0
expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dBert Beaudin\2cOU\3dIT Staff\2cOU\3dEmployees\2cDC\3dyipes\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=radius,dc=yipes,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=CN\3dBert Beaudin\2cOU\3dIT Staff\2cOU\3dEmployees\2cDC\3dyipes\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
request done: ld 0x121a6760 msgid 3
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in CN=Bert Beaudin,OU=IT Staff,OU=Employees,DC=yipes,DC=com, with filter (objectclass=*)
request done: ld 0x121a6760 msgid 4
rlm_ldap::ldap_groupcmp: ldap_get_values() failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for bbeaudin
expand: (&(samaccountname=%{user-name})) -> (&(samaccountname=bbeaudin))
expand: OU=Employees,DC=yipes,DC=com -> OU=Employees,DC=yipes,DC=com
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in OU=Employees,DC=yipes,DC=com, with filter (&(samaccountname=bbeaudin))
request done: ld 0x121a6760 msgid 5
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: Pairs do not match. Rejecting user.
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns reject
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> bbeaudin
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 35 to 10.12.8.230 port 1645
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 35 with timestamp +9
Ready to process requests.
Thanks,
Bert Beaudin
Systems Administrator
RelianceGlobalcom Services, Inc.
Office: 303-785-6641
Cell: 303-478-7789
Fax: 415-677-9534
bbeaudin at relianceglobalcom.com
www.relianceglobalcom.com
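The debug output in the post shows the second branch of groupmembership_filter expanding to `(uniquemember=)`: the unqualified `%{Ldap-UserDn}` reads the request list, where rlm_ldap never put the DN, while `%{control:Ldap-UserDn}` expands to the user's DN. The Python below is an added example, not code from the post or from FreeRADIUS; it replays that xlat expansion and reports which references came out empty, so the same defect can be spotted before a filter is deployed. The escaping rule is an approximation of what rlm_ldap 2.x does to expanded values (the log shows `=` and `,` as `\3d` and `\2c`), and the attribute lists are constructed from values visible in the log.

```python
"""Replay the xlat expansion of the post's groupmembership_filter and flag empty assertions."""
import re

# rlm_ldap (2.x) escapes expanded values before they go into a filter; the post's debug output
# shows '=' and ',' as \3d and \2c. This approximates that behaviour; it is not the module's code.
UNSAFE = set(',+"\\<>;*=()')


def ldap_escape(value: str) -> str:
    out = []
    for i, c in enumerate(value):
        if c in UNSAFE or (i == 0 and c in " #"):
            out.append("\\%02x" % ord(c))
        else:
            out.append(c)
    return "".join(out)


XLAT = re.compile(r"%\{(?:(?P<list>control|request|reply):)?(?P<attr>[A-Za-z0-9-]+)\}")


def expand(template: str, lists: dict) -> tuple:
    """Expand %{Attr} / %{list:Attr}. Returns (filter, empties), where empties lists the
    references that expanded to nothing. Unqualified names read only the request list, as in 2.x."""
    empties = []

    def sub(m):
        value = lists.get(m.group("list") or "request", {}).get(m.group("attr").lower(), "")
        if value == "":
            empties.append(m.group(0))
        return ldap_escape(value)

    return XLAT.sub(sub, template), empties


# Constructed from the post: rlm_ldap stores the user's DN as control:Ldap-UserDn after the
# user search; the request list only carries what the NAS sent (User-Name etc.).
USER_DN = "CN=Bert Beaudin,OU=IT Staff,OU=Employees,DC=yipes,DC=com"
LISTS = {"request": {"user-name": "bbeaudin"}, "control": {"ldap-userdn": USER_DN}}
POSTED_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                 "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
# Same filter with the list qualifier on both references.
FIXED_FILTER = POSTED_FILTER.replace("%{Ldap-UserDn}", "%{control:Ldap-UserDn}")

if __name__ == "__main__":
    for name, tmpl in (("posted", POSTED_FILTER), ("fixed", FIXED_FILTER)):
        flt, empties = expand(tmpl, LISTS)
        print(f"{name}: {flt}")
        print("  empty expansions:", empties or "none")
```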