ldap group auth - always allowing user.

devnull devnull at regxsolutions.com
Wed Mar 10 18:25:06 CET 2010


I still have to better figure out how to correctly search for "VPN
Users", but it will still allow access if it does not find a user in
that group. I have the following in: postauth_users

Shouldn't the "DEFAULT Auth-Type := Reject" reject that user since it
did not find him in the group?

DEFAULT Ldap-Group == "VPN USERS", Auth-Type := Accept
DEFAULT Auth-Type := Reject
        Fall-Through  = no

In debug I can see,

Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "vtest" with password "test1234"
[ldap] user DN: uid=vtest,ou=People, dc=company, dc=dom
  [ldap] (re)connect to company-bk1.company.dom:389, authentication 1
  [ldap] bind as uid=vtest,ou=People, dc=company, dc=dom/test1234 to
company-bk1.company.dom:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user vtest authenticated succesfully
++[ldap] returns ok
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
[files] 	expand: ou=People,dc=company,dc=dom -> ou=People,dc=company,dc=dom
[files] 	expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
-> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in ou=People,dc=company,dc=dom, with filter
(&(ou=VPN USERS)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group VPN USERS not found or user is not a member.
[files] postauth_users: Matched entry DEFAULT at line 2
++[files] returns ok

Thanks,

Kyle
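An added defender's check, not part of Kyle's post or of FreeRADIUS itself: a small Python script that scans radiusd -X output like the excerpt above and flags the fail-open pattern it shows (the group filter expanded with an empty member value, ldap_groupcmp reporting not-a-member, and post-auth still returning ok rather than reject). The sample lines are constructed from the excerpt; the regexes assume the 2.x debug line formats seen there.

```python
import re

# Constructed sample, modelled on the radiusd -X excerpt in the post (trimmed).
SAMPLE_LOG = """\
++[ldap] returns ok
+- entering group post-auth {...}
  [ldap] Entering ldap_groupcmp()
  [ldap] performing search in ou=People,dc=company,dc=dom, with filter (&(ou=VPN USERS)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
  [ldap] object not found
rlm_ldap::ldap_groupcmp: Group VPN USERS not found or user is not a member.
[files] postauth_users: Matched entry DEFAULT at line 2
++[files] returns ok
"""

# "(member=)" or "(uniquemember=)" means %{Ldap-UserDn} expanded to nothing.
EMPTY_MEMBER = re.compile(r"\((?:unique)?member=\)")
GROUP_FAIL = re.compile(r"ldap_groupcmp: Group (?P<group>.+?) not found or user is not a member")
SECTION = re.compile(r"^\+- entering group (?P<name>\S+)")
RETURNS = re.compile(r"^\+\+\[(?P<module>[^\]]+)\] returns (?P<rcode>\w+)")


def analyse(log: str) -> dict:
    """Walk the debug output and report what the group check actually did."""
    result = {"group": None, "group_check_failed": False,
              "empty_member_filter": False, "post_auth_rcodes": []}
    section = None
    for line in log.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if EMPTY_MEMBER.search(line):
            result["empty_member_filter"] = True
        m = GROUP_FAIL.search(line)
        if m:
            result["group"] = m.group("group")
            result["group_check_failed"] = True
        m = RETURNS.match(line)
        if m and section == "post-auth":
            result["post_auth_rcodes"].append((m.group("module"), m.group("rcode")))
    # Fail-open: membership test failed, yet nothing in post-auth returned reject.
    result["fail_open"] = result["group_check_failed"] and all(
        rcode != "reject" for _, rcode in result["post_auth_rcodes"])
    return result


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```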
