Active directory groups

Doty, Seth seth.doty at nebraska.gov
Fri May 20 17:27:30 CEST 2011


I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this
results in the same failure in the group section.
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed


I can't remove the ou=test portion or authentication fails completely and
I get a reject:
 [ldap] performing user authorization for seth.doty
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	expand: %{User-Name} -> seth.doty
[ldap] 	expand: (CN=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(CN=seth.doty)
[ldap] 	expand: dc=ad,dc=ne,dc=gov -> dc=ad,dc=ne,dc=gov
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to ad.ne.gov:389, authentication 0
rlm_ldap: bind as stn\seth.doty/ to stone.ne.gov:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=ad,dc=ne,dc=gov, with filter
(CN=seth.doty)
rlm_ldap: ldap_search() failed: Operations error
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns fail



On Fri, 2011-05-20 at 15:26 +0100, Phil Mayers wrote:
> On 20/05/11 15:14, Doty, Seth wrote:
> > I must be doing something wrong in my filtering because it keeps dumping
> > me into unclassified instead of passing the group I assigned. I have
> > set up a security group specifically for this test and I am indeed in the
> > group.
> >
> > I set it up like this in sites-enabled/inner-tunnel because it seemed
> > this manner was a little more flexible for our needs:
> >
> > post-auth {
> >          if (Ldap-Group == "CN=STNE_Wireless_Authentication,ou=Security
> > Groups,ou=test,ou=test,dc=AD,dc=ne,dc=gov") {
> 
> This is wrong. You don't give the group DN. You give the value of 
> "groupname_attribute" in the ldap module, defaults to "cn", i.e.
> 
> post-auth {
>    if (Ldap-Group == STNS_Wireless_Authentication) {
>      ..
>    }
> }
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
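As an added illustration, not code from FreeRADIUS or from either poster: a small Python emulation of the group search Phil describes, using a constructed in-memory directory whose DNs are modelled on the thread. The filter shape (&(cn=VALUE)(member=USERDN)) is an assumption that simplifies the module's real groupmembership_filter; the point it shows is that a full group DN can never match the cn attribute, while the cn value does.

```python
"""Toy emulation of an Ldap-Group style check (not rlm_ldap code).
A minimal filter evaluator over constructed entries shows why the unlang
check value must be the groupname_attribute (cn) value, not the group DN."""

# Constructed entries; DNs are modelled on the ones in the thread, not real data.
USER_DN = "cn=seth.doty,ou=Users,ou=test,dc=ad,dc=ne,dc=gov"
GROUP_DN = "cn=STNE_Wireless_Authentication,ou=Security Groups,ou=test,dc=ad,dc=ne,dc=gov"
DIRECTORY = {
    USER_DN: {"cn": ["seth.doty"], "memberof": [GROUP_DN]},
    GROUP_DN: {"cn": ["STNE_Wireless_Authentication"], "member": [USER_DN]},
}

def parse_filter(text, pos=0):
    """Parse (attr=value) and (&(..)(..)) filters into tuples; returns (node, next_pos)."""
    assert text[pos] == "(", "filter must start with '('"
    if text[pos + 1] == "&":
        pos += 2
        children = []
        while text[pos] != ")":
            node, pos = parse_filter(text, pos)
            children.append(node)
        return ("and", children), pos + 1
    end = text.index(")", pos)
    attr, value = text[pos + 1:end].split("=", 1)  # first '=' separates attr from value
    return ("eq", attr.lower(), value.lower()), end + 1

def matches(entry, node):
    """Evaluate a parsed filter against one entry, case-insensitively like AD."""
    if node[0] == "and":
        return all(matches(entry, child) for child in node[1])
    _, attr, value = node
    return value in [v.lower() for v in entry.get(attr, [])]

def search(base_dn, filter_text):
    """Return DNs of entries under base_dn (subtree scope) matching the filter."""
    node, _ = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(entry, node)]

def ldap_group_check(user_dn, check_value, base_dn, groupname_attribute="cn"):
    """Emulate the module's group search: the unlang value is matched against
    groupname_attribute and the user's DN must appear in the group's member list."""
    filter_text = f"(&({groupname_attribute}={check_value})(member={user_dn}))"
    return len(search(base_dn, filter_text)) > 0

if __name__ == "__main__":
    base = "ou=test,dc=ad,dc=ne,dc=gov"
    print("cn value :", ldap_group_check(USER_DN, "STNE_Wireless_Authentication", base))
    print("group DN :", ldap_group_check(USER_DN, GROUP_DN, base))
```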