checking ad membership
Heinrich, Sebastian
S.Heinrich at aos-stade.de
Tue Apr 10 16:08:43 CEST 2012
Hello,
my aim is that only one group of the Active Directory gets access; the others are rejected. I have read in this thread: http://freeradius.1045715.n5.nabble.com/Conditional-attributes-with-AD-td5541373.html
that you can use the ldap module to check group membership and then act on the result of that check. I use this filter for the group membership check:
groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{<where the group in the ad is>}))"
groupmembership_attribute = memberOf
I get this output from the FreeRADIUS debug:
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=domain,dc=de, with filter (sAMAccountName=heinrich)
[ldap] rebind to URL ldap://domain.de/CN=Configuration,DC=domain,DC=de
[ldap] ldap_release_conn: Release Id: 0
expand: (&(objectClass=group)(member=%{control:cn=group,cn=users,dc=domain,dc=de})) -> (&(objectClass=group)(member=))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=group,cn=users,dc=aos-stade,dc=de, with filter (&(objectClass=group)(member=))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Heinrich\, Sebastian,CN=Users,DC=aos-stade,DC=de, with filter (objectclass=*)
[ldap] performing search in CN=group1,CN=Users,DC=aos-stade,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group2,CN=group4,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group3,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group,CN=group4,CN=Users,DC=aos-stade,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
rlm_ldap::groupcmp: Group cn=group,cn=users,dc=aos-stade,dc=de not found or user not a member
[ldap] ldap_release_conn: Release Id: 0
I have written this in my inner-tunnel:
# reject any user who is not a member of the required AD group
if (!(Ldap-Group == "cn=group,cn=users,dc=domain,dc=de")) {
        update control {
                Auth-Type := Reject
        }
}
Can anybody help me? As I understand the debug output, the group is checked but the user isn't a member of it. I am totally sure that I am a member of the group.
Best Regards
Sebastian Heinrich
Techn. DV
Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade
email S.Heinrich at aos-stade.de
web http://www.aos-stade.de
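The debug output in the post shows where the search goes wrong: the `%{control:...}` expansion in the group filter yields an empty string, so rlm_ldap searches AD for `(&(objectClass=group)(member=))`, which matches no group, and groupcmp reports "not found or user not a member". The stock FreeRADIUS 2.x filter references the authenticating user's DN via `%{control:Ldap-UserDn}`, so the value of `member=` is the user's DN, not the group's. The example below is added by the editor and is not code from the original post or from FreeRADIUS; it rebuilds that membership search in plain Python against a constructed in-memory directory (the DNs `CN=Doe\, Jane,...`, `vpn-users`, `printer-admins` and `DC=example,DC=de` are invented), and also shows why the user DN must be RFC 4515-escaped before it is spliced into the filter: an AD DN such as `CN=Heinrich\, Sebastian,...` contains a backslash, and an unescaped `)` in a value would let the filter be cut short.

```python
"""RFC 4515 filter escaping plus a tiny in-memory evaluator for AND/OR/NOT and
equality filters, enough to reproduce the group-membership search rlm_ldap
runs against Active Directory.  Added example; directory entries and DNs are
constructed for illustration and are not from the original post."""

# RFC 4515 section 3: these characters must be escaped as \XX inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a value so it can be embedded safely in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter_unescape(value):
    """Undo \\XX escapes, as the server does before comparing values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def group_membership_filter(user_dn):
    """The per-group search rlm_ldap performs: a group whose 'member' attribute
    holds the authenticating user's DN.  FreeRADIUS fills the DN from
    %{control:Ldap-UserDn}; here it is a plain argument."""
    return "(&(objectClass=group)(member=%s))" % ldap_filter_escape(user_dn)


def parse_filter(text):
    """Parse the subset (&...), (|...), (!...) and (attr=value) into tuples."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at %d" % pos)
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        return (op, children), pos + 1
    end = text.index(")", pos)            # values are escaped, so no raw ')' inside
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, ldap_filter_unescape(value)), end + 1


def matches(entry, node):
    """Evaluate a parsed filter against an entry of the form {attr_lower: [values]}.
    Attribute names and DN-valued comparisons are treated case-insensitively,
    which is how AD compares them (real DN matching is more lenient still)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


# Constructed directory.  The user's RDN contains an escaped comma, as in the
# post's "CN=Heinrich\, Sebastian" entry, so the DN carries a backslash.
USER_DN = r"CN=Doe\, Jane,CN=Users,DC=example,DC=de"
DIRECTORY = {
    "CN=vpn-users,CN=Users,DC=example,DC=de": {
        "objectclass": ["top", "group"], "cn": ["vpn-users"],
        "member": [USER_DN, "CN=Other,CN=Users,DC=example,DC=de"]},
    "CN=printer-admins,CN=Users,DC=example,DC=de": {
        "objectclass": ["top", "group"], "cn": ["printer-admins"],
        "member": ["CN=Other,CN=Users,DC=example,DC=de"]},
    USER_DN: {"objectclass": ["top", "person", "user"], "samaccountname": ["jdoe"]},
}


def groups_of(directory, user_dn):
    """DNs of every group whose 'member' attribute lists user_dn."""
    node = parse_filter(group_membership_filter(user_dn))
    return sorted(dn for dn, entry in directory.items() if matches(entry, node))


def is_member(directory, user_dn, group_dn):
    """The Ldap-Group comparison: is user_dn a member of group_dn?"""
    return group_dn.lower() in (g.lower() for g in groups_of(directory, user_dn))


if __name__ == "__main__":
    print(group_membership_filter(USER_DN))
    print("groups of user:", groups_of(DIRECTORY, USER_DN))
    # An empty expansion, as in the post's debug output, matches nothing.
    print("empty DN ->", groups_of(DIRECTORY, ""))
```

Running the block prints the escaped filter (`\,` in the DN becomes `\5c,`), the single group the constructed user belongs to, and an empty list for the empty-DN case that corresponds to the `(member=)` search in the debug above. In a FreeRADIUS deployment the escaping is done by the `%{control:Ldap-UserDn}` expansion inside rlm_ldap; the point of doing it by hand here is to see which characters in an AD DN would otherwise break or alter the filter.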