Conditional attributes with AD

Matthew Newton mcn4 at leicester.ac.uk
Tue Mar 13 00:19:20 CET 2012


Hi,

On Mon, Mar 12, 2012 at 09:07:23PM +0000, Scott McLane Gardner wrote:
> ++? if (Ldap-Group == "PWHC Secure Wireless")
>   [ldap] Entering ldap_groupcmp()
> 	expand: ou=usersusers,dc=example,dc=com -> ou=users,dc=example,dc=com
> 	expand: 
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupO
> fUniqueNames)(uniquemember=%{Ldap-UserDn}))) ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(
> uniquemember=)))
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=users,dc=example,dc=com, with filter
> (&(memberOf=PWHC Secure
> Wireless)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniq
> ueNames)(uniquemember=))))
>   [ldap] object not found

This is what freeradius is searching ^^^

> It looks to me like it's binding and searching and deciding that I'm not a
> member of that group, however I know that I am because if I do a
> command-line ldapsearch it shows that I'm a member of that group.

You're not searching the same thing:

> # ldapsearch -x -b 'ou=users,dc=example,dc=com' -h adserver.example.com -D
> cn=admin,ou=users,dc=example,dc=com -w password 'cn=username' memberOf

> Can anyone tell me what I'm doing wrong?

Try looking at the groupmembership_filter option - work out a
search that works on the command line (with a filter), and then
fit that filter into the ldap config.

It should probably be something like (untested)

groupname_attribute = cn
groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
groupmembership_attribute = memberOf

Run in debug, look at what it's actually searching, match to the
config file, tweak, rinse & repeat.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
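As an added example, not code from this thread or from FreeRADIUS itself: a small Python model of the two searches rlm_ldap performs (resolve Ldap-UserDn from the user entry, then search for the group by name plus the expanded groupmembership_filter), run against constructed AD-style entries. It shows that the objectClass=group filter suggested above matches where the default GroupOfNames filter does not, and that an unset Ldap-UserDn expands to the empty `member=` seen in the quoted debug output; DIRECTORY, ldap_groupcmp and the sample DNs are assumptions.

```python
import re
# Constructed AD-style entries (not from the thread): one user and one group;
# the group is objectClass=group, not the GroupOfNames the default filter expects.
DIRECTORY = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "objectClass": ["user"], "cn": ["jdoe"],
        "memberOf": ["cn=PWHC Secure Wireless,ou=users,dc=example,dc=com"]},
    "cn=PWHC Secure Wireless,ou=users,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["PWHC Secure Wireless"],
        "member": ["cn=jdoe,ou=users,dc=example,dc=com"]},
}
AD_FILTER = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
DEFAULT_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                  "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

def expand(template, attrs):
    """Expand %{Attr} like the server xlat does: an unset attribute becomes ''."""
    return re.sub(r"%\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), template)

def parse(s, i=0):
    """Minimal RFC 4515 parser: only (&...), (|...) and (attr=value) are handled."""
    if s[i + 1] in "&|":
        op, i, subs = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse(s, i)
            subs.append(node)
        return (op, subs), i + 1
    end = s.index(")", i)
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    _, attr, value = node  # equality only; compared case-insensitively as AD does
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def search(basedn, filt):
    node, _ = parse(filt)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(basedn.lower()) and matches(node, e)]

def ldap_groupcmp(username, group, membership_filter, user_known=True,
                  groupname_attribute="cn", basedn="ou=users,dc=example,dc=com"):
    """Two searches as rlm_ldap does them; returns (is_member, filter_actually_used)."""
    attrs = {"User-Name": username}
    if user_known:  # if the user lookup never ran, Ldap-UserDn stays unset
        hits = search(basedn, expand("(cn=%{User-Name})", attrs))
        if hits:
            attrs["Ldap-UserDn"] = hits[0]
    filt = "(&(%s=%s)%s)" % (groupname_attribute, group, expand(membership_filter, attrs))
    return bool(search(basedn, filt)), filt
```

Compare the second element of the returned tuple with the filter printed in the server's debug output to see which part of the config is not lining up.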
