LDAP no group

Jean Carlos Coelho coelho at teltecsolutions.com.br
Fri Dec 13 12:49:03 CET 2013


Hi!

Simple question: my client has configured the LDAP database with no ou=groups, only ou=people, and all the users have some different object classes, some “students” and some “teachers”; the LDAP database does not have posixGroup or memberUid… My LDAP configuration for searching “group” is:


  groupname_attribute = ou
  groupmembership_filter = "(&(dc=domain,dc=org)(uid=%u))"

I have tried many other options above.. :(


This is an example user:

Group?


dn: ou=students,dc=domain,dc=org
ou: students
objectClass: organizationalUnit
objectClass: top

dn: ou=teachers,dc=domain,dc=org
ou: teachers
objectClass: organizationalUnit
objectClass: top

dn: ou=employees,dc=domain,dc=org
ou: employees
objectClass: organizationalUnit
objectClass: top


———

User


dn: uid=19221422470,ou=student,dc=ufsm,dc=br
userPassword:: DDDDDDDDDDDDDDDDDD
mail: fab at cpd.domain.org
eduPersonPrincipalName: OJLADOIA-CXQLBAAA at domain.org
uid: 19221422470
objectClass: person
objectClass: inetOrgPerson
objectClass: eduPerson
objectClass: sambaSamAccount
objectClass: brPerson
sambaNTPassword: DDDDDDDDDDDDDDDDDD
sambaLMPassword: DDDDDDDDDDDDDDDDDD
cn: Student Name
sn: Student Last Name
sambaSID: 19221422470

dn: brEduAffiliation=1,uid=19221422470,ou=students,dc=domain,dc=org
objectClass: brEduPerson
brEduAffiliation: 1
brEntranceDate: 20120503
brEduAffiliationType: student


—————————

Radius debug output (USER OK.. But can’t search “groups”)…


radtest 42833582820 teste2013 200.132.39.49:1812 100 123456789
Sending Access-Request of id 124 to 200.132.39.49 port 1812
	User-Name = "42833582820"
	User-Password = "teste2013"
	NAS-IP-Address = 200.132.39.49
	NAS-Port = 100
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 200.132.39.49 port 1812, id=124, length=20

# Executing section post-auth from file /etc/freeradius/sites-enabled/domain-ldap
+- entering group post-auth {...}
++? if (LDAP-Group == "teachers")
  [ldap] Entering ldap_groupcmp()
expand: dc=domain,dc=org -> dc=domain,dc=org
expand: (&(dc=domain,dc=org)(uid=%u)) -> (&(dc=domain,dc=org)(uid=42833582820))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=domain,dc=org, with filter (&(ou=teachers)(&(dc=domain,dc=org)(uid=42833582820)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group teachers not found or user is not a member.
? Evaluating (LDAP-Group == "teachers") -> FALSE
++? if (LDAP-Group == "teachers") -> FALSE
} # server ldap


So.. I don’t have a group, I have different object classes for separate users; is there some way to collect this information from brEduAffiliationType with the rlm_ldap group options? Or will I have to create groups, add the users to these groups and populate the memberUid attribute, which (I know) works..

Thanks

Best regards,

Jean Carlos Coelho
Solutions Analyst

Teltec Solutions
Phone: 48 3031.3450 | Ext.: 467 | Mobile: 48 9179.6013
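
Added illustration for this thread (not code from the post or from FreeRADIUS): a toy LDAP filter evaluator that models the search rlm_ldap's ldap_groupcmp issues in the debug above, (&(<groupname_attribute>=<group>)<groupmembership_filter>), against a constructed directory shaped like the entries in the post. It shows why that search returns "object not found" (a DN pasted into a filter is just an equality test on an attribute named dc, and no single entry carries both ou=teachers and the uid), and, going one step beyond the post, that the affiliation attribute is only reachable in the child entry beneath the user's own DN; the parser, evaluator and user-DN-rooted search are simplifying assumptions, not rlm_ldap behaviour.

```python
SAMPLE_LDIF = """\
dn: ou=teachers,dc=domain,dc=org
ou: teachers
objectClass: organizationalUnit

dn: uid=42833582820,ou=students,dc=domain,dc=org
uid: 42833582820
objectClass: inetOrgPerson

dn: brEduAffiliation=1,uid=42833582820,ou=students,dc=domain,dc=org
objectClass: brEduPerson
brEduAffiliationType: student
"""  # constructed sample mirroring the entries in the post; not real directory data

def parse_ldif(text):
    """One {attr_lower: [values]} dict per entry (plain values only, no base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(val.strip())
        entries.append(entry)
    return entries

def matches(entry, flt):
    """Evaluate an RFC 4515 filter limited to &, |, ! and equality tests."""
    body = flt.strip()[1:-1]                      # drop the outer parentheses
    if body[0] in "&|!":
        parts, depth = [], 0
        for i, ch in enumerate(body):             # split into top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if ch == "(" and depth == 1:
                start = i
            elif ch == ")" and depth == 0:
                parts.append(body[start:i + 1])
        res = [matches(entry, p) for p in parts]
        return all(res) if body[0] == "&" else any(res) if body[0] == "|" else not res[0]
    # A DN pasted into a filter ("dc=domain,dc=org") parses as attribute "dc" with
    # value "domain,dc=org": an equality test no entry can satisfy.
    attr, _, val = body.partition("=")
    return val.lower() in [v.lower() for v in entry.get(attr.lower(), [])]

def ldap_search(entries, flt, base="dc=domain,dc=org"):
    """Subtree search under base (suffix match on the DN), returning matching DNs."""
    return [e["dn"][0] for e in entries if e["dn"][0].lower().endswith(base.lower()) and matches(e, flt)]

def group_check(entries, groupname_attribute, groupmembership_filter, group):
    """The search rlm_ldap 2.x runs for `if (LDAP-Group == "<group>")`, per the debug output."""
    return ldap_search(entries, "(&(%s=%s)%s)" % (groupname_attribute, group, groupmembership_filter))
```

Running group_check with the post's settings returns an empty list, while a search for (brEduAffiliationType=student) rooted at the user's DN finds the brEduPerson child entry.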

