rlm_ldap group search filter
Chris Taylor
Chris.Taylor at corp.eastlink.ca
Wed Feb 27 17:49:18 CET 2013
I have profiles set up for all our users but I am having some trouble with setting the groupmembership_filter correctly. It will query LDAP successfully but only after it does a failed search first.
I have tried using numerous filters including the default one but I can't seem to separate the username by itself, which is causing the initial search failure. I read through the rlm_ldap doc a few times but I didn't see anything that I thought would help.
Here is the output from radius -X
This is the part where it uses the search filter and fails.
[files] users: Matched entry DEFAULT at line 214
[domain1] Entering ldap_groupcmp()
[files] expand: ou=radius,o=domain.on.ca,dc=placeholder,dc=ca -> ou=radius,o=domain.on.ca,dc=placeholder,dc=ca
[files] expand: (&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn})) -> (&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca))
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in ou=radius,o=domain.on.ca,dc=placeholder,dc=ca, with filter (&(cn=residential_profile)(&(objectClass=radiusProfile)(member=uid\3d112boy\2cou\3dradius\2co\3ddomain.on.ca\2cdc\3dplaceholder\2cdc\3dca)))
[domain1] object not found
It starts a second search and succeeds.
[domain1] ldap_release_conn: Release Id: 0
[domain1] ldap_get_conn: Checking Id: 0
[domain1] ldap_get_conn: Got Id: 0
[domain1] performing search in uid=112boy,ou=radius,o=domain.on.ca,dc=palceholder,dc=ca, with filter (objectclass=*)
rlm_ldap::ldap_groupcmp: User found in group residential_profile
[domain1] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
My users file looks like this.
ldap domain1 {
        server = " ldap01.placeholder.ca"
        identity = "username xxx"
        password = xxxx
        basedn = "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_attribute = radiusGroupName
        groupmembership_filter = "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"
        #do_xlat = yes
        #compare_check_items = yes
        #access_attr_used_for_allow = yes
        ldap_connections_number = 5
}
My users file:
DEFAULT Service-Type == Framed-User, Huntgroup-Name == bras, domain1-Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.0.16 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No
Any help is appreciated.
Thanks,
Chris
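As an added illustration (not part of Chris's post or of FreeRADIUS's own code), this Python reconstructs the two searches that ldap_groupcmp() ran in the debug output above, so the exact filter FreeRADIUS sends can be reproduced offline and pasted into ldapsearch against the directory. The character set escaped by the filter expansion is an assumption inferred from the `\3d` and `\2c` in the log, not taken from the rlm_ldap source.

```python
# Added example: rebuild the rlm_ldap group-membership searches seen in the
# radiusd -X output, so a failing filter can be checked outside FreeRADIUS.

USER_DN_XLAT = "%{control:Ldap-UserDn}"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    Assumption (inferred from the log, not from rlm_ldap source): everything
    except letters, digits, '.', '-' and '_' becomes a backslash-hex escape,
    e.g. '=' -> '\\3d' and ',' -> '\\2c'.
    """
    return "".join(
        ch if (ch.isalnum() or ch in ".-_") else "\\%02x" % ord(ch)
        for ch in value
    )


def group_search_filter(groupname_attribute: str, group_name: str,
                        groupmembership_filter: str, user_dn: str) -> str:
    """First search: rlm_ldap expands groupmembership_filter, then wraps it in
    (&(<groupname_attribute>=<group>) ...) and runs it under basedn.
    'object not found' here means no entry matched all three conditions."""
    expanded = groupmembership_filter.replace(USER_DN_XLAT,
                                              ldap_filter_escape(user_dn))
    return "(&(%s=%s)%s)" % (groupname_attribute, group_name, expanded)


def membership_searches(cfg: dict, group_name: str, user_dn: str) -> list:
    """Both searches ldap_groupcmp() performs, in order, as (base, filter,
    attribute-to-inspect) tuples. The fallback search reads the user's own
    entry and looks for the group name in groupmembership_attribute."""
    first = (cfg["basedn"],
             group_search_filter(cfg["groupname_attribute"], group_name,
                                 cfg["groupmembership_filter"], user_dn),
             None)
    fallback = (user_dn, "(objectclass=*)", cfg["groupmembership_attribute"])
    return [first, fallback]


if __name__ == "__main__":
    # Values constructed from the configuration and log in the post above.
    cfg = {"basedn": "ou=radius,o=domain.on.ca,dc=placeholder,dc=ca",
           "groupname_attribute": "cn",
           "groupmembership_attribute": "radiusGroupName",
           "groupmembership_filter":
               "(&(objectClass=radiusProfile)(member=%{control:Ldap-UserDn}))"}
    dn = "uid=112boy,ou=radius,o=domain.on.ca,dc=placeholder,dc=ca"
    for base, flt, attr in membership_searches(cfg, "residential_profile", dn):
        print("base=%s filter=%s attr=%s" % (base, flt, attr))
```

The first tuple is the filter from the "object not found" search; if `ldapsearch -b <base> '<filter>'` returns nothing, the radiusProfile entry lacks a `member` value equal to the user's DN, and FreeRADIUS falls through to the second search.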