Ldap query in FR3

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at sath.nhs.uk
Tue Jul 23 18:19:52 CEST 2013


This will probably be obvious, but I can't see it!
I'm using several instances of ldap to do some load balancing so I've
got ldap1, ldap2, ldap3 etc.
I know in 3 that we need to reference the instance explicitly in the
users files for groups, e.g.
DEFAULT  ldap1-ldap-group == "group name"
But unlike 2, I can't actually make this fail. It always comes back with
"user found". I've tried to trim the config right down but it's still
failing to report that the user is missing..
Instantiation / config for ldap :

  # Instantiating module "ldap1" from file
/usr/local/etc/raddb/mods-enabled/ldap
ldap ldap1 {
        server = "10.128.176.40"
        port = 389
        password = ***
        identity =
"cn=LDAPQuery,OU=SpecialUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk"
   user {
        filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{mschap:User-Name}})"
        scope = "sub"
        base_dn = "DC=SATH,DC=nhs,DC=uk"
        access_positive = yes
   }
   group {
        filter = "(objectClass=Group)"
        scope = "sub"
        base_dn = "DC=SATH,DC=nhs,DC=uk"
        name_attribute = "cn"
        membership_filter = "(member=%{control:Ldap-UserDn})"
        cacheable_name = no
        cacheable_dn = no
   }

In the users files I have

DEFAULT ldap1-Ldap-Group == "I made this group up"


In operation, everything seems to expand ok:
..
(1) files : Searching for user in group "I made this group up"
rlm_ldap (ldap1): Reserved connection (4)
(1) files : Using user DN from request "CN=Franks Andy (RLZ) IT Systems
Engineer,OU=RSHUsers,OU=SATHUsers,DC=SATH,DC=nhs,DC=uk"
(1) files : Checking for user in group objects
(1) files :     expand: "(&(cn=I made this group
up)(objectClass=Group)(member=%{control:Ldap-UserDn}))" -> '(&(cn=I made
this group up)(objectClass=Group)(member=CN\3dFranks Andy \28RLZ\29 IT
Systems Engineer\2cOU\3dRSHUsers\2cOU\3dSAT$
(1) files :     expand: "DC=SATH,DC=nhs,DC=uk" -> 'DC=SATH,DC=nhs,DC=uk'
(1) files : Performing search in 'DC=SATH,DC=nhs,DC=uk' with filter
'(&(cn=I made this group up)(objectClass=Group)(member=CN\3dFranks Andy
\28RLZ\29 IT Systems
Engineer\2cOU\3dRSHUsers\2cOU\3dSATHUsers\2cDC\3dSATH\2cDC\3dnhs\2cDC\3d
uk)$
(1) files : Waiting for search result...
(1) files : User found in group object
..

..but the user is always found.

All user based operations work fine. Not found is returned if the user
isn't in ldap etc.
I'm stumped. I've tried various filter combinations etc, but the group
doesn't even exist, and even if I reference a group that does exist
which doesn't contain the user, it returns found... Version 2 didn't
seem to have the same behaviour.

Thanks
Andy


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130723/0371d3db/attachment.html>


More information about the Freeradius-Users mailing list