LDAP Group Membership

Alan DeKok aland at deployingradius.com
Fri Apr 25 00:20:20 CEST 2014


Josh Essar wrote:
> I am having some problems with ldap group checking. Our students do
> not have a common group that they are a member of. They are all a member
> of a group based on their username (ST_Students for every student that
> has a username that starts with st). We then have groups based off each
> letter of the alphabet (S_Students would contain the SA_Students through
> SZ_Students groups). We then have another group called students, that
> has the A_Students through Z_Students groups. 

  That is an... inventive approach.  I can honestly say I've never seen
that before.

> I know this is overly complex, but that is how our administrative
> computing department has set things up. I would like to use the student
> group to allow access to a wireless network. My current rule is as
> follows.
> 
> if ((Called-Station-SSID == "Test2") && (LDAP-Group == "students")) {
>       noop
> }
> 
> When the test user sexample5555 connects, they get denied because their
> account is a member of the SE_Students group. The SE_Students group is a
> member of the S_Students group, and that group is a member of the
> students group... but the user is not a direct member of the students
> group.
> 
> 
> Is there an easy solution that I am missing?

  Don't use ridiculously complicated group memberships.

> (0) Searching for user in group "students"
...
> rlm_ldap (ldap): Rebinding to URL
> ldaps://ForestDnsZones.our.domain/DC=ForestDnsZones,DC=our,DC=domain
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldaps://domainainDnsZones.our.domain/DC=DomainDnsZones,DC=our,DC=domain
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Rebinding to URL
> ldaps://our.domain/CN=Configuration,DC=our,DC=domain
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Bind successful

  The repeated rebinds mean that the information isn't in one LDAP
directory, it's scattered across many directories.  i.e. Active Directory.

  Your design is *slow*.  Doing multiple binds just to discover a user
is very problematic.

> (0) Performing unfiltered search in
> 'CN=GROUP5,OU=staff,OU=people,DC=our,DC=domain', scope 'base'
> (0) Waiting for search result...
> (0) Group name is "GROUP5"
> rlm_ (ldap): Deleting connection (4)
> (0) User is not a member of specified group

  <shrug>  That seems definitive.

  Your LDAP design is way too complicated.  The multiple LDAP directories
and groups buried within groups make it nearly impossible to create a
working RADIUS system.

  Maybe someone more familiar with LDAP magic can say more.  But my
$0.02 is to ensure that your database actually stores user data.  All of
it.  In a sane format.

  Even if you do fix the group membership issue, the repeated LDAP
searches will DESTROY performance.  You'll be lucky to get 10
authentications per second out of it.

  Alan DeKok.
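The difference between the direct check the log shows ("User is not a member of specified group") and the nested membership the poster expects can be seen offline with the following added example. It is not code from the thread or from FreeRADIUS: it builds a small constructed directory mirroring the SE_Students / S_Students / students nesting described above (the OU names, the staff entries and the cycle between GROUP5 and GROUP6 are made up for the illustration), compares a direct memberOf match with a transitive walk, and counts the number of entry lookups the walk needs, which is where the per-authentication cost Alan describes comes from.

```python
"""Direct vs. transitive LDAP group membership, resolved offline.

Constructed sample directory (not a real export): a user is a direct
member only of SE_Students, which is nested in S_Students, which is
nested in students. A plain memberOf comparison sees only the first hop,
so the user is rejected; a transitive walk finds the nested path but
costs one lookup per group visited.
"""
from collections import deque

BASE = "DC=our,DC=domain"  # assumption: base DN as in the quoted log

STUDENT_DN = f"CN=sexample5555,OU=students,OU=people,{BASE}"
SE_GROUP_DN = f"CN=SE_Students,OU=groups,{BASE}"
STUDENTS_GROUP_DN = f"CN=students,OU=groups,{BASE}"
STAFF_DN = f"CN=staffuser,OU=staff,OU=people,{BASE}"

# Constructed directory: entry DN -> list of DNs in its memberOf attribute.
# Group names follow the scheme in the question; OUs and staff data are assumed.
DIRECTORY = {
    STUDENT_DN: [SE_GROUP_DN],
    SE_GROUP_DN: [f"CN=S_Students,OU=groups,{BASE}"],
    f"CN=S_Students,OU=groups,{BASE}": [STUDENTS_GROUP_DN],
    STUDENTS_GROUP_DN: [],
    # Constructed membership cycle to show that the walk terminates.
    STAFF_DN: [f"CN=GROUP5,OU=staff,OU=people,{BASE}"],
    f"CN=GROUP5,OU=staff,OU=people,{BASE}": [f"CN=GROUP6,OU=staff,OU=people,{BASE}"],
    f"CN=GROUP6,OU=staff,OU=people,{BASE}": [f"CN=GROUP5,OU=staff,OU=people,{BASE}"],
}


def member_of(directory, dn):
    """One LDAP-style lookup: the memberOf values of an entry (empty if unknown)."""
    return directory.get(dn, [])


def is_direct_member(directory, user_dn, group_dn):
    """What a plain memberOf comparison sees: only the user's own memberOf list."""
    return group_dn in member_of(directory, user_dn)


def is_transitive_member(directory, user_dn, group_dn, max_depth=10):
    """Breadth-first walk up the memberOf chain.

    Returns (found, lookups) so the caller can see the cost of nesting.
    The visited set stops cycles; max_depth bounds pathological directories.
    """
    visited = set()
    queue = deque([(user_dn, 0)])
    lookups = 0
    while queue:
        dn, depth = queue.popleft()
        if dn in visited or depth > max_depth:
            continue
        visited.add(dn)
        lookups += 1  # each visited entry is one directory round trip
        for parent in member_of(directory, dn):
            if parent == group_dn:
                return True, lookups
            queue.append((parent, depth + 1))
    return False, lookups


if __name__ == "__main__":
    print("direct:", is_direct_member(DIRECTORY, STUDENT_DN, STUDENTS_GROUP_DN))
    print("transitive:", is_transitive_member(DIRECTORY, STUDENT_DN, STUDENTS_GROUP_DN))
    print("cycle case:", is_transitive_member(DIRECTORY, STAFF_DN, STUDENTS_GROUP_DN))
```

Three levels of nesting mean three lookups for one yes/no answer, and every level the administrative design adds is another round trip per authentication. Active Directory can perform the same walk server-side with its LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in a filter such as `(memberOf:1.2.840.113556.1.4.1941:=CN=students,...)`; that is an AD-specific feature not discussed in the thread, and it moves the work to the domain controller rather than removing it.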
