OpenLDAP Group membership to Filter-ID

Alex Gregory alex at c2company.com
Wed Aug 13 01:32:29 CEST 2014


Hello-

I would like to make it so that the users in:

ou=corp,ou=Users,dc=team,dc=company,dc=com

Get mapped a Filter-ID of corp and the users in:

ou=dev,ou=Users,dc=team,dc=company,dc=com

Get mapped a Filter-ID of dev.  I can then apply firewall rules to give them access to certain resources and not others.  This will also make it so that if they access the wrong network they should not have the proper access without the correct group membership.

In inner-tunnel I have:

authorize {
    # Map the user's OU to a temporary control attribute
    if ( Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/ ) {
        update control {
            Tmp-String-1 := "corp"
        }
    }
    if ( Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/ ) {
        update control {
            Tmp-String-1 := "dev"
        }
    }
}

post-auth {
    # Copy the mapped value into the reply as Filter-Id
    update reply {
        Filter-Id := "%{control:Tmp-String-1}"
    }
}

I can see in the log that it's not matching, which means I am not matching correctly.  It ends up passing the Filter-ID, which is blank.  So I know the post-auth section is working correctly.

Here is the relevant log info:

Tue Aug 12 22:50:47 2014 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Aug 12 22:50:47 2014 : Info: +- entering group authorize {...}
Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/  )
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] Entering ldap_groupcmp()
Tue Aug 12 22:50:47 2014 : Info: 	expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 22:50:47 2014 : Info: 	expand: %{Stripped-User-Name} -> 
Tue Aug 12 22:50:47 2014 : Info: 	... expanding second conditional
Tue Aug 12 22:50:47 2014 : Info: 	expand: %{User-Name} -> joeuser
Tue Aug 12 22:50:47 2014 : Info: 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser)
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 22:50:47 2014 : Info: 	expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] object not found
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=corp,ou=Users,dc=team,dc=company,dc=com not found or user is not a member.
Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/  ) -> FALSE
Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/  )
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] Entering ldap_groupcmp()
Tue Aug 12 22:50:47 2014 : Info: 	expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 22:50:47 2014 : Info: 	expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] object not found
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 22:50:47 2014 : Debug: rlm_ldap::ldap_groupcmp: Group ou=dev,ou=Users,dc=team,dc=company,dc=com not found or user is not a member.
Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/  ) -> FALSE
Tue Aug 12 22:50:47 2014 : Info: ++[chap] returns noop
Tue Aug 12 22:50:47 2014 : Info: ++[mschap] returns noop
Tue Aug 12 22:50:47 2014 : Info: [suffix] No '@' in User-Name = "joeuser", looking up realm NULL
Tue Aug 12 22:50:47 2014 : Info: [suffix] No such realm "NULL"
Tue Aug 12 22:50:47 2014 : Info: ++[suffix] returns noop
Tue Aug 12 22:50:47 2014 : Info: ++[control] returns noop
Tue Aug 12 22:50:47 2014 : Info: [eap] No EAP-Message, not doing EAP
Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns noop
Tue Aug 12 22:50:47 2014 : Info: ++[files] returns noop
Tue Aug 12 22:50:47 2014 : Info: [ldap] performing user authorization for joeuser
Tue Aug 12 22:50:47 2014 : Info: [ldap] 	expand: %{Stripped-User-Name} -> 
Tue Aug 12 22:50:47 2014 : Info: [ldap] 	... expanding second conditional
Tue Aug 12 22:50:47 2014 : Info: [ldap] 	expand: %{User-Name} -> joeuser
Tue Aug 12 22:50:47 2014 : Info: [ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser)
Tue Aug 12 22:50:47 2014 : Info: [ldap] 	expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company,dc=com
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Checking Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_get_conn: Got Id: 0
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
Tue Aug 12 22:50:47 2014 : Info: [ldap] No default NMAS login sequence
Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for check items in directory...
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] userPassword -> Password-With-Header == "{MD5}hashreplaced"
Tue Aug 12 22:50:47 2014 : Info: [ldap] looking for reply items in directory...
Tue Aug 12 22:50:47 2014 : Info: [ldap] user joeuser authorized to use remote access
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] ldap_release_conn: Release Id: 0
Tue Aug 12 22:50:47 2014 : Info: ++[ldap] returns ok
Tue Aug 12 22:50:47 2014 : Info: ++[expiration] returns noop
Tue Aug 12 22:50:47 2014 : Info: ++[logintime] returns noop
Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns updated
Tue Aug 12 22:50:47 2014 : Info: Found Auth-Type = PAP
Tue Aug 12 22:50:47 2014 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Aug 12 22:50:47 2014 : Info: +- entering group PAP {...}
Tue Aug 12 22:50:47 2014 : Info: [pap] login attempt with password "password"
Tue Aug 12 22:50:47 2014 : Info: [pap] Using MD5 encryption.
Tue Aug 12 22:50:47 2014 : Info: [pap] Normalizing MD5-Password from base64 encoding
Tue Aug 12 22:50:47 2014 : Info: [pap] User authenticated successfully
Tue Aug 12 22:50:47 2014 : Info: ++[pap] returns ok
Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...}
Tue Aug 12 22:50:47 2014 : Info: 	expand: %{control:Tmp-String-1} -> 
Tue Aug 12 22:50:47 2014 : Info: ++[reply] returns noop
} # server inner-tunnel
Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2
	Filter-Id = ""
Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled Access-Accept
Tue Aug 12 22:50:47 2014 : Info: [eap] Freeing handler
Tue Aug 12 22:50:47 2014 : Info: ++[eap] returns ok
Tue Aug 12 22:50:47 2014 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Tue Aug 12 22:50:47 2014 : Info: +- entering group post-auth {...}
Tue Aug 12 22:50:47 2014 : Info: ++[exec] returns noop
Sending Access-Accept of id 16 to xxx.xxx.xxx.xxx port 32768
	Filter-Id = ""
	MS-MPPE-Recv-Key = 0x85725d86e7ab1448510e48ba9b900cd3cbf3d7436f36f9b391dab4d35b3d69b1
	MS-MPPE-Send-Key = 0x191e9e59df4f7108ac1542e48434330db030957911f7a3fb75ae40456057bf1f
	EAP-Message = 0x03050004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "joeuser"
Tue Aug 12 22:50:47 2014 : Info: Finished request 9.

Thank you for the help.  I appreciate it.  BTW if this doesn't make sense I can provide more details as to what I am trying to do.  I figured I would spare that unless needed.

Thanks,

Alex
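As an added example (not part of Alex's post and not FreeRADIUS code), here is a small Python checker that reads FreeRADIUS 2.x debug output of the kind quoted above and pulls out the three facts a defender wants from it: which `expand:` templates came out empty, which LDAP group searches were issued with an empty `member=`/`uniquemember=` value (such a search can never match, so every `Ldap-Group` comparison built on it evaluates FALSE whatever the directory contains), and what `Filter-Id` finally went into the tunneled reply. The line formats are assumed from the log in the post; `SAMPLE_LOG` is a constructed excerpt of those lines, not a fresh capture.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the debug lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Tue Aug 12 22:50:47 2014 : Info: ++? if (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/  )
Tue Aug 12 22:50:47 2014 : Info: \texpand: %{Stripped-User-Name} ->
Tue Aug 12 22:50:47 2014 : Info: \texpand: %{User-Name} -> joeuser
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (uid=joeuser)
Tue Aug 12 22:50:47 2014 : Info: \texpand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=corp,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] object not found
Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=corp,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
Tue Aug 12 22:50:47 2014 : Debug:   [ldap] performing search in ou=dev,ou=Users,dc=team,dc=company,dc=com, with filter (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Tue Aug 12 22:50:47 2014 : Info: ? Evaluating (Ldap-Group =~ /ou=dev,ou=Users,dc=team,dc=company,dc=com/) -> FALSE
Tue Aug 12 22:50:47 2014 : Info: \texpand: %{control:Tmp-String-1} ->
Tue Aug 12 22:50:47 2014 : Info: [ttls] Got tunneled reply code 2
\tFilter-Id = ""
"""

# Line shapes taken from the FreeRADIUS 2.x debug output in the post (assumed stable).
EXPAND_RE = re.compile(r"expand: (?P<template>.*?) -> ?(?P<result>.*)$")
SEARCH_RE = re.compile(r"performing search in (?P<base>.+?), with filter (?P<filter>\(.*\))$")
EVAL_RE = re.compile(r"\? Evaluating \((?P<cond>.*)\) -> (?P<verdict>TRUE|FALSE)$")
REPLY_FILTER_RE = re.compile(r'^\s*Filter-Id = "(?P<value>.*)"$')
EMPTY_MEMBER_RE = re.compile(r"\((?:unique)?member=\)")


def empty_expansions(log: str) -> List[str]:
    """Templates whose expansion produced an empty string.

    Empty %{Stripped-User-Name} is normal when there is no realm; an empty
    %{control:Tmp-String-1} means no mapping branch ever fired."""
    out = []
    for line in log.splitlines():
        m = EXPAND_RE.search(line)
        if m and m.group("result") == "":
            out.append(m.group("template"))
    return out


def unusable_group_searches(log: str) -> List[Tuple[str, str]]:
    """(base DN, filter) for group searches issued with an empty member value.

    These come from %{Ldap-UserDn} expanding to nothing, i.e. the user's DN was
    not known when the Ldap-Group comparison ran; such a search cannot match."""
    out = []
    for line in log.splitlines():
        m = SEARCH_RE.search(line)
        if m and EMPTY_MEMBER_RE.search(m.group("filter")):
            out.append((m.group("base"), m.group("filter")))
    return out


def group_verdicts(log: str) -> Dict[str, bool]:
    """Each evaluated condition mapped to its TRUE/FALSE verdict."""
    verdicts: Dict[str, bool] = {}
    for line in log.splitlines():
        m = EVAL_RE.search(line)
        if m:
            verdicts[m.group("cond")] = m.group("verdict") == "TRUE"
    return verdicts


def reply_filter_id(log: str) -> Optional[str]:
    """Value of the first Filter-Id attribute in the reply, or None if absent."""
    for line in log.splitlines():
        m = REPLY_FILTER_RE.match(line)
        if m:
            return m.group("value")
    return None


def diagnose(log: str) -> Dict[str, object]:
    """Summarise what went wrong and whether the outcome failed open."""
    findings = []
    for base, _ in unusable_group_searches(log):
        findings.append(
            f"group search under {base} used an empty member value: "
            "Ldap-UserDn was not set when the Ldap-Group check ran"
        )
    fid = reply_filter_id(log)
    if fid == "":
        # An Access-Accept with an empty Filter-Id still admits the user; the
        # NAS applies whatever it does for an empty filter rather than rejecting.
        findings.append("reply carries an empty Filter-Id: access was granted with no mapped filter")
    return {"verdicts": group_verdicts(log), "filter_id": fid, "findings": findings}


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```

The point of the last finding is the one to watch operationally: both mapping branches evaluated FALSE, yet the inner tunnel still returned an Access-Accept carrying `Filter-Id = ""`, so a user who matched neither OU was admitted with no filter at all. A mapping of this kind should fail closed (reject when no `Tmp-String-1` was set) rather than send an empty attribute and leave the decision to the NAS.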
