UserDN escape problem and Group membership checking in 3.0.3

Winders, Timothy A twinders at southplainscollege.edu
Wed Nov 19 19:17:57 CET 2014 

I have FreeRadius 3.0.3 installed on Ubuntu 14.0.4 (free radius
3.0.3-ppa1~trustry package)

I have everything setup with Active Directory for user authentication.
This is working correctly, but I am having a problem with Active Directory
group membership checking. It appears the problem is with the way
FreeRadius escapes the UserDN when doing the query.  I have tried various
ldap configuration options, none of which quite work.

If I remove all the filter settings from the group checking and only use
the membership_attribute = "memberOf", I get the following Invalid DN
syntax error:

rlm_ldap (ldap): Bind successful
(11) User object found at DN "CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
(11) Checking user object membership (memberOf) attributes
(11) Waiting for bind result...
(11) Bind successful
(11) Performing unfiltered search in 'CN=Winders, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base'
(11) Waiting for search result...
(11) ERROR: Failed performing search: Invalid DN syntax
(11) ERROR: Server said: 0000208F: NameErr: DSID-031001F7, problem 2006
(BAD_NAME), data 8350, best match of: 	'CN=Winders, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu' .



Notice the first User object found has the correct DN, with the comma in
the CN= attribute escaped.  This is the way the DN is stored in Active
Directory.  However, when doing the unfiltered search, the comma is no
longer escaped resulting in the Invalid DN syntax.


If I remove the membership_attribute and do the member checking in the
group, I don¹t get the invalid DN (as the DN is no longer being searched),
but the UserDn attribute is escaped differently

rlm_ldap (ldap): Bind successful
(11) User object found at DN "CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
(11) Checking for user in group objects
(11) EXPAND (&(objectClass=group)(member=%{control:Ldap-UserDn}))
(11)    --> (&(objectClass=group)(member=CN\3dWinders\2c Tim
\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu)
)
(11) Waiting for bind result...
(11) Bind successful
(11) Performing search in 'CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' with filter
'(&(objectClass=group)(member=CN\3dWinders\2c Tim
\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu)
)', scope 'sub'
(11) Waiting for search result...
(11) Search returned no results
(11) Search returned not found



Again, notice the successful user object found with the correct DN, but
when doing the expansion of control:Ldap-UserDn the resulting DN is badly
mangled.

I found lots of information in the archives about UserDn escaping, but
nothing current and no helpful information on how to fix this.
Suggestions?

-- 
Tim Winders

Associate Dean of Information Technology
South Plains College
(806) 716-2369

More information about the Freeradius-Users mailing list