UserDN escape problem and Group membership checking in 3.0.3

Winders, Timothy A twinders at southplainscollege.edu
Thu Nov 20 15:30:10 CET 2014


On 11/20/14, 8:11 AM, "Alan DeKok" <aland at deployingradius.com> wrote:


>Winders, Timothy A wrote:
>> Is there a specific place, URL, instruction, to make sure I download the
>> correct code to compile?
>
>https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x
>
>  And click on the "download zip" button on the right hand side.

Downloaded and installed...

The problem with membership_filter seems to be resolved.  I still see the
escaping happening, but, the user in group object is found.

(12)       if (LDAP-Group == "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu") {
(12)       Searching for user in group "CN=Students Security
Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
rlm_ldap (ldap): Reserved connection (2)
(12)       Using user DN from request "CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
(12)       Checking for user in group objects
(12)       EXPAND (&(objectClass=group)(member=%{control:Ldap-UserDn}))
(12)          --> (&(objectClass=group)(member=CN\3dWinders\5c\2c Tim
\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu)
)
(12)       Performing search in 'CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu' with filter
'(&(objectClass=group)(member=CN\3dWinders\5c\2c Tim
\280552\29\2cOU\3dStudents\2cOU\3dSPC\2cDC\3dsouthplainscollege\2cDC\3dedu)
)', scope 'sub'
(12)       Waiting for search result...
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
ber_get_next failed.
(12)       User found in group object
rlm_ldap (ldap): Released connection (2)
(12)       if (LDAP-Group == "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu")  -> TRUE





Removing the membership_filter and adding the membership_attribute =
"memberOf" directive also continues to work:



(12)       Using user DN from request "CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
(12)       Checking user object membership (memberOf) attributes
(12)       Performing unfiltered search in 'CN=Winders\, Tim
(0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base'
(12)       Waiting for search result...
(12)       Processing group membership value "CN=Students Security
Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
(12)       User found. Comparison between membership: dn, check: dn
rlm_ldap (ldap): Released connection (2)
(12)       if (LDAP-Group == "CN=Students Security Group,OU=Standard
Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu")  -> TRUE


So, from my limited testing, this appears to be working correctly for both
configuration options.

Thank you!
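
Added example, not part of the original message and not FreeRADIUS code: it shows why the hex-escaped filter in the first debug excerpt still matches, because the escaped assertion value decodes back to the exact user DN. The function names are hypothetical, and the wider escape set (covering '=' and ',') is an assumption inferred from the log output.

```python
import re

# Constructed from the debug output in the message above.
USER_DN = r'CN=Winders\, Tim (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu'

# Characters RFC 4515 requires to be hex-escaped inside a filter assertion value.
RFC4515_MUST_ESCAPE = frozenset('*()\\\x00')
# The log also shows '=' and ',' escaped. This wider set is an assumption
# inferred from that output, not taken from the FreeRADIUS source.
LOG_STYLE_ESCAPE = RFC4515_MUST_ESCAPE | frozenset('=,')


def escape_filter_value(value, charset=RFC4515_MUST_ESCAPE):
    """Replace each character in `charset` with a backslash and two hex digits."""
    return ''.join('\\%02x' % ord(c) if c in charset else c for c in value)


def unescape_filter_value(escaped):
    """Decode backslash-hex pairs, as a server does before comparing values."""
    raw = re.sub(rb'\\([0-9a-fA-F]{2})',
                 lambda m: bytes([int(m.group(1), 16)]),
                 escaped.encode('utf-8'))
    return raw.decode('utf-8')


def build_group_filter(user_dn, charset=RFC4515_MUST_ESCAPE):
    """Hypothetical helper: embed the DN in the membership filter from the log."""
    return '(&(objectClass=group)(member=%s))' % escape_filter_value(user_dn, charset)


if __name__ == '__main__':
    for name, charset in (('RFC 4515 minimum', RFC4515_MUST_ESCAPE),
                          ('as seen in the log', LOG_STYLE_ESCAPE)):
        flt = build_group_filter(USER_DN, charset)
        value = flt[len('(&(objectClass=group)(member='):-2]
        # Both escape sets decode to the same DN, so both filters match.
        print(name, flt, unescape_filter_value(value) == USER_DN, sep='\n  ')
```

Escaping more characters than RFC 4515 requires does not change what the filter matches; the parentheses and backslash in the DN are the ones that must be escaped so they are not read as filter syntax.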




