UserDN escape problem and Group membership checking in 3.0.3

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Nov 21 00:04:59 CET 2014


> On 20 Nov 2014, at 11:24, Winders, Timothy A <twinders at southplainscollege.edu> wrote:
> 
> On 11/20/14, 9:48 AM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
> wrote:
> 
> 
> 
>> 
>>> On 20 Nov 2014, at 09:30, Winders, Timothy A
>>> <twinders at southplainscollege.edu> wrote:
>>> 
>>> On 11/20/14, 8:11 AM, "Alan DeKok" <aland at deployingradius.com> wrote:
>>> 
>>> 
>>>> Winders, Timothy A wrote:
>>>>> Is there a specific place, URL, instruction, to make sure I download
>>>>> the
>>>>> correct code to compile?
>>>> 
>>>> https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x
>>>> 
>>>> And click on the "download zip" button on the right hand side.
>>> 
>>> Downloaded and installed…
>>> 
>>> The problem with membership_filter seems to be resolved.  I still see
>>> the
>>> escaping happening, but, the user in group object is found.
>> 
>>> (12)       Waiting for search result...
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>> 
>> Hmm, well i've never seen that before. Do you have additional ldap
>> debugging enabled?
> 
> Nope.  I'm just running "radiusd -X" and copying the (relevant) parts of
> the debug.  This time it doesn't show up in the debug.  It's (highly
> likely) that my configurations are less than optimal.  8-)
> 
>> 
>> You'll find that LDAP-Group == 'Students Security Group' will also work,
>> for both cases, if you set group.name_attribute.
>> 
> 
> Confirmed!
> 
> (27) if (LDAP-Group == "Students Security Group") {
> (27) Searching for user in group "Students Security Group"
> rlm_ldap (ldap): 0 of 0 connections in use. You probably need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (7)
> rlm_ldap (ldap): Connecting to ldap.southplainscollege.edu:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (7)
> (27) Using user DN from request "CN=Winders\, Tim
> (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
> (27) Checking user object membership (memberOf) attributes
> (27) Performing unfiltered search in 'CN=Winders\, Tim
> (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base'
> (27) Waiting for search result...
> (27) Processing group membership value "CN=Students Security
> Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
> (27) Converting group DN to group Name
> (27) Performing unfiltered search in 'CN=Students Security
> Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu',
> scope 'base'
> (27) Waiting for search result...
> (27) Group name is "Students Security Group"
> (27) User found. Comparison between membership: name (resolved from DN),
> check: name
> rlm_ldap (ldap): Released connection (7)

Excellent.

I've pushed a fix for the escaping/normalisation issue as well.

If you do a group check for:

cn=group\2c bar,ou=example,ou=org

the code will convert it to

cn=group\, bar, ou=example,ou=org

and likewise if the directory returns:

cn=group\2c bar,ou=example,ou=org

it'll be converted to

cn=group\, bar, ou=example,ou=org

before comparison.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
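The escape normalisation described in the message above, written out as an added example in C. This is not rlm_ldap's code and does not reproduce the pushed fix; it shows the idea: hex-pair escapes such as \2c are rewritten to the backslash-char form \, on both the value the directory returned and the check value, and only then are the two DNs compared, so that a memberOf value and an LDAP-Group check spelled differently still match. The function names, the case-insensitive comparison, the leading/trailing-space handling, the 512-byte buffers and the sample DNs are assumptions of this example, not something the page states.

```c
/* Added example, not rlm_ldap's own code: canonicalise RFC 4514 DN escapes so
 * "\2c" and "\," spellings of one DN compare equal. ASCII DNs assumed. */
#include <stddef.h>
#include <string.h>
#include <strings.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* RFC 4514 s2.4: characters that must stay escaped anywhere in a value. */
static int dn_special(int c)
{
    return c != '\0' && strchr(",+\"\\<>;", c) != NULL;
}

/* Append n bytes to out without overrunning or losing room for the NUL. */
static int emit(char *out, size_t outlen, size_t *o, const char *b, size_t n)
{
    if (*o + n >= outlen) return -1;
    memcpy(out + *o, b, n);
    *o += n;
    return 0;
}

/* Canonical form: "\2c" -> "\,"  (special char keeps the backslash-char form)
 *                 "\41" -> "A"   (ordinary ASCII becomes bare)
 *                 "\20" -> "\ "  only at the start/end of a value, else " "
 *                 "\c3" -> "\c3" (non-ASCII/control bytes keep the hex pair)
 * Returns 0 on success, -1 on a malformed or dangling escape or short buffer. */
int dn_normalise(char *out, size_t outlen, const char *in)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (*p != '\\') {
            if (emit(out, outlen, &o, p, 1) < 0) return -1;
            continue;
        }
        int hi = hexval((unsigned char)p[1]);
        if (hi < 0) {                           /* "\," style escape */
            if (p[1] == '\0') return -1;        /* dangling backslash */
            if (emit(out, outlen, &o, p, 2) < 0) return -1;
            p += 1;
            continue;
        }
        int lo = hexval((unsigned char)p[2]);
        if (lo < 0) return -1;                  /* "\2x" is not a hex pair */
        int c = (hi << 4) | lo;
        int at_start = o > 0 && out[o - 1] == '=';
        int at_end = p[3] == ',' || p[3] == '+' || p[3] == '\0';
        char esc[2] = { '\\', (char)c };
        if (dn_special(c) || (c == ' ' && (at_start || at_end)) ||
            (c == '#' && at_start)) {
            if (emit(out, outlen, &o, esc, 2) < 0) return -1;
        } else if (c >= 0x20 && c < 0x7f) {
            if (emit(out, outlen, &o, &esc[1], 1) < 0) return -1;
        } else if (emit(out, outlen, &o, p, 3) < 0) {
            return -1;
        }
        p += 2;
    }
    out[o] = '\0';
    return 0;
}

/* Does `in` normalise exactly to `expected`? (Also handy for tests.) */
int dn_normalises_to(const char *in, const char *expected)
{
    char buf[512];
    return dn_normalise(buf, sizeof buf, in) == 0 && strcmp(buf, expected) == 0;
}

/* Compare two DNs after normalising both; case-insensitive, as Active
 * Directory matches DN-syntax attributes (assumption; adjust to your directory). */
int dn_equal(const char *a, const char *b)
{
    char na[512], nb[512];
    if (dn_normalise(na, sizeof na, a) < 0) return 0;
    if (dn_normalise(nb, sizeof nb, b) < 0) return 0;
    return strcasecmp(na, nb) == 0;
}

/* The memberOf step: every group DN the directory returned is normalised,
 * as is the DN being checked, before they are compared. */
int user_in_group(const char *const *memberof, size_t n, const char *check_dn)
{
    for (size_t i = 0; i < n; i++)
        if (dn_equal(memberof[i], check_dn)) return 1;
    return 0;
}

/* Constructed sample values, not from a real directory: the directory returned
 * the hex-escaped spelling, the check value uses the backslash-char spelling. */
int demo_membership(void)
{
    static const char *const memberof[] = {
        "cn=group\\2c bar,ou=example,ou=org",
        "CN=Students Security Group,OU=Groups,DC=example,DC=org",
    };
    return user_in_group(memberof, 2, "cn=group\\, bar,ou=example,ou=org");
}
```

demo_membership() returns 1 because both spellings normalise to cn=group\, bar,ou=example,ou=org before the comparison. Malformed input (a dangling backslash, or a backslash followed by a single hex digit) is rejected rather than silently passed through, so a bad value from the directory cannot accidentally match a check.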


