UserDN escape problem and Group membership checking in 3.0.3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Nov 21 00:04:59 CET 2014
> On 20 Nov 2014, at 11:24, Winders, Timothy A <twinders at southplainscollege.edu> wrote:
>
> On 11/20/14, 9:48 AM, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
> wrote:
>
>
>
>>
>>> On 20 Nov 2014, at 09:30, Winders, Timothy A
>>> <twinders at southplainscollege.edu> wrote:
>>>
>>> On 11/20/14, 8:11 AM, "Alan DeKok" <aland at deployingradius.com> wrote:
>>>
>>>
>>>> Winders, Timothy A wrote:
>>>>> Is there a specific place, URL, instruction, to make sure I download
>>>>> the
>>>>> correct code to compile?
>>>>
>>>> https://github.com/FreeRADIUS/freeradius-server/tree/v3.0.x
>>>>
>>>> And click on the "download zip" button on the right hand side.
>>>
>>> Downloaded and installed…
>>>
>>> The problem with membership_filter seems to be resolved. I still see
>>> the
>>> escaping happening, but, the user in group object is found.
>>
>>> (12) Waiting for search result...
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>> ber_get_next failed.
>>
>> Hmm, well i've never seen that before. Do you have additional ldap
>> debugging enabled?
>
> Nope. I'm just running "radiusd -X" and copying the (relevant) parts of
> the debug. This time it doesn't show up in the debug. It's (highly
> likely) that my configurations are less than optimal. 8-)
>
>>
>> You'll find that LDAP-Group == 'Students Security Group' will also work,
>> for both cases, if you set group.name_attribute.
>>
>
> Confirmed!
>
> (27) if (LDAP-Group == "Students Security Group") {
> (27) Searching for user in group "Students Security Group"
> rlm_ldap (ldap): 0 of 0 connections in use. You probably need to increase
> "spare"
> rlm_ldap (ldap): Opening additional connection (7)
> rlm_ldap (ldap): Connecting to ldap.southplainscollege.edu:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> rlm_ldap (ldap): Reserved connection (7)
> (27) Using user DN from request "CN=Winders\, Tim
> (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu"
> (27) Checking user object membership (memberOf) attributes
> (27) Performing unfiltered search in 'CN=Winders\, Tim
> (0552),OU=Students,OU=SPC,DC=southplainscollege,DC=edu', scope 'base'
> (27) Waiting for search result...
> (27) Processing group membership value "CN=Students Security
> Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu"
> (27) Converting group DN to group Name
> (27) Performing unfiltered search in 'CN=Students Security
> Group,OU=Standard Groups,OU=Groups,OU=SPC,DC=southplainscollege,DC=edu',
> scope 'base'
> (27) Waiting for search result...
> (27) Group name is "Students Security Group"
> (27) User found. Comparison between membership: name (resolved from DN),
> check: name
> rlm_ldap (ldap): Released connection (7)
Excellent.
I've pushed a fix for the escaping/normalisation issue as well.
If you do a group check for:
cn=group\2c bar,ou=example,ou=org
the code will convert it to
cn=group\, bar, ou=example,ou=org
and likewise if the directory returns:
cn=group\2c bar,ou=example,ou=org
it'll be converted to
cn=group\, bar, ou=example,ou=org
before comparison.
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
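The escaping/normalisation step described in this reply, as an added illustration that is not rlm_ldap's own code: a small RFC 4514 DN parser that decodes both hex escapes such as `\2c` and backslash-character escapes such as `\,`, then re-emits every DN in one canonical spelling (attribute types lower-cased, special characters written as `\,` rather than `\2c`, whitespace around separators dropped, non-printable bytes as `\XX`). Comparing canonical forms is what lets `cn=group\2c bar,...` from a group check match `cn=group\, bar,...` returned by the directory; a raw string comparison would treat them as two different groups and fail the membership check. The function names and the exact canonical form (lower-case types, stripped whitespace, exact-case values) are this example's own choices and are not a description of how rlm_ldap does it internally.

```python
# Illustrative LDAP DN normaliser (not FreeRADIUS/rlm_ldap code).
# Canonical form chosen here: lower-case attribute types, no whitespace
# around separators, RFC 4514 specials escaped as \<char>, other
# non-printable bytes as \XX.  These choices are this example's own.

HEX = "0123456789abcdefABCDEF"
SPECIAL = set(',+"\\<>;')          # must always be escaped inside a value


def _split_unescaped(text: str, sep: str) -> list:
    """Split on unescaped `sep`, keeping every backslash escape intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])   # copy the escape pair verbatim
            i += 2
        elif c == sep:
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    parts.append("".join(cur))
    return parts


def _strip_value(raw: str) -> str:
    """Drop unescaped surrounding spaces; an escaped trailing '\\ ' survives."""
    raw = raw.lstrip(" ")
    while raw.endswith(" ") and not raw.endswith("\\ "):
        raw = raw[:-1]
    return raw


def _unescape(value: str) -> bytes:
    """Decode a DN attribute value to raw bytes (\\XX hex or \\<char>)."""
    out, i, n = bytearray(), 0, len(value)
    while i < n:
        c = value[i]
        if c != "\\":
            out += c.encode("utf-8")
            i += 1
        elif i + 2 < n and value[i + 1] in HEX and value[i + 2] in HEX:
            out.append(int(value[i + 1:i + 3], 16))   # \2c -> ','
            i += 3
        elif i + 1 < n:
            out += value[i + 1].encode("utf-8")       # \, -> ','
            i += 2
        else:
            raise ValueError("dangling backslash in DN value")
    return bytes(out)


def _escape(value: bytes) -> str:
    """Re-encode raw bytes in the canonical escaped string form."""
    text = value.decode("utf-8")   # invalid UTF-8 raises rather than being guessed at
    out = []
    for k, ch in enumerate(text):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and k == 0:
            out.append("\\#")                          # leading '#' is special
        elif ch == " " and k in (0, len(text) - 1):
            out.append("\\ ")                          # leading/trailing space
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\%02x" % ord(ch))             # control chars as hex
        else:
            out.append(ch)
    return "".join(out)


def normalize_dn(dn: str) -> str:
    """Return the canonical spelling of `dn` (handles multi-valued RDNs with '+')."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError("RDN component without '=': %r" % ava)
            attr, raw = ava.split("=", 1)   # first '=' separates type from value
            avas.append(attr.strip().lower() + "=" + _escape(_unescape(_strip_value(raw))))
        rdns.append("+".join(avas))
    return ",".join(rdns)


def dn_equal(a: str, b: str) -> bool:
    """Compare two DN strings by canonical form instead of raw text."""
    return normalize_dn(a) == normalize_dn(b)


if __name__ == "__main__":
    # Constructed sample inputs: the two spellings from the reply above.
    check = "cn=group\\2c bar,ou=example,ou=org"
    from_directory = "CN=group\\, bar, OU=example,OU=org"
    print(normalize_dn(check))            # cn=group\, bar,ou=example,ou=org
    print(dn_equal(check, from_directory))  # True
```

The decoder works on bytes rather than characters so that a multi-byte UTF-8 character written as consecutive hex escapes (for example `\c3\a9`) is reassembled into one character before re-escaping; attribute values keep their case, so if the directory's matching rule for the attribute is case-insensitive a real implementation would additionally fold them.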