Dynamic vlan with ldap group fail
Sautron Nick
sautronnick at yahoo.fr
Wed Apr 1 09:04:27 CEST 2015
Hi,
My FreeRADIUS version is 2.1.12.
User example: 31001635
Group example: student
User attribute: supannAliasLogin
Group attribute: eduPersonAffiliation
Complete DN for access: uid=ind14128,ou=People,ou=company,ou=fr
Compared to my previous email, I added the eduPersonAffiliation attribute to give it a value as groups, directly applicable to "ind".
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Users file:
DEFAULT Ldap-Group == "student"
    Service-Type = Framed-User,
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 72
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
modules/ldap file:
ldap {
    #
    #  Note that this needs to match the name in the LDAP
    #  server certificate, if you're using ldaps.
    server = "myserver"
    identity = "cn=admin,ou=eduroam,dc=company,dc=fr"
    password = passpass
    basedn = "ou=People,dc=company,dc=fr"
    filter = "(&(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true))"
    base_filter = "(objectclass=radiusprofile)"

    #  How many connections to keep open to the LDAP server.
    #  This saves time over opening a new LDAP socket for
    #  every authentication request.
    ldap_connections_number = 5

    #  seconds to wait for LDAP query to finish. default: 20
    timeout = 4

    #  seconds LDAP server has to process the query (server-side
    #  time limit). default: 20
    #
    #  LDAP_OPT_TIMELIMIT is set to this value.
    timelimit = 3

    #
    #  seconds to wait for a response from the server (network failures).
    #
    #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
    net_timeout = 1

    #
    #  This subsection configures the tls related items
    #  that control how FreeRADIUS connects to an LDAP
    #  server. It contains all of the "tls_*" configuration
    #  entries used in older versions of FreeRADIUS. Those
    #  configuration entries can still be used, but we recommend
    #  using these.
    #
    tls {
        #  Set this to 'yes' to use TLS encrypted connections
        #  to the LDAP database by using the StartTLS extended
        #  operation.
        #
        #  The StartTLS operation is supposed to be
        #  used with normal ldap connections instead of
        #  using ldaps (port 636) connections
        start_tls = no

        # cacertfile = /path/to/cacert.pem
        # cacertdir = /path/to/ca/dir/
        # certfile = /path/to/radius.crt
        # keyfile = /path/to/radius.key
        # randfile = /path/to/rnd

        #  Certificate Verification requirements. Can be:
        #    "never" (don't even bother trying)
        #    "allow" (try, but don't fail if the certificate
        #             can't be verified)
        #    "demand" (fail if the certificate doesn't verify.)
        #
        #  The default is "allow"
        # require_cert = "demand"
    }

    # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
    # profile_attribute = "radiusProfileDn"
    access_attr = "dialupAccess"

    #  Mapping of RADIUS dictionary attributes to LDAP
    #  directory attributes.
    dictionary_mapping = ${confdir}/ldap.attrmap

    #  Set password_attribute = nspmPassword to get the
    #  user's password from a Novell eDirectory
    #  backend. This will work ONLY IF FreeRADIUS has been
    #  built with the --with-edir configure option.
    #
    #  See also the following links:
    #
    #  http://www.novell.com/coolsolutions/appnote/16745.html
    #  https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
    #
    #  Novell may require TLS encrypted sessions before returning
    #  the user's password.
    #
    #password_attribute = userPassword
    password_attribute = sambaNTPassword

    #  Un-comment the following to disable Novell
    #  eDirectory account policy check and intruder
    #  detection. This will work *only if* FreeRADIUS is
    #  configured to build with --with-edir option.
    #
    edir_account_policy_check = no

    #
    #  Group membership checking. Disabled by default.
    #
    groupname_attribute = "eduPersonAffiliation"
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    #groupmembership_attribute = eduPersonAffiliation

    #compare_check_items = yes
    #do_xlat = yes
    #access_attr_used_for_allow = yes

    #  The following two configuration items are for Active Directory
    #  compatibility. If you see the helpful "operations error"
    #  being returned to the LDAP module, uncomment the next
    #  two lines.
    #
    # chase_referrals = yes
    # rebind = yes

    #  By default, if the packet contains a User-Password,
    #  and no other module is configured to handle the
    #  authentication, the LDAP module sets itself to do
    #  LDAP bind for authentication.
    #
    #  THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
    #
    #  THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
    #
    #  You can disable this behavior by setting the following
    #  configuration entry to "no".
    #
    #  allowed values: {no, yes}
    # set_auth_type = yes

    #  ldap_debug: debug flag for LDAP SDK
    #  (see OpenLDAP documentation). Set this to enable
    #  huge amounts of LDAP debugging on the screen.
    #  You should only use this if you are an LDAP expert.
    #
    #  default: 0x0000 (no debugging messages)
    #  Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
    #ldap_debug = 0x0028

    #
    #  Keepalive configuration. This MAY NOT be supported by your
    #  LDAP library. If these configuration entries appear in the
    #  output of "radiusd -X", then they are supported. Otherwise,
    #  they are unsupported, and changing them will do nothing.
    #
    keepalive {
        # LDAP_OPT_X_KEEPALIVE_IDLE
        idle = 60

        # LDAP_OPT_X_KEEPALIVE_PROBES
        probes = 3

        # LDAP_OPT_X_KEEPALIVE_INTERVAL
        interval = 3
    }
}
------------------------------------------------------------------------------------------------------------------------------------------------------------
freeradius -x output:
Try to connect
LDAP part:
[ldap] Entering ldap_groupcmp()
[files] expand: ou=People,dc=company,dc=fr -> ou=People,dc=company,dc=fr
[files] expand: %{Stripped-User-Name} ->
[files] ... expanding second conditional
[files] expand: %{User-Name} -> 31001635
[files] expand: (&(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true)) -> (&(supannAliasLogin=31001635)(dialupAccess=true))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=company,dc=fr, with filter (&(supannAliasLogin=31001635)(dialupAccess=true))
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=uid\3dind14128\2cou\3dPeople\2cdc\3dcompany\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dind14128\2cou\3dPeople\2cdc\3dcompany\2cdc\3dfr)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=company,dc=fr, with filter (&(eduPersonAffiliation=student)(|(&(objectClass=GroupOfNames)(member=uid\3dind14128\2cou\3dPeople\2cdc\3dcompany\2cdc\3dfr))(&(objectClass=GroupOfUniqueNames)(uniquemember=uid\3dind14128\2cou\3dPeople\2cdc\3dcompany\2cdc\3dfr))))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group student not found or user is not a member.
++[files] returns noop
[ldap] performing user authorization for 31001635
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> 31001635
[ldap] expand: (&(supannAliasLogin=%{%{Stripped-User-Name}:-%{User-Name}})(dialupAccess=true)) -> (&(supannAliasLogin=31001635)(dialupAccess=true))
[ldap] expand: ou=People,dc=company,dc=fr -> ou=People,dc=company,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=company,dc=fr, with filter (&(supannAliasLogin=31001635)(dialupAccess=true))
[ldap] checking if remote access for 31001635 is allowed by dialupAccess
[ldap] Added User-Password = 409471AD0F83EDA48CD4749E7369806C in check items
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password == 0x3516516165161611511651156111654154165564
[ldap] sambaLmPassword -> LM-Password == 0x51151151545646515615151561515155611
[ldap] looking for reply items in directory...
[ldap] user 31001635 authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
What happens is that I manage to connect (with the first filter on the attributes supannAliasLogin and dialupAccess) in the default VLAN of the switch, but not with the LDAP groups.
Can anyone help me solve this problem, please?
Best Regards
On Wednesday, March 25, 2015 at 16:43, Ben Humpert <ben at an3k.de> wrote:
2015-03-24 13:22 GMT+01:00 Sautron Nick <sautronnick at yahoo.fr>:
> # Group membership checking. Disabled by default.
> #
> groupname_attribute = cn
> groupmembership_filter = "(&(Login=%{%{Stripped-User-Name}:-%{User-Name}})(isMemberOf=ou=groups,ou=eduroam,dc=company,dc=fr))"
That filter is broken. What is actually sent to LDAP is
(&(Login=Marco)(isMemberOf=ou=groups,ou=eduroam,dc=company,dc=fr)) and
for sure it can't find anything because of the isMemberOf=. LDAP tries
to find "isMemberOf=ou" and then has an invalid "=groups" setting.
What version of FreeRADIUS are you using and can you post an example
of one LDAP User entry and one Group entry? Each with its complete DN.
If you want/have to hide data please don't use **** but replacement
words.
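The two LDAP searches quoted in the freeradius -x output above can be replayed offline. The Python script below is an added example, not code from the original post or from FreeRADIUS. It contains a small evaluator for the RFC 4515 filter subset used here (&, |, !, equality and presence) and a constructed copy of the user entry: the DN and the supannAliasLogin, eduPersonAffiliation and dialupAccess values are the ones quoted in the post, while the objectClass values are an assumption. Replaying the searches shows why the second one returns "object not found": the group filter that rlm_ldap composes, (&(eduPersonAffiliation=student)(|(&(objectClass=GroupOfNames)(member=...))...)), can only match an entry under ou=People that is at the same time the holder of the affiliation value and a GroupOfNames/GroupOfUniqueNames object listing the user's DN, and no such entry exists. The third filter, which checks the affiliation value on the user's own entry, is an assumed alternative added for comparison, not something the post tried.

```python
"""Replay the LDAP searches from a FreeRADIUS debug log against an in-memory directory.

Added example, not code from the original post or from FreeRADIUS. It contains a
small evaluator for the RFC 4515 filter subset used here (&, |, !, equality and
presence) and one constructed entry modelled on the user quoted in the post.
"""
import re

# Constructed entry: DN and attributes quoted in the post. The objectClass
# values are an assumption; nothing in the post states them.
DIRECTORY = {
    "uid=ind14128,ou=People,dc=company,dc=fr": {
        "objectClass": ["inetOrgPerson", "radiusprofile"],
        "uid": ["ind14128"],
        "supannAliasLogin": ["31001635"],
        "eduPersonAffiliation": ["student"],
        "dialupAccess": ["true"],
    },
}

BASE_DN = "ou=People,dc=company,dc=fr"

# Filters copied from the "performing search" lines of the debug output.
USER_FILTER = "(&(supannAliasLogin=31001635)(dialupAccess=true))"
GROUP_FILTER = (
    "(&(eduPersonAffiliation=student)"
    "(|(&(objectClass=GroupOfNames)"
    "(member=uid\\3dind14128\\2cou\\3dPeople\\2cdc\\3dcompany\\2cdc\\3dfr))"
    "(&(objectClass=GroupOfUniqueNames)"
    "(uniquemember=uid\\3dind14128\\2cou\\3dPeople\\2cdc\\3dcompany\\2cdc\\3dfr))))"
)
# Assumed alternative, not from the post: test the affiliation value on the user entry itself.
ATTRIBUTE_FILTER = "(&(supannAliasLogin=31001635)(eduPersonAffiliation=student))"


def unescape(value):
    """Decode RFC 4515 hex escapes such as \\3d ('=') and \\2c (',')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into ('and'|'or', [children]), ('not', child) or ('eq', attr, value)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return ("and" if op == "&" else "or", children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("not", child)
        end = text.index(")", pos)  # a literal ')' inside a value must be escaped as \29
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("item without '=' in %r" % text[pos:end])
        pos = end + 1
        return ("eq", attr.strip(), unescape(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    kind = tree[0]
    if kind == "and":
        return all(matches(c, entry) for c in tree[1])
    if kind == "or":
        return any(matches(c, entry) for c in tree[1])
    if kind == "not":
        return not matches(tree[1], entry)
    _, attr, value = tree
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":  # presence filter, e.g. (mail=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(directory, base_dn, filter_text):
    """Subtree search: return the DNs under base_dn whose entry satisfies the filter."""
    tree = parse_filter(filter_text)
    suffix = "," + base_dn.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base_dn.lower() or dn.lower().endswith(suffix))
            and matches(tree, entry)]


def replay():
    """Run the three searches and return {label: [matching DNs]}."""
    return {label: search(DIRECTORY, BASE_DN, f) for label, f in
            [("user", USER_FILTER), ("group", GROUP_FILTER), ("attribute", ATTRIBUTE_FILTER)]}


if __name__ == "__main__":
    for label, dns in replay().items():
        print("%-9s %s" % (label, dns or "object not found"))
```

Running the script prints one line per search: the user and attribute filters return the constructed DN, the group filter returns nothing, mirroring the "object not found" line in the debug output. The same evaluator can be pointed at any other "performing search in ..., with filter ..." line to check what a composed filter would need from the directory before touching the server.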