dynamic expansion will not be dynamically expanded in ldap configuration

Angel L. Mateo amateo at um.es
Fri Apr 24 08:27:53 CEST 2015


	I'm sorry for not posting the debug output, just the config, but when I 
asked on this list it was because I had made a lot of tests and checks before.

	I have configured a clean environment (site) for testing. This is my 
complete users file in this test environment (attached is the debug output):

DEFAULT Ldap-Group == 1001, Auth-Type := Reject
         Reply-Message = "You are not authorized",
         Fall-Through = No

DEFAULT
         Fall-Through = No

	The entry matched is the second, but an LDAP search for the group is 
never done (I have checked it in my LDAP server's logs).

On 23/04/15 at 14:29, Alan DeKok wrote:
> On Apr 23, 2015, at 3:23 AM, Angel L. Mateo <amateo at um.es> wrote:
>> 	Now I don't have the "dynamic expansion..." error, but ldap module is still not searching for groups.
>
>    The ldap module does group checks in certain circumstances... such as when you use LDAP-Group.  It does that in all of my tests.  If it's not working for you, it's probably because you're not actually using LDAP-Group.
>
>> 	In my ldap I have my users and groups with a posix schema. Primary group of the user are in the gidNumber attribute of the user. This group has a posixGroup entry in the ldap. In this entry there are memberUid attributes for the users belonging to the group (but this is not its primary group).
>
>    That's all good.
>
>> 	So, in my ldap module configuration I have:
> ...
>> 	and in the site configuration:
>
>    I think I send a message to this list EVERY DAY saying "post the debug output.  don't post the config".
>
>    What, exactly, does it take for the message to get through?
>
>> 	Then, in my users file I have something like:
>
>    Again, that's nice, but probably not enough.
>
>> DEFAULT	Realm == um.es, Ldap-Group == 1001, Auth-Type := Reject
>> 	Reply-Message = "..."
>> 	Fall-Through = No
>>
>> DEFAULT	Realm == um.es
>>         Fall-Through = No
>>
>> 	but RADIUS never makes any search to match the group of the users.
>>
>> 	Any idea?
>
>    READ THE DEBUG OUTPUT.
>
>    I'll bet money that there's ANOTHER "users" file entry which is being matched, AND you don't have a Fall-Through for the first one.  So the DEFAULT you posted above never gets matched.
>
>    The process here isn't difficult.  READ THE DEBUG OUTPUT.  Check that the server is using the modules you expect it to use.  Check that the server is using the configuration you expect it to use.  Check that the server is matching "users" file entries you expect it to match.
>
>    This is computing 101.  It's not magic.  It's not random chance.  It's brain-dead, dumb, literal, exact, and consistent.  The main reason you haven't solved this already is that you haven't checked to see if the server is doing what you think it's doing.  You're looking at the inputs, and wondering why the outputs are wrong.  You SHOULD be looking at the process which turns the inputs into the outputs: the debug log.
>
>    It's like trying to figure out why your TV won't work, but you refuse to ever look at the screen.  And on the screen, there's a big message saying "FIRMWARE UPDATE REQUIRED".  You won't ever discover that message by looking at the inputs.
>
>    Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
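To make the walk through the users file that Alan describes concrete, here is an added example. It is not FreeRADIUS code and not the poster's configuration: a simplified Python model of how the server matches users file entries in order, takes the first entry whose name and check items all match, applies its control and reply items, and stops unless that entry carries Fall-Through = Yes. The sample users file, the request attributes and the group-membership stub are constructed for the example; in the real server the Ldap-Group comparison is performed by rlm_ldap against the directory, which is exactly the search the poster is not seeing in the LDAP logs. The constructed file puts an extra DEFAULT without Fall-Through ahead of the posted entries to show how it shadows them.

```python
"""Simplified model of FreeRADIUS 'users' file matching (added example).

Assumptions: only '==' (compare) and ':=' (set control item) check operators,
reply items on indented continuation lines, and a caller-supplied callback
standing in for the rlm_ldap group-membership search.
"""
import re
from dataclasses import dataclass, field

# Constructed sample (not the poster's real file): the first DEFAULT matches
# every um.es request and has no Fall-Through, so the entries below it are
# never evaluated and no group search happens.
SHADOWED_USERS_FILE = """\
DEFAULT  Realm == um.es, Auth-Type := LDAP

DEFAULT  Realm == um.es, Ldap-Group == 1001, Auth-Type := Reject
         Reply-Message = "You are not authorized",
         Fall-Through = No

DEFAULT  Realm == um.es
         Fall-Through = No
"""

# Same file with Fall-Through = Yes added to the first entry.
FIXED_USERS_FILE = SHADOWED_USERS_FILE.replace(
    "Auth-Type := LDAP\n", "Auth-Type := LDAP\n         Fall-Through = Yes\n", 1)

# One "Attribute OP value" item, optionally quoted, optionally comma-terminated.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value)
    replies: list = field(default_factory=list)  # (attr, op, value)


def parse_items(text):
    return [(attr, op, value.strip('"')) for attr, op, value in ITEM_RE.findall(text)]


def parse_users(text):
    """Non-indented lines start an entry (name + check items); indented lines are reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # simplification: '#' never appears in values
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split(None, 1)
            entries.append(Entry(parts[0], parse_items(parts[1]) if len(parts) > 1 else []))
        else:
            entries[-1].replies.extend(parse_items(line))
    return entries


def entry_matches(entry, request, group_lookup, trace):
    """All '==' check items must match; ':=' items are control assignments and never fail."""
    for attr, op, value in entry.checks:
        if op == ':=':
            continue
        if attr == 'Ldap-Group':
            # In the real server this is rlm_ldap searching the directory.
            trace.append(f"ldap group search: is {request['User-Name']} in {value}?")
            if not group_lookup(request['User-Name'], value):
                return False
        elif request.get(attr) != value:
            return False
    return True


def process_users(text, request, group_lookup):
    """Return (control items, reply items, trace) for one request."""
    trace, control, reply = [], {}, {}
    for entry in parse_users(text):
        if entry.name != 'DEFAULT' and entry.name != request.get('User-Name'):
            continue
        if not entry_matches(entry, request, group_lookup, trace):
            continue
        trace.append(f"matched entry '{entry.name}' with checks {entry.checks}")
        for attr, op, value in entry.checks:
            if op == ':=':
                control[attr] = value
        fall_through = False
        for attr, op, value in entry.replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            else:
                reply[attr] = value
        if not fall_through:
            break                                   # first match wins unless Fall-Through = Yes
    return control, reply, trace


def in_group_stub(user, gid):
    # Constructed stand-in for the LDAP membership search: alice is in posixGroup 1001.
    return (user, gid) == ('alice', '1001')


if __name__ == '__main__':
    req = {'User-Name': 'alice', 'Realm': 'um.es'}
    for label, users_file in (('shadowed', SHADOWED_USERS_FILE), ('fixed', FIXED_USERS_FILE)):
        control, reply, trace = process_users(users_file, req, in_group_stub)
        print(label, control, reply, *trace, sep='\n  ')
```

Running it shows the difference the debug output would show in the real server: with the shadowing entry the trace contains no "ldap group search" line at all and Auth-Type stays LDAP, while with Fall-Through = Yes on that entry the group search is made and the Reject entry is taken.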

