dynamic expansion will not be dynamically expanded in ldap configuration

Ben Humpert ben at an3k.de
Fri Apr 24 08:31:00 CEST 2015


I have 3.0.7 running and also get the "dynamic expansion..." WARNING,
and my users file is empty, but FR correctly checks for group
membership of the user trying to authenticate. I checked that by
reading the debug output (freeradius -XXX).

2015-04-23 14:29 GMT+02:00 Alan DeKok <aland at deployingradius.com>:
> On Apr 23, 2015, at 3:23 AM, Angel L. Mateo <amateo at um.es> wrote:
>>       Now I don't have the "dynamic expansion..." error, but ldap module is still not searching for groups.
>
>   The ldap module does group checks in certain circumstances... such as when you use LDAP-Group.  It does that in all of my tests.  If it's not working for you, it's probably because you're not actually using LDAP-Group.
>
>>       In my ldap I have my users and groups with a posix schema. Primary group of the user are in the gidNumber attribute of the user. This group has a posixGroup entry in the ldap. In this entry there are memberUid attributes for the users belonging to the group (but this is not its primary group).
>
>   That's all good.
>
>>       So, in my ldap module configuration I have:
> ...
>>       and in the site configuration:
>
>   I think I send a message to this list EVERY DAY saying "post the debug output.  don't post the config".
>
>   What, exactly, does it take for the message to get through?
>
>>       Then, in my users file I have something like:
>
>   Again, that's nice, but probably not enough.
>
>> DEFAULT       Realm == um.es, Ldap-Group == 1001, Auth-Type := Reject
>>       Reply-Message = "..."
>>       Fall-Through = No
>>
>> DEFAULT       Realm == um.es
>>        Fall-Through = No
>>
>>       but, radius never makes any search to match the group of the users.
>>
>>       Any idea?
>
>   READ THE DEBUG OUTPUT.
>
>   I'll bet money that there's ANOTHER "users" file entry which is being matched, AND you don't have a Fall-Through for the first one.  So the DEFAULT you posted above never gets matched.
>
>   The process here isn't difficult.  READ THE DEBUG OUTPUT.  Check that the server is using the modules you expect it to use.  Check that the server is using the configuration you expect it to use.  Check that the server is matching "users" file entries you expect it to match.
>
>   This is computing 101.  It's not magic.  It's not random chance.  It's brain-dead, dumb, literal, exact, and consistent.  The main reason you haven't solved this already is that you haven't checked to see if the server is doing what you think it's doing.  You're looking at the inputs, and wondering why the outputs are wrong.  You SHOULD be looking at the process which turns the inputs into the outputs: the debug log.
>
>   It's like trying to figure out why your TV won't work, but you refuse to ever look at the screen.  And on the screen, there's a big message saying "FIRMWARE UPDATE REQUIRED".  You won't ever discover that message by looking at the inputs.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
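The shadowing Alan describes (an earlier users-file entry that matches the request and has no Fall-Through, so the DEFAULT entry with the Ldap-Group check is never evaluated and the ldap module is never asked for a group search) can be seen in a small model of how the files module walks the users file. The following is an added illustration written for this thread, not FreeRADIUS's own code: it keeps only the pieces the thread talks about (check items evaluated left to right, control assignments such as Auth-Type := Reject, Fall-Through), and the FakeLdap class, the membership table and the Framed-Protocol entry are constructed stand-ins. It assumes the request already carries a Realm attribute, as it would after the realm module has run.

```python
from dataclasses import dataclass, field


class FakeLdap:
    """Stand-in for the ldap module's group lookup (constructed data, not a
    real directory). Counts how often a group search is actually made, which
    is the observable the thread is arguing about."""

    def __init__(self, membership):
        self.membership = membership  # user -> set of gidNumber strings
        self.searches = 0

    def is_member(self, user, group):
        self.searches += 1
        return group in self.membership.get(user, set())


@dataclass
class Entry:
    """One users-file entry: check items, control assignments (':=' items on
    the first line, e.g. Auth-Type), reply items and Fall-Through."""
    name: str                       # a username, or "DEFAULT"
    checks: dict                    # all must match, evaluated in order
    control: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)
    fall_through: bool = False


def checks_pass(entry, request, ldap):
    """Evaluate check items left to right, stopping at the first failure.
    Ldap-Group is the only item that triggers a directory search."""
    if entry.name != "DEFAULT" and entry.name != request["User-Name"]:
        return False
    for attr, want in entry.checks.items():
        if attr == "Ldap-Group":
            ok = ldap.is_member(request["User-Name"], want)
        else:
            ok = request.get(attr) == want
        if not ok:
            return False
    return True


def process(entries, request, ldap):
    """Walk entries in file order. The first matching entry is applied and
    processing stops there unless that entry sets Fall-Through = Yes."""
    matched, control, reply = [], {}, {}
    for idx, entry in enumerate(entries):
        if not checks_pass(entry, request, ldap):
            continue
        matched.append(idx)
        control.update(entry.control)
        reply.update(entry.reply)
        if not entry.fall_through:
            break
    return matched, control, reply


# The two entries posted in the thread.
REJECT_1001 = Entry("DEFAULT", {"Realm": "um.es", "Ldap-Group": "1001"},
                    control={"Auth-Type": "Reject"},
                    reply={"Reply-Message": "..."})
ACCEPT_REALM = Entry("DEFAULT", {"Realm": "um.es"})

# What Alan bets is happening: a constructed earlier entry matches every
# um.es user and has no Fall-Through, so REJECT_1001 is never reached.
SHADOWED = [Entry("DEFAULT", {"Realm": "um.es"}, reply={"Framed-Protocol": "PPP"}),
            REJECT_1001, ACCEPT_REALM]

# Same file with the shadowing entry removed.
FIXED = [REJECT_1001, ACCEPT_REALM]


def run(entries, user, membership):
    """Return (indices of matched entries, control items, LDAP searches made)."""
    ldap = FakeLdap(membership)
    request = {"User-Name": user, "Realm": "um.es"}
    matched, control, _reply = process(entries, request, ldap)
    return matched, control, ldap.searches


if __name__ == "__main__":
    members = {"alice": {"1001"}, "bob": {"1002"}}  # constructed directory data
    print(run(SHADOWED, "alice", members))  # ([0], {}, 0): no LDAP search at all
    print(run(FIXED, "alice", members))     # ([0], {'Auth-Type': 'Reject'}, 1)
    print(run(FIXED, "bob", members))       # ([1], {}, 1)
```

The shadowed case is the one that matches the symptom in the thread: the request is answered by the first entry, the Ldap-Group item is never evaluated, and the search count stays at zero, which is exactly what "radius never makes any search" looks like in the debug output. The real server's debug log shows which users-file entry matched, so that is where to confirm which of the two orders applies.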
