Can't load LDAP groups 3.0.7
Dave Aldwinckle
daldwinc at uwaterloo.ca
Mon May 25 18:27:42 CEST 2015
Hi All,
I am trying to reconfigure from version 2.1.12 to 3.0.7 and I am having
an issue checking LDAP groups in the post-auth section.
I'm doing EAP-PEAP for authentication, and I want to check for group
membership in post-auth, and assign a VLAN. I've tried putting the check
in post-auth of "inner-tunnel" as well as post-auth of "default". The
result was the same. I'm expecting to see a comparison of all the user's
groups with the one I have specified, but that does not occur.
I do see a successful search for the user:
rlm_ldap (ldap): Reserved connection (4)
(8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(8) ldap: --> (samaccountname=daldwinc)
(8) ldap: Performing search in "x" with filter "(samaccountname=user1)", scope "sub"
(8) ldap: Waiting for search result...
(8) ldap: User object found at DN "CN=David A (x),x"
(8) ldap: Processing user attributes
(8) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(8) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (4)
(8) [ldap] = ok
2.1.12 LDAP config:
ldap x.ldap {
    server = "x"
    identity = "x"
    port = 636
    password = x
    basedn = "dc=x"
    filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
    ldap_connections_number = 50
    timeout = 20
    timelimit = 20
    net_timeout = 10
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    password_attribute = userPassword
    edir_account_policy_check = no
    groupname_attribute = cn
    groupmembership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberof
    set_auth_type = yes
}
3.0.7 LDAP config:
ldap {
    server = 'x'
    port = 389
    identity = 'x'
    password = x
    base_dn = 'x'
    update {
        control:Password-With-Header += 'userPassword'
        control: += 'radiusCheckAttributes'
        reply: += 'radiusReplyAttributes'
    }
    user {
        base_dn = 'x'
        filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = 'x'
        filter = '(objectClass=posixGroup)'
        membership_filter = "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
        membership_attribute = 'memberOf'
    }
    profile {
    }
    client {
        base_dn = 'x'
        filter = '(objectClass=radiusClient)'
        attribute {
            ipaddr = 'radiusClientIdentifier'
            secret = 'radiusClientSecret'
        }
    }
    options {
        chase_referrals = yes
        rebind = yes
        timeout = 10
        timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }
    tls {
        start_tls = yes
        ca_file = ${certdir}/ca.pem
        ca_path = ${certdir}
        certificate_file = ${certdir}/x.ca-2015-12.crt
        private_key_file = ${certdir}/x.ca.key
    }
    pool {
        start = 5
        min = 4
        max = ${thread[pool].max_servers}
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
        retry_delay = 1
    }
}
/etc/raddb/sites-enabled/inner-tunnel:
server inner-tunnel {
    listen {
        ipaddr = 127.0.0.1
        port = 18120
        type = auth
    }
    authorize {
        chap
        mschap
        suffix
        update control {
            &Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        -sql
        -ldap
        expiration
        logintime
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
    session {
        radutmp
    }
    post-auth {
        -sql
        ldap
        if (ldap-LDAP-Group == group1 ) {
            update reply {
                Aruba-User-Vlan := 1020
            }
        }
        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
            update outer.session-state {
                Module-Failure-Message := &request:Module-Failure-Message
            }
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
Debug excerpt (forgive me for not including the full output, it's very
cumbersome to sanitize.)
(8) # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
(8) post-auth {
(8) [ldap] = noop
(8) if (ldap-LDAP-Group == group1 ) {
(8) if (ldap-LDAP-Group == group1 ) -> FALSE
(8) } # post-auth = noop
Thanks in advance,
Dave
--
Dave Aldwinckle
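As an added illustration, not part of Dave's post and not FreeRADIUS code, the Python below simulates the two lookups an LDAP-backed group check performs for a comparison like the one in the post-auth section above: first the user's membership attribute (memberOf) is inspected, then the group base DN is searched with the configured membership filter after the user DN has been interpolated into it. The directory, DNs, group names and the helper names (user_in_group, parse_filter, filter_is_valid) are all constructed for the example; the filter evaluator covers only the &, | ,! and equality subset of RFC 4515, and its "exactly one parenthesised expression" rule is what a real server enforces when parsing a filter string.

```python
"""Simulation of an LDAP-backed RADIUS group-membership check.

Models the two lookups an LDAP module performs for a group comparison:
(1) inspect the user's membership attribute (memberOf) and (2) search the
group base DN with the configured membership filter. Everything below is
constructed for the example; DIRECTORY is a dict, not a live server."""
import re

USER_BASE = "ou=people,dc=example,dc=org"
GROUP_BASE = "ou=groups,dc=example,dc=org"
U1 = "cn=user1," + USER_BASE
U2 = "cn=user2 (contractor)," + USER_BASE   # parentheses must be escaped in filters

DIRECTORY = {  # constructed entries: DN -> {lowercase attribute: [values]}
    U1: {"objectclass": ["person"], "memberof": ["cn=group1," + GROUP_BASE]},
    U2: {"objectclass": ["person"]},          # no memberOf: only the filter path finds it
    "cn=group1," + GROUP_BASE: {"objectclass": ["groupofuniquenames"], "cn": ["group1"],
                                "uniquemember": [U1, U2]},
    "cn=group2," + GROUP_BASE: {"objectclass": ["posixgroup"], "cn": ["group2"],
                                "memberuid": ["user3"]},
}

# One valid filter: two alternatives wrapped in a single outer (|...)
MEMBERSHIP_FILTER = ("(|(member=%{control:Ldap-UserDn})"
                     "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")


def ldap_escape(value):
    """RFC 4515 escaping for values interpolated into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the &, |, ! and equality subset of RFC 4515 into a tuple tree.
    Raises ValueError unless text is exactly one parenthesised expression."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def _expect(text, i, ch):
    if i >= len(text) or text[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _parse(text, i):
    i = _expect(text, i, "(")
    if i < len(text) and text[i] in "&|":
        op, i, kids = text[i], i + 1, []
        while i < len(text) and text[i] == "(":
            child, i = _parse(text, i)
            kids.append(child)
        return (op, kids), _expect(text, i, ")")
    if i < len(text) and text[i] == "!":
        child, i = _parse(text, i + 1)
        return ("!", [child]), _expect(text, i, ")")
    end = text.find(")", i)
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, sep, value = text[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("bad item %r" % text[i:end])
    return ("=", attr.lower(), _unescape(value).lower()), end + 1


def filter_is_valid(text):
    """True if text parses as a single RFC 4515 filter expression."""
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    if node[0] == "&":
        return all(matches(k, attrs) for k in node[1])
    if node[0] == "|":
        return any(matches(k, attrs) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    _, attr, value = node
    return value in [v.lower() for v in attrs.get(attr, [])]


def user_in_group(user_dn, group_name, membership_attr="memberof",
                  membership_filter=MEMBERSHIP_FILTER, group_base=GROUP_BASE):
    """True if user_dn belongs to group_name by either lookup path."""
    # Path 1: membership attribute on the user; values are group DNs and are
    # compared against the full DN or the value of the leading RDN (cn).
    for dn in DIRECTORY.get(user_dn, {}).get(membership_attr, []):
        rdn_value = dn.split(",", 1)[0].partition("=")[2]
        if group_name.lower() in (dn.lower(), rdn_value.lower()):
            return True
    # Path 2: interpolate the escaped user DN into the membership filter,
    # AND it with the group name, and search entries under the group base DN.
    expanded = membership_filter.replace("%{control:Ldap-UserDn}", ldap_escape(user_dn))
    tree = parse_filter("(&(cn=%s)%s)" % (ldap_escape(group_name), expanded))
    return any(dn.lower().endswith(group_base.lower()) and matches(tree, attrs)
               for dn, attrs in DIRECTORY.items())


if __name__ == "__main__":
    print("user1 in group1:", user_in_group(U1, "group1"))   # attribute path
    print("user2 in group1:", user_in_group(U2, "group1"))   # filter path, escaped DN
    print("user1 in group2:", user_in_group(U1, "group2"))   # not a member
```

Running it shows user1 resolved through memberOf, user2 resolved only through the filter search (its DN contains parentheses, which is why the interpolated value is escaped first), and a negative result for group2. Passing membership_attr="" disables the attribute path so the filter path can be exercised on its own, and filter_is_valid() reports False for a string made of two parenthesised expressions placed side by side without an enclosing (|...) or (&...).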