Can't load LDAP groups 3.0.7

Dave Aldwinckle daldwinc at uwaterloo.ca
Mon May 25 19:53:00 CEST 2015


I found the cause. The comment in /etc/raddb/mods-enabled/ldap (on the
cache_attribute setting) reads:

                     #  Override the normal cache attribute (<inst>-LDAP-Group)
                     #  and create a custom attribute.  This can help if
                     #  multiple module instances are used in fail-over.

Taking that literally, I was comparing against ldap-LDAP-Group (instance name 
plus the -LDAP-Group suffix). Dropping the instance prefix and comparing 
against LDAP-Group made the group check work as expected. So with the default 
instance name "ldap" the attribute appears to be just LDAP-Group; the <inst>- 
prefix seems to apply only to instances with a different name.

Dave Aldwinckle

On 15-05-25 12:27 PM, Dave Aldwinckle wrote:
> Hi All,
>
> I am trying to reconfigure from version 2.1.12 to 3.0.7 and I am 
> having an issue checking LDAP groups in the post-auth section.
>
> I'm doing EAP-PEAP for authentication, and I want to check for group 
> membership in post-auth, and assign a VLAN. I've tried putting the 
> check in post-auth of "inner-tunnel" as well as post-auth of 
> "default". The result was the same. I expect to see a comparison of all 
> the user's groups with the one I specified, but that comparison never 
> happens.
>
> I do see a successful search for the user:
>
> rlm_ldap (ldap): Reserved connection (4)
> (8) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
> (8) ldap:    --> (samaccountname=daldwinc)
> (8) ldap: Performing search in "x" with filter 
> "(samaccountname=user1)", scope "sub"
> (8) ldap: Waiting for search result...
> (8) ldap: User object found at DN "CN=David A (x),x"
> (8) ldap: Processing user attributes
> (8) ldap: WARNING: No "known good" password added. Ensure the admin 
> user has permission to read the password attribute
> (8) ldap: WARNING: PAP authentication will *NOT* work with Active 
> Directory (if that is what you were trying to configure)
> rlm_ldap (ldap): Released connection (4)
> (8)       [ldap] = ok
>
>
> 2.1.12 LDAP config:
>
> # 2.1.12 rlm_ldap instance "x.ldap". Port 636 with start_tls = no implies
> # implicit LDAPS (ldaps://); the 3.0.7 config below moves to STARTTLS on 389.
> ldap x.ldap {
>         server = "x"
>         identity = "x"
>         port = 636
>         # Cleartext bind password in the config file: keep the file readable
>         # only by the radiusd user.
>         password = x
>         basedn = "dc=x"
>         filter = 
> "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
>         ldap_connections_number = 50
>         timeout = 20
>         timelimit = 20
>         net_timeout = 10
>         tls {
>                 # No STARTTLS on 636 -- the TLS session is expected to be
>                 # negotiated implicitly by the port. Confirm the server
>                 # certificate was actually verified in this setup.
>                 start_tls = no
>         }
>         dictionary_mapping = ${confdir}/ldap.attrmap
>         # userPassword is not readable on Active Directory, so this only
>         # yields a "known good" password on directories that expose it.
>         password_attribute = userPassword
>         edir_account_policy_check = no
>         groupname_attribute = cn
>         # NOTE(review): two filters concatenated without an enclosing (|...)
>         # is not a single well-formed LDAP filter; the memberof attribute
>         # below is what the membership check most likely relies on -- confirm.
>         groupmembership_filter = 
> "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
>         groupmembership_attribute = memberof
>         set_auth_type = yes
> }
>
>
> 3.0.7 LDAP config:
>
> # 3.0.7 rlm_ldap instance named "ldap" (the default instance name); as
> # the poster's follow-up found, its group attribute is exposed as
> # LDAP-Group rather than ldap-LDAP-Group.
> ldap {
>     server = 'x'
>     # Plain LDAP port with STARTTLS (tls { start_tls = yes } below). The
>     # simple bind sends the identity password over this connection, so
>     # server-certificate verification in tls {} is what protects it.
>     port = 389
>     identity = 'x'
>     # Cleartext bind password in the config file: keep the file readable
>     # only by the radiusd user.
>     password = x
>     base_dn = 'x'
>     update {
>         # Read userPassword as the "known good" password. The debug output
>         # reports that none was added; against Active Directory userPassword
>         # is not readable, so PEAP/MSCHAPv2 needs an NT-hash source such as
>         # ntlm_auth rather than this mapping -- confirm.
>         control:Password-With-Header    += 'userPassword'
>         # NOTE(review): these multi-valued LDAP attributes are treated as
>         # lists of "Attr op value" items added to the control/reply lists;
>         # anyone who can write them on a user object can inject check or
>         # reply attributes (e.g. a VLAN), so confirm their write ACL.
>         control:            += 'radiusCheckAttributes'
>         reply:                += 'radiusReplyAttributes'
>     }
>     user {
>         base_dn = 'x'
>         # Stripped-User-Name is preferred; User-Name is the fallback. The
>         # expansion is escaped by the module, per the debug EXPAND line.
>         filter = 
> "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
>     }
>     group {
>         base_dn = 'x'
>         # NOTE(review): used to resolve a group name to a DN when comparing
>         # by name; AD groups are normally objectClass=group, not posixGroup,
>         # so confirm this filter actually matches your groups.
>         filter = '(objectClass=posixGroup)'
>         # NOTE(review): two filters concatenated without an enclosing (|...)
>         # is not one well-formed LDAP filter; with membership_attribute set,
>         # the memberOf values on the user object are consulted, which may be
>         # why this has not surfaced -- confirm.
>         membership_filter = 
> "(memberof=%{control:Ldap-UserDn})(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))"
>         membership_attribute = 'memberOf'
>     }
>     profile {
>     }
>     client {
>         # Dynamic-client definitions (address and shared secret) read from
>         # LDAP; only relevant if a dynamic-clients listener uses this
>         # instance. The bind identity can then read every shared secret.
>         base_dn = 'x'
>         filter = '(objectClass=radiusClient)'
>         attribute {
>             ipaddr                = 'radiusClientIdentifier'
>             secret                = 'radiusClientSecret'
>         }
>     }
>     options {
>         # NOTE(review): with rebind = yes the module binds with the identity
>         # credentials on whichever server a referral points to; restrict
>         # referral chasing if the directory can refer outside your trust
>         # boundary.
>         chase_referrals = yes
>         rebind = yes
>         timeout = 10
>         timelimit = 3
>         net_timeout = 1
>         idle = 60
>         probes = 3
>         interval = 3
>         # libldap debug flags; keep 0 in production, the output can include
>         # bind DNs and expanded search filters.
>         ldap_debug = 0x0028
>     }
>     tls {
>         start_tls = yes
>         ca_file    = ${certdir}/ca.pem
>         ca_path    = ${certdir}
>         # Client certificate/key presented to the directory (TLS client auth).
>         certificate_file = ${certdir}/x.ca-2015-12.crt
>         private_key_file = ${certdir}/x.ca.key
>         # NOTE(review): no require_cert here, so the libldap default decides
>         # whether the server certificate is verified; set
>         # require_cert = 'demand' explicitly so a spoofed directory cannot
>         # collect the bind password -- confirm the 3.0.7 default.
>     }
>     pool {
>         start = 5
>         min = 4
>         max = ${thread[pool].max_servers}
>         spare = 3
>         # uses/lifetime of 0: connections are not recycled by use count or
>         # age, only by idle_timeout -- confirm against the pool docs.
>         uses = 0
>         lifetime = 0
>         idle_timeout = 60
>         retry_delay = 1
>     }
> }
>
>
> /etc/raddb/sites-enabled/inner-tunnel:
>
> server inner-tunnel {
> listen {
>        ipaddr = 127.0.0.1
>        port = 18120
>        type = auth
> }
> authorize {
>     chap
>     mschap
>     suffix
>     update control {
>         &Proxy-To-Realm := LOCAL
>     }
>     eap {
>         ok = return
>     }
>     files
>     -sql
>     -ldap
>     expiration
>     logintime
>     pap
> }
> authenticate {
>     Auth-Type PAP {
>         pap
>     }
>     Auth-Type CHAP {
>         chap
>     }
>     Auth-Type MS-CHAP {
>         mschap
>     }
>     eap
> }
> session {
>     radutmp
> }
> post-auth {
>     -sql
>     # Look the user up here so Ldap-UserDn and the group attribute are
>     # available to the comparison below (the debug shows [ldap] = noop).
>     ldap
>         # The instance is named "ldap", so the group attribute is LDAP-Group;
>         # "ldap-LDAP-Group" is never populated, which is why this evaluates
>         # FALSE in the debug. 3.0 style would be:
>         #     if (&LDAP-Group == "group1") {
>         if (ldap-LDAP-Group == group1 ) {
>                 update reply {
>                         Aruba-User-Vlan := 1020
>                 }
>         }
>         # NOTE(review): no else branch -- a user outside group1 gets no VLAN
>         # and lands on the NAS default; consider failing closed (reject, or a
>         # quarantine VLAN). Reply attributes set in the inner tunnel only
>         # reach the NAS if the outer PEAP config copies them to the outer
>         # reply (use_tunneled_reply) -- confirm.
>     Post-Auth-Type REJECT {
>         -sql
>         attr_filter.access_reject
>         # Keep the failure reason for the outer request's logging.
>         update outer.session-state {
>             Module-Failure-Message := &request:Module-Failure-Message
>         }
>     }
> }
> pre-proxy {
> }
> post-proxy {
>     eap
> }
>
>
> Debug excerpt (forgive me for not including the full output; it is very 
> cumbersome to sanitize.)
>
> (8)   # Executing section post-auth from file 
> /etc/raddb/sites-enabled/inner-tunnel
> (8)     post-auth {
> (8)       [ldap] = noop
> (8)       if (ldap-LDAP-Group == group1 ) {
> (8)       if (ldap-LDAP-Group == group1 )  -> FALSE
> (8)     } # post-auth = noop
>
>
> Thanks in advance,
> Dave
>


