per instance Ldap-Group attribute does not work
Oleg Palij
o.palij at dp.uz.gov.ua
Wed Aug 10 10:43:08 CEST 2016
I'm switching from 2.2.5 to 3.0.12. Users are in Active Directory.
I found that per instance Ldap-Group attribute does not work.
I simplified working config to:
authorize {
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

post-auth {
    if !(LDAP-Group == 'vpdn') {
        update reply {
            Reply-Message += "no vpdn group"
        }
        reject
    }
    ...
}
With default ldap module name it searches in ldap and works as expected:
(2) post-auth {
(2)   if !(LDAP-Group == 'vpdn') {
(2)   Searching for user in group "vpdn"
…
(2)   User found in group object "...."
(2)   if !(LDAP-Group == 'vpdn') -> FALSE
But as soon as I change default ldap module to named (per instance) one:
mods-enabled/ldap: ldap { ... } -> ldap ldapdomain1 { ... }
and replace in config 'ldap' with 'ldapdomain1'
and 'LDAP-Group' with 'ldapdomain1-LDAP-Group'
it stops searching in LDAP; stripped debug log:
# Loading module "ldapdomain1" from file /etc/freeradius/mods-enabled/ldap
ldap ldapdomain1 {
...
Creating attribute ldapdomain1-LDAP-Group
...
(0) post-auth {
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') {
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') -> TRUE
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') {
(0)     update reply {
(0)       Reply-Message += "no vpdn group"
(0)     } # update reply = noop
(0)     [reject] = reject
(0)   } # if !(ldapdomain1-LDAP-Group == 'vpdn') = reject
(0) } # post-auth = reject
full debug log - https://gist.github.com/paleg/4041dfbfd2bfe997ce5b1e0345b2d232
I was able to obtain the same effect when I intentionally made a mistake in the named LDAP group name. But I double-checked that the registered paircompare name is correct.
I tried different upper/lower-case variants of the LDAP group name without success:
- ldapdomain1-LDAP-Group (as in sources)
- ldapdomain1-Ldap-Group (as in online docs)
Could you please explain what I am doing wrong?
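The two debug excerpts above differ in one telling detail: with the default instance, the `LDAP-Group` comparison is preceded by a `Searching for user in group "vpdn"` line, while with the named instance the `ldapdomain1-LDAP-Group` condition is evaluated with no search at all, so the comparison never reached the LDAP module and the user is rejected. The script below is an added diagnostic, not part of the post or of FreeRADIUS: it walks FreeRADIUS debug output and flags every `*LDAP-Group` condition result for which no group search was logged on the same request. The embedded sample logs are constructed from the excerpts quoted in the post; the function names and the regular expressions are this example's own assumptions about the log format shown above.

```python
import re

# Constructed sample: the default-instance excerpt from the post, where the
# group comparison triggers a search before the condition result is logged.
DEFAULT_INSTANCE_LOG = """\
(2) post-auth {
(2)   if !(LDAP-Group == 'vpdn') {
(2)   Searching for user in group "vpdn"
(2)   User found in group object "...."
(2)   if !(LDAP-Group == 'vpdn') -> FALSE
"""

# Constructed sample: the named-instance excerpt from the post, where the
# condition result is logged with no preceding search line.
NAMED_INSTANCE_LOG = """\
(0) post-auth {
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') {
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') -> TRUE
(0)   if !(ldapdomain1-LDAP-Group == 'vpdn') {
(0)     update reply {
(0)       Reply-Message += "no vpdn group"
(0)     } # update reply = noop
(0)     [reject] = reject
(0)   } # if !(ldapdomain1-LDAP-Group == 'vpdn') = reject
(0) } # post-auth = reject
"""

# "(N) rest of line" -> request number and body (assumed debug-line shape).
REQ_PREFIX = re.compile(r"^\((\d+)\)\s*(.*)$")

# A condition result line, e.g.  if !(ldapdomain1-LDAP-Group == 'vpdn') -> TRUE
# The attribute may carry an instance prefix; case is ignored because the post
# tried both "LDAP-Group" and "Ldap-Group" spellings.
COND_RESULT = re.compile(
    r"if\s+!?\(\s*(?P<attr>[\w-]*LDAP-Group)\s*==\s*'(?P<group>[^']*)'\s*\)"
    r"\s*->\s*(?P<result>TRUE|FALSE)",
    re.IGNORECASE,
)

# The line the ldap module emits when the group comparison actually runs.
SEARCH_LINE = re.compile(r'Searching for user in group "(?P<group>[^"]*)"')


def audit_group_checks(log_text):
    """Return one dict per LDAP-Group condition result found in log_text,
    recording whether a matching group search was logged earlier on the
    same request number."""
    searched = {}   # request number -> set of group names searched so far
    findings = []
    for raw in log_text.splitlines():
        m = REQ_PREFIX.match(raw)
        if not m:
            continue
        req, body = int(m.group(1)), m.group(2)

        s = SEARCH_LINE.search(body)
        if s:
            searched.setdefault(req, set()).add(s.group("group"))
            continue

        c = COND_RESULT.search(body)
        if c:
            findings.append({
                "request": req,
                "attribute": c.group("attr"),
                "group": c.group("group"),
                "result": c.group("result").upper(),
                "searched": c.group("group") in searched.get(req, set()),
            })
    return findings


def unsearched_checks(log_text):
    """Only the condition results that were evaluated without any search:
    these are the comparisons that never reached the LDAP module."""
    return [f for f in audit_group_checks(log_text) if not f["searched"]]


if __name__ == "__main__":
    for name, log in (("default", DEFAULT_INSTANCE_LOG),
                      ("named", NAMED_INSTANCE_LOG)):
        for f in unsearched_checks(log):
            print(f"{name}: request {f['request']}: {f['attribute']} == "
                  f"'{f['group']}' evaluated {f['result']} with no LDAP search")
```

Run against a full `radiusd -X` capture, the script prints one line per group comparison that produced a result without a search, which is exactly the symptom in the post; a clean run prints nothing. It only reads the debug output, so it is safe to run on logs from a production server copied elsewhere.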