Freeradius + Ldap - Authorise OK but NO dynamic VLANs

Matthew Newton mcn4 at leicester.ac.uk
Tue Aug 23 13:00:01 CEST 2016 

On Mon, Aug 22, 2016 at 05:59:34PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> in the output:

Hmm, I missed this bit of debug output.

> Mon Aug 22 17:43:18 2016 : Debug: rlm_ldap (ldap): Reserved connection (2)
> Mon Aug 22 17:43:18 2016 : Debug: (0)     Using user DN from request
> "cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local"
> Mon Aug 22 17:43:18 2016 : Debug: (0)     Checking user object's memberOf
> attributes
> Mon Aug 22 17:43:18 2016 : Debug: (0)       Performing unfiltered search in
> "cn=ttester,cn=SeminaryAdmin,ou=SeminaryOU,dc=seminary,dc=local", scope
> "base"
> Mon Aug 22 17:43:18 2016 : Debug: (0)       Waiting for search result...

> Mon Aug 22 17:43:18 2016 : Debug: (0)     No group membership attribute(s)
> found in user object

That line looks ominous.

Previous ldapsearch outputs (even when bound as the admin user)
don't show the memberOf attribute.

So check that your LDAP server is actually including memberOf in
the search results.

You can search for group membership two ways.

 - configure "membership_attribute", in which case FR will search
   for the user, and then look at the specified attribute
   (memberOf by default) to see if the required group is there; or

 - configure "membership_filter", which means FR will search using
   that filter, then check through the list of all groups returned
   to see if the user is in any of them.

You can also do both, in which case one happens first, and if that
fails it checks the other method. I forget which way around this
happens (probably attribute first).

IIRC membership_attribute can have problems when you have very
large groups, but the searching is done on FR so is less load on
the LDAP server. membership_filter puts the load on the LDAP
server (to search the groups and create the dynamic memberOf
attribute), but easier for FR... but some servers restrict
searching of attributes like memberOf.

Try something simple like

        base_dn = "dc=seminary,dc=local"

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=group)'
                name_attribute = cn
                scope = 'sub'

                # look in group for user account (not using this):
                membership_filter = '(member=%{control:Ldap-UserDn})'

                # look in use account for group:
                # membership_attribute = 'memberOf'
        }

if that works then put more restrictions in to get the filter you need.

Have you done an ldapsearch to pull the group back, rather than the user? -
actually make sure the user *is* a member (according to the view that the FR
LDAP bind user has).

Also - I've not used openldap before. Try searching the web for
"openldap memberof". It looks like you need to manually enable the
memberOf attribute in the LDAP server. This may be your problem.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>

More information about the Freeradius-Users mailing list