ldap group membership check issue
Alan DeKok
aland at deployingradius.com
Fri Oct 27 14:48:03 CEST 2017
On Oct 27, 2017, at 7:49 AM, Евгений Подберезкин <epodber at gmail.com> wrote:
>
> Thanks for the reply. I've already added the realms to proxy.conf, but
> adding the ntdomain module wasn't obvious for me (suffix is enabled by default,
> so I did not care about it).
Yes, that's not obvious.
> I have one more question, could you give me a hint.
>
> If I check LDAP-Group in etc/raddb/users, it works.
>
> DEFAULT chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"
>
> DEFAULT Auth-Type := Reject
>         Reply-Message = "Group do not match"
>
> But if I need to set an attribute in post-auth, it does not
>
> E.g. in sites-enabled/default or sites-enabled/inner-tunnel:
That sets the attribute in the *inner-tunnel*. You still need to get it to the outer, default server.
See raddb/mods-available/eap. Look for "use_tunneled_reply".
> post-auth {
>     if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
>         Tunnel-Private-Group-ID := "165"
>     }
> }
>
> radiusd -X :
>
> (9) # Executing section post-auth from file /opt/freeradius3/etc/raddb/sites-enabled/default
> (9)   post-auth {
> (9)     if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
> (9)     if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru")  -> FALSE
Which means it doesn't match. Find out why, first.
See the comments at the top of the "inner-tunnel" virtual server for how to debug it.
Alan DeKok.
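For readers following the thread, here is an added example (not configuration from the original message or from the FreeRADIUS project) of the two pieces Alan refers to: enabling use_tunneled_reply in raddb/mods-available/eap so that reply attributes set inside the tunnel reach the outer reply, and doing the group-to-VLAN mapping in the inner-tunnel post-auth section. It assumes FreeRADIUS 3.0.x unlang syntax (update blocks rather than bare assignments), an ldap module instance named chtpzldap, the group DN and VLAN 165 quoted above, and adds the Tunnel-Type and Tunnel-Medium-Type attributes that a NAS normally needs alongside Tunnel-Private-Group-ID for dynamic VLAN assignment.

```unlang
# raddb/mods-available/eap (excerpt; added example, tls/inner-tunnel names assumed)
eap {
	default_eap_type = peap
	peap {
		tls = tls-common
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
		# Copy the reply attributes produced inside the tunnel into the
		# outer Access-Accept that is actually sent to the NAS.
		use_tunneled_reply = yes
	}
	ttls {
		tls = tls-common
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
		use_tunneled_reply = yes
	}
}

# raddb/sites-available/inner-tunnel (post-auth excerpt; added example)
post-auth {
	# The LDAP-Group comparison looks up the request's User-Name in LDAP.
	# Inside the tunnel that is the real inner identity, whereas in the
	# outer "default" server it may be an anonymous outer identity that
	# belongs to no group, which is one reason the check can be FALSE there.
	if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-ID := "165"
		}
	}
	else {
		# Fail closed: users outside the WiFi group are rejected rather
		# than accepted with no VLAN.
		update reply {
			Reply-Message := "Group do not match"
		}
		reject
	}
}
```

Run radiusd -X and confirm the "if (chtpzldap-LDAP-Group == ...)" line evaluates to TRUE in the inner-tunnel post-auth section before looking at the outer server; if it is still FALSE there, the group membership lookup itself (base DN, membership filter or attribute in the chtpzldap instance) is what to debug.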