ldap group membership check issue

Евгений Подберезкин epodber at gmail.com
Mon Oct 30 09:39:22 CET 2017


Thank you for your help.  "use_tunneled_reply" solved my problem.


2017-10-27 17:48 GMT+05:00 Alan DeKok <aland at deployingradius.com>:

> On Oct 27, 2017, at 7:49 AM, Евгений Подберезкин <epodber at gmail.com> wrote:
> >
> > Thanks for the reply. I've already added the realms to proxy.conf, but
> > adding the ntdomain module wasn't obvious for me (suffix is enabled by
> > default, so I did not care about it).
>
>   Yes, that's not obvious.
>
> > I have one more question; could you give me a hint?
> >
> > If I check LDAP-Group in etc/raddb/users, it works.
> >
> > DEFAULT chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru"
> >
> > DEFAULT Auth-Type := Reject
> >        Reply-Message = "Group do not match"
> >
> > But if I need to set an attribute in post-auth, it does not.
> >
> > E.g. in sites-enabled/default or sites-enabled/inner-tunnel:
>
>   That sets the attribute in the *inner-tunnel*.  You still need to get it
> to the outer, default server.
>
>   See raddb/mods-available/eap.  Look for "use_tunneled_reply".
>
> > post-auth {
> >        if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
> >                # v3 unlang only sets attributes inside an update block
> >                update reply {
> >                        Tunnel-Private-Group-ID := "165"
> >                }
> >        }
> > }
> >
> >
> > radiusd -X:
> >
> > (9) # Executing section post-auth from file
> > /opt/freeradius3/etc/raddb/sites-enabled/default
> > (9)   post-auth {
> > (9)     if (chtpzldap-LDAP-Group ==
> > "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
> > (9)     if (chtpzldap-LDAP-Group ==
> > "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru")  -> FALSE
>
>   Which means it doesn't match.  Find out why, first.
>
>   See the comments at the top of the "inner-tunnel" virtual server for how
> to debug it.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

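As an added illustration (not configuration posted in this thread), here are the two pieces the fix combines: the use_tunneled_reply flag in raddb/mods-available/eap, and the group check placed in the inner-tunnel post-auth section, where the ldap module is run against the real inner User-Name rather than the outer (often anonymous) identity. It assumes FreeRADIUS 3.0 with PEAP and an ldap module instance named chtpzldap, reuses the thread's group DN and VLAN 165, and adds the RFC 2868 Tunnel-Type and Tunnel-Medium-Type attributes that a switch expects alongside Tunnel-Private-Group-ID.

```unlang
# raddb/mods-available/eap (FreeRADIUS 3.0.x). Added example, not the poster's config.
# Reply attributes set inside the inner-tunnel reach the outer Access-Accept only
# when this flag is enabled for the tunnelling method in use (TTLS has the same flag).
eap {
	peap {
		tls = tls-common
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
		# Copy the inner reply (including Tunnel-Private-Group-ID) to the outer reply.
		use_tunneled_reply = yes
	}
}

# raddb/sites-enabled/inner-tunnel, post-auth section.
# "chtpzldap" is the ldap instance name from the thread; comparing its
# <instance>-LDAP-Group attribute makes that module query group membership
# for the request's User-Name, which is only the real user here, not outside.
post-auth {
	if (chtpzldap-LDAP-Group == "CN=WiFi_CHTPZ,OU=WiFi,OU=CHTPZ,DC=chtpz,DC=ru") {
		update reply {
			# RFC 2868 VLAN assignment: a switch or controller needs all three
			# attributes to place the client in VLAN 165.
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-ID := "165"
		}
	}
	else {
		# Users outside the group are rejected rather than accepted without a VLAN,
		# matching the users-file behaviour from the thread.
		update reply {
			Reply-Message := "Group does not match"
		}
		reject
	}
}
```

Run radiusd -X and look for the "-> TRUE" line on the if in the inner-tunnel (not the default server) to confirm the group comparison is being evaluated in the right place.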

More information about the Freeradius-Users mailing list