LDAP filter

Andrés Gómez andres.gomez.ruiz at gmail.com
Mon Sep 18 04:49:43 CEST 2017

Hi Arran, I'm using FreeRADIUS 2.2.8. It's not easy to upgrade to 3.x; I
will try if I definitely can't solve it.

Alan, sorry, let me explain better.
This is an example of the user "pares" who is part of the "userType:

ldapsearch -x -LLL -h platform.example.com.co -D
"cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI
dn: uid=pares,ou=invitados,dc=example,dc=com,dc=co
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: qmailUser
cn: Pares
sn:: QWNhZMOpbWljb3M=
state:: U29saWNpdGFkbyBwb3IgVmljZXJyZWN0b3LDrWE=

userType: managment
uid: pares

And this is an example of the user "utposgr" who is part of the "userType:

ldapsearch -x -LLL -h platform.example.com.co -D
"cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI
dn: uid=utposgr,ou=invitados,dc=example,dc=com,dc=co
uid: utposgr
userType: guest
state: solicit
sn: CGR
cn: Invitado
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: qmailUser

As I said, I need to configure FreeRADIUS to use the LDAP module with a
filter so that only the users who have the "userType: managment"
object in the LDAP directory can authenticate. So, I set the FreeRADIUS ldap module like this:

ldap {
        server = "plataform.example.com.co"
        identity = "cn=roam,dc=example,dc=com,dc=co"
        password = 12345
        basedn = "dc=example,dc=com,dc=co"
        ldap_connections_number = 5
}

Results: I can authenticate both users (pares and utposgr). Now I need to
apply the filter on the object, so I tried this:

ldap {
        server = "plataform.example.com.co"
        identity = "cn=roam,dc=example,dc=com,dc=co"
        password = 12345
        basedn = "dc=example,dc=com,dc=co"
        base_filter = "(userType= managment)"
        ldap_connections_number = 5
}

After reload, I still can authenticate both users (pares and utposgr), but
what I need is to only authenticate user "pares", because user "utposgr" has
a different LDAP object (userType: guest).

This is the debug output when I tried to authenticate the user utposgr
(supposed to be rejected):

Cleaning up request 2 ID 79 with timestamp +319
Ready to process requests.
rad_recv: Access-Request packet from host port 38585, id=15,
        User-Name = "utposgr"
        User-Password = "ut2014"
        NAS-IP-Address =
        NAS-Port = 1812
        Message-Authenticator = 0xbc046700e4bb678a5b8bd88f9d3c9e42
# Executing section authorize from file /etc/freeradius/sites-enabled/
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "utposgr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for utposgr
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> utposgr
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[ldap]  expand: dc=example,dc=com,dc=co -> dc=example,dc=com,dc=co
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=example,dc=com,dc=co, with filter
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] Setting Auth-Type = LDAP
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
[ldap] login attempt by "utposgr" with password "ut2014"
[ldap] user DN: uid=utposgr,ou=invit,dc=example,dc=com,dc=co
  [ldap] (re)connect to plataform.example.com.co:389, authentication 1
  [ldap] bind as uid=utposgr,ou=invit,dc=example,dc=com,dc=co/ut2014 to
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user utposgr authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [utposgr/ut2014] (from client localhost port 1812)
# Executing section post-auth from file /etc/freeradius/sites-enabled/
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 15 to port 38585
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +326
Ready to process requests.

I also tried:

ldap {
        server = "plataform.example.com.co"
        identity = "cn=roam,dc=example,dc=com,dc=co"
        password = 12345
        basedn = "dc=example,dc=com,dc=co"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(userType= managment)"
        ldap_connections_number = 5
}

But the same results. I don't know how to make the filter of the LDAP
object "userType= managment" and the user who has the "userType= guest"
can authenticate.

Thanks in advance!!!

2017-09-17 7:22 GMT-05:00 Alan DeKok <aland at deployingradius.com>:

> On Sep 16, 2017, at 8:51 PM, Andrés Gómez <andres.gomez.ruiz at gmail.com>
> wrote:
> > I have tried many combinations but I can't make it work.
>   See the FAQ for "it doesn't work".
> > Can you give me any advice about how can I configure the freeradius-ldap
> > module in order to do that filter?
>   You told us what you did.  You didn't tell us what happened.  You *can*
> post the debug log as suggested in the FAQ, "man" page, web pages, and all
> the time on this list.
>   Saying "it doesn't work" is entirely unhelpful.  And doesn't let us help
> you.
>   Alan DeKok.

C. Andrés Gómez R.
Master's degree in Free Software
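As an added example (not code from this thread or from the FreeRADIUS project), the script below replays the question on a constructed copy of the two entries posted above: a small LDIF reader that also decodes the `::` base64 values, plus a matcher for RFC 4515 search filters (`&`, `|`, `!`, equality, presence and substring assertions). The debug output above shows the module expanding only `(uid=%{%{Stripped-User-Name}:-%{User-Name}})` for the user search, so the script shows what that filter selects and what an `&` filter that also carries the `userType` condition selects; it uses a case-insensitive, whitespace-trimming comparison as an approximation of caseIgnoreMatch so that the `userType= managment` spelling with a space still compares equal. The `SAMPLE_LDIF` text and the `parse_ldif`, `matches` and `search` helpers are all constructed for this example.

```python
"""Added example: LDIF reader plus RFC 4515 filter matcher, used to show which of
the two entries a user-search filter selects. Not FreeRADIUS or OpenLDAP code."""
import base64

# Constructed sample modelled on the two ldapsearch results in the thread
# (same DNs and userType values; the other attributes are trimmed).
SAMPLE_LDIF = """\
dn: uid=pares,ou=invitados,dc=example,dc=com,dc=co
cn: Pares
sn:: QWNhZMOpbWljb3M=
userType: managment
uid: pares

dn: uid=utposgr,ou=invitados,dc=example,dc=com,dc=co
uid: utposgr
userType: guest
state: solicit
sn: CGR
cn: Invitado
"""


def parse_ldif(text):
    """Parse blank-line separated LDIF entries; 'attr:: value' carries a base64 value."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if ":: " in line:  # base64-encoded value, as for sn/state in the thread
            attr, encoded = line.split(":: ", 1)
            value = base64.b64decode(encoded).decode("utf-8")
        else:
            attr, value = line.split(": ", 1)
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def _norm(s):
    """Approximate caseIgnoreMatch: case-insensitive, leading/trailing spaces ignored."""
    return s.strip().lower()


def _substring(pattern, value):
    """LDAP substring assertion: 'ab*cd*ef' = prefix 'ab', then 'cd', then suffix 'ef'."""
    pieces = pattern.split("*")
    if not value.startswith(pieces[0]) or not value.endswith(pieces[-1]):
        return False
    pos, end = len(pieces[0]), len(value) - len(pieces[-1])
    for piece in pieces[1:-1]:
        idx = value.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= end


def _split_top(s):
    """Split '(a)(b)' into ['(a)', '(b)'] at nesting depth zero."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, filt):
    """Evaluate a filter with &, |, !, equality, presence (attr=*) and substrings."""
    filt = filt.strip()
    if len(filt) < 3 or filt[0] != "(" or filt[-1] != ")":
        raise ValueError(f"malformed filter: {filt!r}")
    body = filt[1:-1]
    if body[0] == "&":
        return all(matches(entry, sub) for sub in _split_top(body[1:]))
    if body[0] == "|":
        return any(matches(entry, sub) for sub in _split_top(body[1:]))
    if body[0] == "!":
        return not matches(entry, body[1:])
    if "=" not in body:
        raise ValueError(f"unsupported filter item: {body!r}")
    attr, assertion = body.split("=", 1)
    values = [_norm(v) for k, vs in entry.items() if _norm(k) == _norm(attr) for v in vs]
    if assertion == "*":
        return bool(values)
    if "*" in assertion:
        return any(_substring(_norm(assertion), v) for v in values)
    return _norm(assertion) in values


def search(entries, filt):
    """Return the DNs the filter selects, as a subtree ldapsearch would list them."""
    return [e["dn"][0] for e in entries if matches(e, filt)]


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for f in ("(uid=utposgr)", "(&(uid=utposgr)(userType=managment))",
              "(&(uid=pares)(userType= managment))"):
        print(f, "->", search(directory, f))
```

Run stand-alone, the uid-only filter selects utposgr, the `&` filter with `userType=managment` selects nobody for utposgr and only pares for pares, which is the behaviour a user search restricted to a required attribute value gives: whatever filter the module expands for the user search has to carry that condition, or the per-user bind that follows happens for every uid the directory knows.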
