LDAP filter
Andrés Gómez
andres.gomez.ruiz at gmail.com
Mon Sep 18 04:49:43 CEST 2017
Hi Arran, I'm using FreeRADIUS 2.2.8. It's not easy to upgrade to 3.x; I will try it if I definitely can't solve this.
Alan, sorry, let me explain better.
This is an example of the user "pares", who is part of "userType: managment":
ldapsearch -x -LLL -h platform.example.com.co -D "cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI -b "uid=pares,ou=invit,dc=example,dc=com,dc=co"
dn: uid=pares,ou=invitados,dc=example,dc=com,dc=co
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: qmailUser
cn: Pares
sn:: QWNhZMOpbWljb3M=
state:: U29saWNpdGFkbyBwb3IgVmljZXJyZWN0b3LDrWE=
userType: managment
uid: pares
And this is an example of the user "utposgr", who is part of "userType: guest":
ldapsearch -x -LLL -h platform.example.com.co -D "cn=comroam,dc=example,dc=com,dc=co" -w BI3AixvSQt8hjjKc34CI -b "uid=utposgr,ou=invit,dc=example,dc=com,dc=co"
dn: uid=utposgr,ou=invitados,dc=example,dc=com,dc=co
uid: utposgr
userType: guest
state: solicit
sn: CGR
cn: Invitado
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: qmailUser
As I said, I need to configure FreeRADIUS to use the LDAP module with a filter so that only users who have the "userType: managment" object in the LDAP directory can authenticate. So I set the FreeRADIUS ldap module like this:
ldap {
server = "plataform.example.com.co"
identity = "cn=roam,dc=example,dc=com,dc=co"
password = 12345
basedn = "dc=example,dc=com,dc=co"
ldap_connections_number = 5
...
}
Result: I can authenticate both users (pares and utposgr). Now I need to apply the filter on the object, so I tried this:
ldap {
server = "plataform.example.com.co"
identity = "cn=roam,dc=example,dc=com,dc=co"
password = 12345
basedn = "dc=example,dc=com,dc=co"
base_filter = "(*userType= managment*)"
ldap_connections_number = 5
...
}
After reloading, I can still authenticate both users (pares and utposgr), but what I need is to authenticate only user "pares", because user "utposgr" has a different LDAP object (userType: guest).
This is the debug output when I tried to authenticate the user utposgr (who is supposed to be rejected):
Cleaning up request 2 ID 79 with timestamp +319
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 38585, id=15, length=81
User-Name = "utposgr"
User-Password = "ut2014"
NAS-IP-Address = 192.168.70.90
NAS-Port = 1812
Message-Authenticator = 0xbc046700e4bb678a5b8bd88f9d3c9e42
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "utposgr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[ldap] performing user authorization for utposgr
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> utposgr
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
(uid=utposgr)
[ldap] expand: dc=example,dc=com,dc=co -> dc=example,dc=com,dc=co
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=example,dc=com,dc=co, with filter
(uid=utposgr)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] ldap_release_conn: Release Id: 0
++[ldap] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = LDAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group LDAP {
[ldap] login attempt by "utposgr" with password "ut2014"
[ldap] user DN: uid=utposgr,ou=invit,dc=example,dc=com,dc=co
[ldap] (re)connect to plataform.example.com.co:389, authentication 1
[ldap] bind as uid=utposgr,ou=invit,dc=example,dc=com,dc=co/ut2014 to plataform.example.com.co:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] user utposgr authenticated succesfully
++[ldap] = ok
+} # group LDAP = ok
Login OK: [utposgr/ut2014] (from client localhost port 1812)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 15 to 127.0.0.1 port 38585
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 15 with timestamp +326
Ready to process requests.
I also tried:
ldap {
server = "plataform.example.com.co"
identity = "cn=roam,dc=example,dc=com,dc=co"
password = 12345
basedn = "dc=example,dc=com,dc=co"
filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
base_filter = "(userType= managment*)"
ldap_connections_number = 5
...
}
But with the same results. I don't know how to make the filter on the LDAP object "userType= managment" work, and the user who has "userType= guest" can still authenticate.
Thanks in advance!!!
2017-09-17 7:22 GMT-05:00 Alan DeKok <aland at deployingradius.com>:
> On Sep 16, 2017, at 8:51 PM, Andrés Gómez <andres.gomez.ruiz at gmail.com>
> wrote:
> > I have tried many combinations but I cant' do it work.
>
> See the FAQ for "it doesn't work".
>
> > Can you give me any advice about how can I configure the freeradius-ldap
> > module in order to do that filter?
>
> You told us what you did. You didn't tell us what happened. You *can*
> post the debug log as suggested in the FAQ, "man" page, web pages, and all
> the time on this list.
>
> Saying "it doesn't work" is entirely unhelpful. And doesn't let us help
> you.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
C. Andrés Gómez R.
Master's degree in Free Software
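Editor's note, an added configuration example that is not part of the original post and not taken from the FreeRADIUS project files. In the FreeRADIUS 2.x rlm_ldap module, `base_filter` is only applied to the `default_profile` lookup; the user lookup uses `filter`. That is why the debug output above still shows the user search running with the plain `(uid=utposgr)` filter after `base_filter` was changed. The restriction therefore belongs in `filter`, as an AND of the uid assertion and the attribute assertion. The fragment keeps the server, identity, basedn and attribute name from the post; the bind password is a placeholder, since the real bind credential was posted in the ldapsearch commands above and should be treated as compromised and rotated. The attribute value is spelled exactly as stored in the directory ("managment"), with no leading space and no `*` wildcards.

```conf
ldap {
        server = "plataform.example.com.co"
        identity = "cn=roam,dc=example,dc=com,dc=co"
        # placeholder: never reuse a bind password that has appeared in a public post
        password = "CHANGE-ME"
        basedn = "dc=example,dc=com,dc=co"

        # INEFFECTIVE (what the post tried): base_filter only restricts the
        # default_profile search, so the user search is still "(uid=...)".
        # "(*userType= managment*)" is also not a valid RFC 4515 filter,
        # because an attribute description cannot begin with '*'.
        #base_filter = "(*userType= managment*)"

        # CORRECTED: restrict the user search itself. The "&" ANDs both
        # assertions, so an entry without userType=managment is simply not
        # found: rlm_ldap returns notfound, no Auth-Type is set, and the
        # request is rejected at the end of the authorize section.
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(userType=managment))"

        # base_filter is left for its intended purpose (the default profile search)
        base_filter = "(objectclass=radiusprofile)"

        ldap_connections_number = 5
        ...
}
```

Before reloading, the same combined filter can be checked with ldapsearch against the two test users: `ldapsearch -x -LLL -h platform.example.com.co -D "cn=comroam,dc=example,dc=com,dc=co" -W -b "dc=example,dc=com,dc=co" "(&(uid=utposgr)(userType=managment))"` should return no entry, while the same query with `uid=pares` should return the "pares" entry (`-W` prompts for the bind password instead of leaving it in shell history and process listings, as `-w` does). With the corrected module, the `-X` debug output for utposgr should show the new filter on the "performing search" line followed by `++[ldap] = notfound` instead of `Setting Auth-Type = LDAP`, and the request ends in an Access-Reject.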
More information about the Freeradius-Users mailing list