Return User Groups in Class field
Christian Salway
christian.salway at naimuri.com
Wed Nov 14 17:10:18 CET 2018
Thanks Alan,
The problem with your suggestion is that the groups are ever-changing, so I would have to continually update freeradius. I have found a solution, but I have a string formatting issue.
This is what I did:
1) Added a mapping in ldap mod.
# /etc/raddb/mods-enabled/ldap
ldap {
    ...
    update {
        ...
        reply:memberOf += 'memberOf'
    }
    ...
}
2) Added an Attribute reference
# /etc/raddb/dictionary
ATTRIBUTE memberOf 3001 string
3) Added an update reply
# /etc/raddb/sites-enabled/default
post-auth {
    ...
    foreach &reply:memberOf {
        update reply {
            Class += "%{Foreach-Variable-0}"
        }
    }
    ...
}
The log then looks like the following:
rlm_ldap (ldap): Reserved connection (2)
(3) ldap: EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(3) ldap: --> (samaccountname=christian.salway)
(3) ldap: Performing search in "OU=Users,OU=directory,DC=directory,DC=local" with filter "(samaccountname=christian.salway)", scope "sub"
(3) ldap: Waiting for search result...
(3) ldap: User object found at DN "CN=christian.salway,OU=Users,OU=directory,DC=directory,DC=local"
(3) ldap: Processing user attributes
(3) ldap: reply:memberOf += 'CN=pod2-admin,OU=Groups,OU=directory,DC=directory,DC=local'
(3) ldap: reply:memberOf += 'CN=pod1-admin,OU=Groups,OU=directory,DC=directory,DC=local'
(3) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
(3) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
rlm_ldap (ldap): Released connection (2)
(3) Sent Access-Accept Id 244 from 10.0.0.247:1812 to 10.0.0.120:38051 length 0
(3) MS-MPPE-Encryption-Policy = Encryption-Allowed
(3) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(3) MS-MPPE-Send-Key = 0x40c90fe5410732aae0aaee2f5c7724e0
(3) MS-MPPE-Recv-Key = 0x45b11b48c7bb0713954e8d5791ef9929
(3) EAP-Message = 0x03030004
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) User-Name = "christian.salway"
(3) Class += 0x4f3d7374726f6e677377616e2f4f553d7265736561726368
(3) Class += 0x4f3d7374726f6e677377616e2f4f553d66696e616e636568
(3) Finished request
The problem I now have is that freeradius is sending `CN=pod2-admin,OU=Groups,OU=directory,DC=directory,DC=local` whereas strongSwan is expecting `CN=pod2-admin/OU=Groups/OU=directory/DC=directory/DC=local` and I don't know how to change it.
> On 14 Nov 2018, at 15:59, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 14, 2018, at 8:26 AM, Christian Salway via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>
>> I use strongSwan to authenticate against FreeRadius which it does successfully but now I need FreeRadius to return the users groups in the Class field so strongSwan can check the User belongs to a group [1].
>>
>> I've managed to work out how to add extra fields to the response by putting an update reply in the file /etc/raddb/sites-available/default
>>
>> post-auth {
>> ...
>> update reply {
>> Class = "%{Ldap-Group}"
>
> The issue is that LDAP-Group isn't a real attribute. It's just used to *compare* things. e.g.
>
> if (LDAP-Group == "sales") {
>
> That *doesn't* grab all of the users groups and put them into the LDAP-Group attribute.
>
>> }
>> ...
>> }
>> Is that the place to put it??
>>
>> but as you can see below, the Class is null.
>
> And if you read the *rest* of the debug output, you would see it expanding the LDAP group, and returning an empty string. Or maybe even an *error* saying that the LDAP-Group attribute wasn't found.
>
> The solution is to just update Class directly:
>
> if (LDAP-Group == "sales") {
> update reply {
> Class := "sales"
> }
> }
>
> Alan DeKok.
>
>
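The comma-to-slash conversion the post is stuck on, as an added example that is not part of the thread and not FreeRADIUS, strongSwan or the poster's own code. A bare `replace(",", "/")` is not safe: RFC 4514 lets a comma appear inside an RDN value as `\,`, and a naive replace would split that value and emit a group string different from the one the administrator configured. The script below splits the DN on unescaped, unquoted commas, refuses values that already contain `/` (which would be ambiguous once `/` is the separator), and can also decode the hex-encoded Class values that `radiusd -X` prints. The sample memberOf values are the two DNs from the debug log above; the file name and the idea of calling it from unlang through the `exec` xlat (`%{exec:/usr/local/bin/dn2strongswan.py %{Foreach-Variable-0}}`) are assumptions, not something verified against a running server.

```python
#!/usr/bin/env python3
"""Reformat LDAP group DNs for a RADIUS Class attribute.

Added example for this thread; it is not FreeRADIUS, strongSwan or the
poster's code. It turns the RFC 4514 DN string that rlm_ldap returns in
memberOf (CN=pod2-admin,OU=Groups,OU=directory,DC=directory,DC=local)
into the slash-separated form the post says strongSwan expects
(CN=pod2-admin/OU=Groups/OU=directory/DC=directory/DC=local), and it can
decode the hex-encoded Class values shown in the FreeRADIUS debug output.
"""
import binascii
import sys
from typing import List


def split_rdns(dn: str) -> List[str]:
    """Split a DN string into its RDNs on unescaped, unquoted commas.

    A backslash escapes the following character (RFC 4514 section 2.4); a
    value wrapped in double quotes (legacy RFC 2253 form) may contain
    literal commas. Escapes are kept verbatim in the returned pieces.
    """
    rdns: List[str] = []
    cur: List[str] = []
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair ("\," or "\2c")
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            rdns.append("".join(cur).strip())
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unbalanced quote in DN: %r" % dn)
    rdns.append("".join(cur).strip())
    return rdns


def dn_to_strongswan(dn: str) -> str:
    """Join the RDNs with "/" instead of ",".

    "/" becomes the separator on the strongSwan side, so an RDN value that
    itself contains "/" would be ambiguous after conversion. Refuse such a
    DN rather than emit a string that could match a different group.
    """
    rdns = split_rdns(dn)
    for rdn in rdns:
        if "/" in rdn:
            raise ValueError("RDN %r contains '/', cannot be converted safely" % rdn)
    return "/".join(rdns)


def decode_class(hex_octets: str) -> str:
    """Decode a Class value as printed by radiusd -X (e.g. 0x4f3d...)."""
    h = hex_octets[2:] if hex_octets.lower().startswith("0x") else hex_octets
    return binascii.unhexlify(h).decode("utf-8")


# Constructed input: the two memberOf values from the debug log in the post.
MEMBER_OF = [
    "CN=pod2-admin,OU=Groups,OU=directory,DC=directory,DC=local",
    "CN=pod1-admin,OU=Groups,OU=directory,DC=directory,DC=local",
]


def class_values(member_of: List[str]) -> List[str]:
    """What the post-auth foreach loop would add to Class, one per group."""
    return [dn_to_strongswan(dn) for dn in member_of]


if __name__ == "__main__":
    # Usage: dn2strongswan.py 'CN=...,OU=...'  (prints one converted DN per
    # argument); with no arguments it converts the constructed sample above.
    for dn in sys.argv[1:] or MEMBER_OF:
        print(dn_to_strongswan(dn))
```

Running it with no arguments prints the two converted DNs; `decode_class("0x4f3d7374726f6e677377616e2f4f553d7265736561726368")` on the first Class value in the debug output above returns `O=strongswan/OU=research`, which is a quick way to confirm what the NAS actually receives rather than what the config appears to send.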