FreeRadius LDAP group verification not working for me

Condor condor_bulto at yahoo.com
Fri Dec 13 14:57:44 CET 2019


Hi all, I'm really brand new to FreeRADIUS. I'm using FreeRADIUS 3.0.4 with LDAP; LDAP authentication works fine for me with "o=organitation" but not with group = cn, maybe the LDAP configuration is not the standard one.
I'm following this thread: lists.freeradius.org/pipermail/freeradius-users/2016-December/085971.html
For me:
In /mods-available/ldap (user {} and group {} are nested inside the ldap {} module block):

ldap {
        server = "x.x.x.x"
        base_dn = "o=organization,cn=telecom"

        user {
                base_dn = "o=organization,cn=telecom"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "o=organization,cn=telecom"
                filter = '(cn=telecom)'
                name_attribute = cn
                membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
                membership_attribute = 'memberUid'
        }
}
on radius -X :
Received Access-Request Id 125 from y.y.y.y:42420 to x.x.x.x:1812 length 78
        User-Name = 'usertest'
        User-Password = '*****'
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87
(2) Received Access-Request packet from host y.y.y.y port 42420, id=125, length=78
(2)   User-Name = 'usertest'
(2)   User-Password = '*****'
(2)   NAS-IP-Address = 127.0.1.1
(2)   NAS-Port = 0
(2)   Message-Authenticator = 0x075a82e674d1e57b22856618bd3adc87
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)   eap : No EAP-Message, not doing EAP
(2)   [eap] = noop
rlm_ldap (ldap): Reserved connection (4)
(2)   ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(2)   ldap :    --> (uid=usertest)
(2)   ldap : EXPAND o=organitation,cn=telecom
(2)   ldap :    --> o=organitation,cn=telecom
(2)   ldap : Performing search in 'o=organitation,cn=telecom' with filter '(uid=usertest)', scope 'sub'
(2)   ldap : Waiting for search result...
(2)   ERROR: ldap : Failed performing search: The specified DN wasn't found, check base_dn and identity
rlm_ldap (ldap): Released connection (4)
(2)   [ldap] = fail
(2)   } #  authorize = fail
(2) Invalid user (ldap: Failed performing search: The specified DN wasn't found, check base_dn and identity): [usertest/******] (from client Renaju port 0)
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2)   attr_filter.access_reject : EXPAND %{User-Name}
(2)   attr_filter.access_reject :    --> usertest
(2)   attr_filter.access_reject : Matched entry DEFAULT at line 11
(2)   [attr_filter.access_reject] = updated
(2)   } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1 seconds
-------
# In the "default" server:
authorize {
        ...
        eap {
                ok = return
                updated = return
        }
        ldap
        group_authorization
        ...
}

# In the "inner-tunnel" server:
authorize {
        ...
        eap {
                ok = return
        }
        ldap
        group_authorization
        ...
}
I created "policy.d/group_authorization"; the file did not exist.
# In policy.d/group_authorization:
group_authorization {
        if (&Huntgroup-Name == "telecom") {
                if (&LDAP-Group[*] == "o=organization,cn=telecom") {
                        ok
                }
                else {
                        update reply {
                                &Reply-Message := "Not authorized for telecom"
                        }
                        reject
                }
        }
        # Same condition as the if above, so this branch can never be reached.
        elsif (&Huntgroup-Name == "telecom") {
                reject
        }
}
Thanks!
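Two things stand out in the post above: the debug output searches 'o=organitation,cn=telecom' while the pasted config says 'o=organization,cn=telecom', so the running module reads a different base_dn than the one shown, and the failure ("The specified DN wasn't found") happens in the user {} search, before any group logic runs. The policy also compares &LDAP-Group against the base DN rather than a group DN or a cn value. The script below is an added example, not code from the thread or from FreeRADIUS: it replays the user {} and group {} lookups from the posted config against a small in-memory directory (constructed for illustration) with a minimal LDAP filter evaluator (equality, & and | only), so the effect of base_dn, filter, membership_filter and name_attribute can be seen without a live server. The DN-versus-name branch in ldap_group_check is my model of how the module's LDAP-Group comparison is documented to behave (a value that looks like a DN is matched by DN, anything else by name_attribute); the directory entries and helper names are assumptions.

```python
"""Replay rlm_ldap's user and group lookups offline (added example, not
FreeRADIUS code). Directory contents are constructed for illustration."""
import re

# Constructed directory: DN -> attributes. Users and groups sit under
# o=organization,cn=telecom; the misspelled o=organitation,cn=telecom that the
# debug output shows being searched does not exist here either.
DIRECTORY = {
    "cn=telecom": {"cn": ["telecom"]},
    "o=organization,cn=telecom": {"o": ["organization"]},
    "uid=usertest,o=organization,cn=telecom": {"uid": ["usertest"]},
    "cn=telecom,o=organization,cn=telecom": {"cn": ["telecom"], "memberUid": ["usertest"]},
    "cn=noc,o=organization,cn=telecom": {"cn": ["noc"],
                                         "member": ["uid=usertest,o=organization,cn=telecom"]},
}

# Settings copied from the posted user {} and group {} blocks.
GROUP_BASE_DN = "o=organization,cn=telecom"
USER_FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_FILTER = "(cn=telecom)"
MEMBERSHIP_FILTER = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
NAME_ATTRIBUTE = "cn"


def norm(value):
    """Case-fold and strip whitespace around commas so DNs compare sanely."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def parse_filter(text):
    """Parse (attr=value), (&...) and (|...) into nested tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d in %r" % (pos, text))
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError("unterminated %s group in %r" % (op, text))
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, val = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, val)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters in filter %r" % text)
    return tree


def matches(entry, node):
    if node[0] == "=":
        _, attr, val = node
        vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(norm(v) == norm(val) for v in vals)
    op, kids = node
    return all(matches(entry, k) for k in kids) if op == "&" else any(matches(entry, k) for k in kids)


def base_dn_exists(base_dn):
    return norm(base_dn) in {norm(d) for d in DIRECTORY}


def search(base_dn, filt, scope="sub"):
    """Emulate an LDAP search. A missing base DN fails the way the debug
    output shows (noSuchObject), before the filter is ever evaluated."""
    if not base_dn_exists(base_dn):
        raise LookupError("The specified DN wasn't found, check base_dn and identity")
    base, tree, hits = norm(base_dn), parse_filter(filt), []
    for dn, entry in DIRECTORY.items():
        n = norm(dn)
        in_scope = n == base if scope == "base" else (n == base or n.endswith("," + base))
        if in_scope and matches(entry, tree):
            hits.append(dn)
    return hits


def expand(template, username, user_dn=""):
    """Stand-in for the two xlats the posted config uses."""
    return (template.replace("%{%{Stripped-User-Name}:-%{User-Name}}", username)
                    .replace("%{control:Ldap-UserDn}", user_dn))


def user_dn_for(username, base_dn=GROUP_BASE_DN):
    """user {} lookup: rlm_ldap needs exactly one matching entry."""
    hits = search(base_dn, expand(USER_FILTER, username))
    return hits[0] if len(hits) == 1 else None


def ldap_group_check(check_value, username):
    """Model of '&LDAP-Group == check_value': group filter AND membership
    filter, at check_value itself (base scope) when it looks like a DN,
    otherwise under base_dn restricted to name_attribute == check_value."""
    user_dn = user_dn_for(username)
    if user_dn is None:
        return False
    membership = expand(MEMBERSHIP_FILTER, username, user_dn)
    if "=" in check_value:
        base, scope, filt = check_value, "base", "(&%s%s)" % (GROUP_FILTER, membership)
    else:
        base, scope = GROUP_BASE_DN, "sub"
        filt = "(&(%s=%s)%s%s)" % (NAME_ATTRIBUTE, check_value, GROUP_FILTER, membership)
    try:
        return bool(search(base, filt, scope))
    except LookupError:          # nonexistent DN as check value: no match, not an error
        return False


if __name__ == "__main__":
    print(ldap_group_check("telecom", "usertest"))                                # True
    print(ldap_group_check("cn=telecom,o=organization,cn=telecom", "usertest"))   # True
    print(ldap_group_check("o=organization,cn=telecom", "usertest"))              # False
    print(ldap_group_check("noc", "usertest"))   # False: filter = '(cn=telecom)' excludes it
```

Run as-is, the script shows that the comparison in the posted policy ("o=organization,cn=telecom") never matches because that entry is the base, not a group, while "telecom" (the cn, i.e. name_attribute) or the group's full DN does; it also shows that group filter = '(cn=telecom)' is ANDed with membership_filter, so membership in any other group is invisible to &LDAP-Group. The same exercise against a real server is an ldapsearch with "-b <base_dn> -s base" to confirm the base DN exists, followed by the expanded user and membership filters.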
