LDAP group checking stopping before the whole group list is checked
Ian Pilcher
arequipeno at gmail.com
Mon Jun 10 16:55:24 CEST 2019
On 6/10/19 7:20 AM, Adam Bishop wrote:
> I'm having an issue with ldap group checking where FreeRADIUS appears
> to bail out early if it encounters a group DN it can't resolve.
I ran into this exact issue.
> Can I get it to continue reading the list of groups if it fails to
> resolve one, or is this intended (or something I've screwed up in the
> config)?
Check the comments for group/membership_attribute in
mods-available/ldap:
    # Unless a conversion between group name and group DN is
    # needed, there's no requirement for the group objects
    # referenced to actually exist.
I was able to prevent radiusd from trying to resolve the group by using
the group's complete DN in sites-available/default, rather than just the
group name.
So instead of:
    if (LDAP-Group == "lab_admins") {
        update reply {
            Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
I have:
    if (LDAP-Group == "cn=lab_admins,cn=groups,cn=accounts,dc=...") {
        update reply {
            Cisco-AVPair := "shell:priv-lvl=15"
        }
    }
> (3) Debug: if (&LDAP-Group[*] == "%{client:ldap_group}") {
> (3) Debug: EXPAND %{client:ldap_group}
> (3) Debug: --> switching-admins
If you can get %{client:ldap_group} to expand to the group's full DN
(or even manually "munge" it) radiusd shouldn't try to resolve the
group.
HTH
--
========================================================================
Ian Pilcher arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
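The difference between the two comparisons above, modelled as an added Python illustration (not FreeRADIUS or rlm_ldap code, and not from the thread's authors): a full-DN comparison only needs the user's memberOf values, whereas a bare group name forces a lookup of every referenced group object, and one stale reference stops the check. The directory contents, the early-abort behaviour and the DN detection heuristic are assumptions built from the symptom reported in the thread.

```python
"""Constructed model of LDAP-Group matching against a user's memberOf list.
Added illustration only; the directory below and the abort-on-first-failure
behaviour are assumptions, not the real rlm_ldap implementation."""

# Constructed directory: only the group objects that still exist.
DIRECTORY = {
    "cn=lab_admins,cn=groups,cn=accounts,dc=example,dc=test": {"cn": "lab_admins"},
}
LAB_ADMINS_DN = "cn=lab_admins,cn=groups,cn=accounts,dc=example,dc=test"
# Constructed user: memberOf still references a group that was deleted,
# and that stale entry comes before the one we care about.
USER_MEMBER_OF = [
    "cn=stale_group,cn=groups,cn=accounts,dc=example,dc=test",
    "CN=lab_admins, CN=groups, CN=accounts, DC=example, DC=test",
]

class GroupNotFound(Exception):
    """A memberOf value references a group object that does not exist."""

def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs so DNs compare as strings.
    Naive on purpose: escaped commas and attribute aliases are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def group_name_of(directory: dict, group_dn: str) -> str:
    """Resolve a group DN to its cn by reading the group object itself."""
    entry = directory.get(normalize_dn(group_dn))
    if entry is None:
        raise GroupNotFound(group_dn)
    return entry["cn"]

def ldap_group_matches(directory: dict, member_of: list, wanted: str) -> bool:
    """Mimic `LDAP-Group == wanted`. A DN (contains '=') compares directly;
    a bare name resolves each memberOf DN in order and aborts on the first
    DN that cannot be resolved, even if a later one would have matched."""
    if "=" in wanted:
        wanted_dn = normalize_dn(wanted)
        return any(normalize_dn(dn) == wanted_dn for dn in member_of)
    for dn in member_of:
        if group_name_of(directory, dn) == wanted:
            return True
    return False

def run_demo() -> tuple:
    """Return (full-DN result, bare-name outcome) for the constructed user."""
    dn_result = ldap_group_matches(DIRECTORY, USER_MEMBER_OF, LAB_ADMINS_DN)
    try:
        name_result = ldap_group_matches(DIRECTORY, USER_MEMBER_OF, "lab_admins")
    except GroupNotFound as exc:
        name_result = f"aborted on unresolvable group: {exc}"
    return dn_result, name_result
```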