Having issues interpreting ldap search/filter attributes
Alan DeKok
aland at deployingradius.com
Mon Aug 10 14:20:08 CEST 2020
On Aug 10, 2020, at 4:07 AM, Steve Phillips <steve at focb.co.nz> wrote:
> Freeradius version: 3.0.13 (installed via rpm on rhel 7)
Updated RPMs are available at http://packages.networkradius.com
> I have a reasonably simple (to my mind) setup that for some reason doesn’t seem to exist on the internet after much fruitless searching.
>
> In essence, I am performing PAP auth to free radius which then binds as the user to AD via LDAP and performs an authentication
That's pretty common.
> It then is supposed to return the groups the user is a member of and then I use the “files” directive to match a group and return a reply attribute
LDAP doesn't return the groups. You use "LDAP-Group = ..." to *match* a group. There's a difference.
> I’m now busy pulling my hair out trying to work out how to debug what’s going on in the background, as I am having amazingly bad luck trying to work out how the group filter works (and yes, I did read the ldap module comments and couldn’t work anything out from this, or the rlm_ldap wiki)
The module now has some updated comments. It describes how to convert the ldap module configuration into ldapsearch parameters:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/ldap
> Running radiusd -X gives some information that it is attempting to check groups but claims the user is not a group member
Likely because the user is a member of a nested group. There's special LDAP magic to get AD to search nested groups. See the above link.
> With some of these just hoping to get _anything_ to return (#groupmembership_filter = "(sAMAccountName=%{User-Name})")
It doesn't "return" the list of groups.
> About the only thing I’ve had success in plugging into ldapsearch was the “(sAMAccountName=<my username>)” hence the attempt at doing that because it DID actually return “memberOf” attributes.
>
> I guess what I’m trying to do, is work out what I am supposed to plug into ldap search as every time I try it returns nothing.
See the above link.
> Is there a way to tell freeradius to print out what it thinks the various variables are? Like, %{Ldap-UserDN} I can see from the “sites-enabled” file as I can see it being set with..
Yes, just expand them, and the debug output will print their values:
update control {
Tmp-String-0 := "%{control:LDAP-UserDN}"
}
> Is there an easy to follow guide for ldapsearch that describes that the (|(&(<attribute>=<value>)(<attribute>=<value>))) bits even mean? (primarily the (|(&( bit, as I can do a single <attribute>=<value> Search and get that to work)
See the ldapsearch documentation for documentation on how ldapsearch works.
Alan DeKok.
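Added example, not code from the thread or from FreeRADIUS: a small Python evaluator for the RFC 4515 filter syntax asked about above ((|(&(a=b)(c=d))) and friends), run against a constructed entry so a candidate filter can be tried offline before putting it into the ldap module. The attribute values and group DNs are made up.

```python
# Assumed, constructed example: only equality and presence (attr=*) filters
# are handled, and values are compared case-insensitively like AD does.

def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":                       # composite: AND / OR / NOT
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:                                 # simple (attribute=value)
            end = text.index(")", pos)        # values may not contain ')'
            attr, value = text[pos:end].split("=", 1)
            result = ("=", attr.strip().lower(), value.strip())
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    return node()


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (attr -> list of values)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    have = [v.lower() for v in entry.get(attr, [])]
    return bool(have) if value == "*" else value.lower() in have


# Constructed entry, roughly what ldapsearch returns for an AD user object.
USER = {"samaccountname": ["steve"], "objectclass": ["user", "person"],
        "memberof": ["CN=VPN-Users,OU=Groups,DC=example,DC=com",
                     "CN=Staff,OU=Groups,DC=example,DC=com"]}
```

Note that a memberOf match like this only sees direct membership; nested groups are not reflected in memberOf, which is why the module comments describe a separate AD-specific search for them.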