LDAP group - samaccountname

Olivier Mahieu o_mahieu at hotmail.com
Tue Feb 4 21:27:05 CET 2020


It's the Active Directory Administrator account. No backslashes.
Doing radtest with mschap returns the correct VLAN.



Sent from my Samsung Galaxy smartphone.



-------- Original message --------
From: Alan DeKok <aland at deployingradius.com>
Date: 4/02/20 21:21 (GMT+01:00)
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP group - samaccountname



> On Feb 4, 2020, at 2:42 PM, Olivier Mahieu <o_mahieu at hotmail.com> wrote:
>
> Hello,
>
> Using the LDAP module in post-auth section (PEAP-MSCHAPv2); the correct user group is not found for VLAN assignment.
> I think it has to do with the samaccountname. 5c5cAdministrator instead of Administrator.

(9) Received Access-Request Id 111 from 192.168.56.3:1645 to 192.168.56.20:1812 length 261
(9)   User-Name = "AD-OM\\Administrator"

  That's generally not a good idea, i.e. account names with backslashes, etc.

(9)     EXPAND (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
(9)        --> (samaccountname=AD-OM\5c5cAdministrator)
(9)     Performing search in "dc=MAH,dc=TEST" with filter "(samaccountname=AD-OM\5c5cAdministrator)", scope "sub"

  FreeRADIUS escapes the backslashes for security reasons.  Otherwise the users could add magic characters, change the ldap query, and do bad things.

  What is the account name in LDAP?  Does it have the backslashes in it?

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
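The escaping Alan describes is the RFC 4515 rule for LDAP search filter assertion values: a backslash, `*`, `(`, `)` and NUL are each replaced by a backslash plus two hex digits, which is why a backslash in the User-Name shows up as `\5c` in the expanded filter. The block below is an added illustration written for this archive page, not FreeRADIUS's own code or its rlm_ldap escaping routine. It builds the `(samaccountname=...)` filter from the thread both without and with escaping, strips a `DOMAIN\` prefix the way a configured ntdomain realm would populate Stripped-User-Name (assumed behaviour, labelled in the code), and includes a small check that the resulting filter is still a single equality assertion. The sample usernames are constructed.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion
# value, each replaced by a backslash followed by two hex digits.
_SPECIAL = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value (RFC 4515).

    Non-ASCII characters are escaped byte-wise as UTF-8, e.g. 'é' -> '\\c3\\a9'.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(username: str) -> str:
    """The filter from the thread, with the value escaped (the safe form)."""
    return "(samaccountname=%s)" % escape_filter_value(username)


def build_filter_unescaped(username: str) -> str:
    """Same filter with the raw value spliced in: what escaping prevents."""
    return "(samaccountname=%s)" % username


def strip_ntdomain(username: str) -> str:
    """Drop a leading 'DOMAIN\\' prefix from a NetBIOS-style login.

    Assumption for this demo: this mirrors what an ntdomain realm does when it
    sets Stripped-User-Name, so the LDAP search sees only the account name.
    """
    _domain, sep, user = username.partition("\\")
    return user if sep else username


def is_single_assertion(filter_str: str) -> bool:
    """Sanity check: exactly one '(attr=value)' assertion, no extra parens."""
    return re.fullmatch(r"\([A-Za-z][A-Za-z0-9-]*=[^()]*\)", filter_str) is not None


if __name__ == "__main__":
    # Constructed sample inputs: the thread's login, and a value carrying
    # filter metacharacters to show the escaper neutralising them.
    for name in ["AD-OM\\Administrator", "x)(cn=*"]:
        print("raw:      ", build_filter_unescaped(name),
              "single assertion:", is_single_assertion(build_filter_unescaped(name)))
        print("escaped:  ", build_filter(name),
              "single assertion:", is_single_assertion(build_filter(name)))
        print("stripped: ", build_filter(strip_ntdomain(name)))
```

Running it shows the thread's login becoming `(samaccountname=AD-OM\5cAdministrator)` once escaped, which cannot match an account whose sAMAccountName is plain `Administrator`; only after the domain prefix is stripped does the filter reduce to `(samaccountname=Administrator)`.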

