LDAP groups and how to filter
uj2.hahn at posteo.de
Wed Feb 12 22:58:38 CET 2020
And you should enable cacheable_name or cacheable_dn (=yes) if not done
already!
Regards
Uwe
On 12.02.2020 22:54, Alan DeKok wrote:
> On Feb 12, 2020, at 3:21 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
>> So your first query works, but returns A LOT:
>>
>> ldapsearch -D 'uid=admin,cn=users,cn=accounts,dc=server,dc=domain,dc=net' -w '<password>' -h localhost -s sub '(objectclass=posixAccount)' -b 'uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net'
> Which is asking for *all* of the user information. Not just groups.
>
>> ...
>> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
>> …
> Those are the groups.
>
>> Much output later.
>>
>> So that works – I’m struggling with how that translates to the group filter.
> In recent versions of the server, see mods-available/ldap. It shows a sample of the query to use when asking for groups:
>
> # Group membership can be queried by using the above "ldapsearch" string,
> # and adding "memberof" qualifiers. For ActiveDirectory, use:
> #
> # ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
>
> That's for AD "samaccountname". But you can modify that for your LDAP server.
>
>
>> My mods-enabled/ldap has an identity and password configured in the ldap section.
>>
>> My base_dn is ‘cn=accounts,dc=server,dc=domain,dc=net’
> That's all good.
>
>> In the group section I change the filter to '(objectClass=posixAccount)' and uncommented scope = ‘sub’
>>
>> Currently the membership filter is the default of :
>>
>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>
>> How is that modified to handle that above query so I get the groups?
> It should pretty much just work. Follow the documentation in the most recent versions of the server.
>
> If you're running something from 5 years ago, well, the documentation has been updated.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
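Worked example (added here, not part of the thread and not FreeRADIUS code): the AD query from mods-available/ldap adapted to a FreeIPA-style tree, plus a small parser that pulls group names out of ldapsearch's LDIF output. The base DN, the sample LDIF and the helper names (ldap_escape, member_filter, group_names) are constructed for illustration; the LDIF deliberately contains a folded line, since ldapsearch wraps long values onto a continuation line that starts with a single space.

```shell
#!/bin/sh
# Added example, not from the thread. BASE_DN and SAMPLE_LDIF are constructed.
BASE_DN='cn=accounts,dc=server,dc=domain,dc=net'

# Escape the RFC 4515 filter metacharacters so a user-supplied value cannot
# change the structure of the filter (LDAP filter injection). Backslash first.
ldap_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter that matches only if USER is a member of GROUP. It is the AD example
# from mods-available/ldap with objectClass=posixAccount and uid in place of
# objectClass=user and sAMAccountName, and FreeIPA's memberOf attribute.
member_filter() {
    user=$(ldap_escape "$1")
    group=$(ldap_escape "$2")
    printf '(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=%s,cn=groups,%s))' \
        "$user" "$group" "$BASE_DN"
}

# Constructed ldapsearch output. The third memberOf is folded across two
# lines the way ldapsearch prints long values.
SAMPLE_LDIF='dn: uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net
objectClass: posixAccount
uid: doakes
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc
 =net
memberOf: cn=editors,cn=roles,cn=accounts,dc=server,dc=domain,dc=net
'

# Read LDIF on stdin and print the cn of every memberOf value that sits
# directly under cn=groups,$BASE_DN, one per line. Step 1 unfolds continuation
# lines; step 2 keeps only group DNs (a role under cn=roles is not a group).
group_names() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | awk -v base="cn=groups,$BASE_DN" '
        tolower($1) == "memberof:" {
            dn = $2
            n = index(dn, ",")
            if (substr(dn, n + 1) == base && substr(dn, 1, 3) == "cn=")
                print substr(dn, 4, n - 4)
        }
    '
}

# Stand-alone run: show the filter, then the groups found in the sample entry.
member_filter doakes employees
echo
printf '%s' "$SAMPLE_LDIF" | group_names
```

Paste the printed filter into the ldapsearch from the thread (with -b set to base_dn and the user's uid substituted) to test membership for one group from the command line. In rlm_ldap itself the same lookup needs no membership_filter when the user entry carries memberOf: set membership_attribute = "memberOf" in the group section, and, as Uwe says, cacheable_name or cacheable_dn = yes, so memberships are resolved once during authorization and later Ldap-Group comparisons use the cached values instead of a fresh query.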