Group checking in LDAP module
uj2.hahn at posteo.de
uj2.hahn at posteo.de
Wed Jan 8 14:59:48 CET 2020
Hi, Alan!
Thanks a lot for your response.
I did found out the "+=" operator behavior already before. This is
pretty different from other
languages I know. Anyway I fixed it with same solution you wrote me.
For the second question (no output from group filter) I found the
reason. My base DN setting
was incorrect.
Now everything is working fine and I can proceed to next step. I'm
afraid then I will come up
with new basic questions......
Regards
Uwe
On 06.01.2020 18:02, Alan DeKok wrote:
> On Jan 5, 2020, at 12:21 PM, uj2.hahn at posteo.de wrote:
>> Hi, I have some (probably) basic questions how to deal with Group checks in LDAP module.
>>
>> I setup LDAP with OpenLDAP and authorization works fine. Now I want to extend functionality by some group related post-auth checks.
>> Each user is a member of a group. Some users are members of more than one group.
>>
>> freeradius -X shows me the following lines:
>>
>> (0) ldap: Group DN "cn=lehrer,ou=groups,dc=kms,dc=de" resolves to name "lehrer"
>> (0) ldap: Resolving group DN "cn=gast,ou=groups,dc=kms,dc=de" to group name
>> (0) ldap: Performing unfiltered search in "cn=gast,ou=groups,dc=kms,dc=de", scope "base"
>> (0) ldap: Waiting for search result...
>> (0) ldap: Group DN "cn=gast,ou=groups,dc=kms,dc=de" resolves to name "gast"
>> (0) ldap: Adding cacheable user object memberships
>> (0) ldap: &control:LDAP-Group += "lehrer"
>> (0) ldap: &control:LDAP-Group += "gast"
> Note: two "LDAP-Group" attributes.
>
>> This is all fine because the user belongs to two groups.
>> My assumption is, that control:LDAP-Group now contains both group names, e.g. "lehrer gast".
>> For debugging purposes I output the value as reply message in the post-auth section.
>> But logfile says:
>>
>> (0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
>> (0) post-auth {
>> (0) update reply {
>> (0) EXPAND %{control:LDAP-Group}
>> (0) --> lehrer
> Which is the first one. Because %{control:LDAP-Group} only gets the first one. See "man unlang".
>
>> (0) Reply-Message := lehrer
>>
>> Here the output is just the first group name, the other one is missing.
>> Why is that?
> If you want both, you should use %{control:LDAP-Group[*]}. Again, see "man unlang".
>
>> ------------------------------------------------------------------------------------------------------------------------------------
>> And there is a second question:
>>
>> LDAP module has a check filter in the group section :
>>
>> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>>
>> During run time this filter does not generate any output:
>>
>> (0) ldap: EXPAND (&(objectClass=groupOfNames)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>> (0) ldap: --> (&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))
>> (0) ldap: Performing search in "ou=people,dc=kms,dc=de" with filter "(&(objectClass=groupOfNames)(|(member=uid3duhahn2cou3dpeople2cdc3dkms2cdc3dde)(memberUid=uhahn)))", scope "sub"
>> (0) ldap: Waiting for search result...
>> (0) ldap: Search returned no results
> That seems clear. The filter doesn't return any results.
>
>> (0) ldap: No cacheable group memberships found in group objects
>>
>> This is strange. When I run ldapsearch with same filter I do get results:
>>
>> ldapsearch -x -LLL -H ldap:/// -b dc=kms,dc=de -s sub "(&(objectClass=groupofnames)(|(member=uid=uhahn,ou=people,dc=kms,dc=de)(memberUid=jhahn)))"
> Does the RADIUS server have permission to read those attributes. See mods-available/ldap in recent releases. It has complete instructions for running ldapsearch.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list