Google LDAP servers sometimes not returning group info

extern.clayton.knorr at 24g.com
Wed Jul 8 18:58:20 CEST 2020


I have a freeradius server set up to use ldap.google.com as an ldap server,
and I'm using an if statement in post-auth to verify group membership.


It seems that with certain accounts, and only most of the time, freeradius
reports "no group membership attribute(s) found in user object". Other users
never seem to have the issue. Has anybody seen this kind of flaky behavior
with Google's LDAP servers? I can't duplicate the issue using ldapsearch.
With that I get the memberOf attributes every time, even with the problem
accounts.


Also, I'm checking for membership of one of two groups, and I noticed in
interactive mode that it is actually binding and looking up the user account
twice, once for each group membership check. Sometimes, with the flaky
accounts, it actually fails to see the memberOf attribute once and succeeds
the other time. Is there a way to make this more efficient and just do one
bind? My if statement is formatted thus:

        # post-auth: accept if the user is in either group, otherwise reject.
        # Each LDAP-Group comparison is a separate group lookup by the ldap module.
        if ((&LDAP-Group == "group1") || (&LDAP-Group == "group2")) {
                noop
        }
        else {
                reject
        }

Any insight would be appreciated.
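
One way to reduce this to a single lookup, added here as an example that is not part of the original post and not the poster's configuration: turn on group-membership caching in the ldap module (FreeRADIUS 3.0.x, mods-available/ldap) so that memberOf is read once while ldap runs in authorize, and every later LDAP-Group comparison is answered from the cached control attributes instead of binding and searching again. The server, base_dn, user filter and group DNs below are placeholders, and the TLS/client-certificate settings needed for Google's server are left out because whatever already connects can stay as is.

```text
# mods-available/ldap (added example; server, base_dn and filters are placeholders)
ldap {
        server = 'ldap.google.com'
        port = 636
        base_dn = 'dc=example,dc=com'
        # tls { ... }   keep the existing Google client-certificate settings here

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        group {
                base_dn = "${..base_dn}"
                filter = '(objectClass=posixGroup)'
                name_attribute = cn

                # Read memberOf from the user object once, while ldap runs in
                # authorize, and keep the group DNs as control attributes. A
                # later LDAP-Group comparison checks this cache first and only
                # falls back to a live search if the cache attribute is absent.
                membership_attribute = 'memberOf'
                cacheable_dn = yes
                cache_attribute = 'LDAP-Cached-Membership'
        }
}

# sites-enabled/default: ldap must be listed in authorize, or the cache is never filled.
authorize {
        # ... preprocess, suffix, etc. ...
        ldap
        # ... pap / mschap ...
}

# Each cached value is compared verbatim with the check value, so the DNs here
# must appear exactly as the server returns them in memberOf (placeholders below).
post-auth {
        if ((&LDAP-Group == "cn=group1,ou=Groups,dc=example,dc=com") || (&LDAP-Group == "cn=group2,ou=Groups,dc=example,dc=com")) {
                noop
        }
        else {
                reject
        }
}
```

This removes the second bind, but it does not change what Google's server returns: if the single memberOf read in authorize comes back empty for one of the problem accounts, that request is rejected. Running `radiusd -X` shows the attributes the ldap module fetched in authorize, which is the output to compare against ldapsearch for those accounts.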