Google LDAP servers sometimes not returning group info

Jorge Pereira jpereira at freeradius.org
Wed Jul 8 20:26:29 CEST 2020


Hi Clayton,

Please share the debug output: https://wiki.freeradius.org/guide/radiusd-X

---
Jorge Pereira
jpereira at freeradius.org




> On 8 Jul 2020, at 13:58, extern.clayton.knorr--- via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I have a freeradius server set up to use ldap.google.com as an LDAP server,
> and I'm using an if statement in post-auth to verify group membership.
> 
> It seems with certain accounts, and only most of the time, freeradius
> reports "no group membership attribute(s) found in user object". Other users
> never seem to have the issue. Has anybody seen this kind of flaky behavior
> with Google's LDAP servers? I can't duplicate the issue using ldapsearch.
> With that I get the memberof attributes every time even with the problem
> accounts.
> 
> 
> 
> Also, I'm checking for membership of one of two groups and I noticed in
> interactive mode that it is actually binding and looking up the user account
> twice, once for each group membership check. Sometimes with the flaky
> accounts it actually fails to see the memberof attribute once and succeeds
> the other time. Is there a way to make this more efficient and just do one
> bind? My if statement is formatted thus:
> 
> 
> 
>        if (LDAP-Group == "group1") || (LDAP-Group == "group2") {
>                noop
>        }
>        else {
>                reject
>        }
> 
> 
> 
> Any insight would be appreciated.


