Google LDAP servers sometimes not returning group info
Jorge Pereira
jpereira at freeradius.org
Wed Jul 8 20:26:29 CEST 2020
Hi Clayton,
Please share the debug output https://wiki.freeradius.org/guide/radiusd-X <https://wiki.freeradius.org/guide/radiusd-X>
---
Jorge Pereira
jpereira at freeradius.org
> On 8 Jul 2020, at 13:58, extern.clayton.knorr--- via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I have a freeradius server set up to use ldap.google.com as an ldap server,
> and I'm using an if statement in post-auth to verify group membership.
>
>
>
> It seems with certain accounts, and only most of the time, freeradius
> reports "no group membership attribute(s) found in user object" Other users
> never seem to have the issue. Has anybody seen this kind of flaky behavior
> with google's ldap servers? I can't duplicate the issue using ldapsearch.
> With that I get the memberof attributes every time even with the problem
> accounts.
>
>
>
> Also, I'm checking for membership of one of two groups and I noticed in
> interactive mode that it is actually binding and looking up the user account
> twice, once for each group membership check. Sometimes with the flaky
> accounts it actually fails to see the memberof attribute once and succeeds
> the other time. Is there a way to make this more efficient and just do one
> bind? My if statement is formatted thus:
>
>
>
> if (LDAP-Group == "group1") || (LDAP-Group == "group2") {
>
> noop
>
> }
>
> else {
>
> reject
>
> }
>
>
>
> Any insight would be appreciated.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list