Problem with limiting users to group in Active Directory
Erik Frangež
erik at frangez.net
Sun Nov 28 18:32:12 CET 2021
Hi guys,
I am having problems configuring RADIUS authentication that limits
users to a group in Active Directory.
Here is the LDAP configuration:
ldap ldap1 {
    server = "Server"
    port = 389
    identity = DOMAIN\user
    password = "password"
    basedn = "ou=OU,dc=domain,dc=dc,dc=dc"
    filter = "(sAMAccountName=%{User-Name})"
    groupmembership_filter = "(member=%{control:Ldap-UserDn})"
    groupmembership_attribute = "memberOf"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    user {
        filter = "(sAMAccountName=%{User-Name})"
        scope = "sub"
        base_dn = "ou=OU,dc=domain,dc=dc,dc=dc"
        access_positive = yes
        rebind = yes
        chase_referrals = yes
    }
    group {
        base_dn = "ou=OU,dc=domain,dc=dc,dc=dc"
        filter = "(sAMAccountName=%{User-Name})"
        scope = 'sub'
        membership_filter = "(member=%{control:Ldap-UserDn})"
        membership_attribute = 'memberOf'
    }
    tls {
        start_tls = no
        ca_file = "/etc/openldap/certs/ldap_certs.pem"
        require_cert = "demand"
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    keepalive {
        idle = 60
        probes = 3
        interval = 3
    }
}
Policy:
check_ldap_group_vpn {
    if (&ldap1-LDAP-Group[*] == "CN=group,OU=Groups,OU=OU,OU=OU,DC=DOMAIN,DC=DC,DC=DC") {
        ok
    }
    else {
        reject
    }
}
In sites-enabled for radius, I have specified this:
authorize {
    suffix
    guard_vpn_file
    Autz-Type LDAPS-VPN {
        redundant {
            ldap1
            ldap2
        }
        check_ldap_group_vpn
        expiration
    }
}
Authentication is not working. Here are the logs:
rlm_ldap (ldap1): Reserved connection (0)
(392) ldap1: EXPAND (sAMAccountName=%{User-Name})
(392) ldap1: --> (sAMAccountName=user)
(392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub"
(392) ldap1: Waiting for search result...
(392) ldap1: User object found at DN "..."
rlm_ldap (ldap1): Released connection (0)
(392) [ldap1] = ok
(392) } # redundant = ok
(392) policy check_ldap_group_vpn {
(392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") {
(392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
rlm_ldap (ldap1): Reserved connection (0)
(392) Using user DN from request "CN=user"
rlm_ldap (ldap1): Released connection (0)
(392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
(392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE
(392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") {
(392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
rlm_ldap (ldap2): Reserved connection (0)
(392) Using user DN from request "CN=user"
rlm_ldap (ldap2): Released connection (0)
(392) User is not a member of "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
(392) elsif (&ldap2-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") -> FALSE
(392) else {
(392) [reject] = reject
(392) } # else = reject
(392) } # policy check_ldap_group_vpn = reject
(392) } # Autz-Type LDAPS-VPN = reject
The user is a member of the group. We have the same configuration for another
domain and it's working.
Thank you for any advice!
Best, Erik
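Added example, not part of the post and not FreeRADIUS code: a small in-memory
simulation of the two group lookups the configuration above enables. The
`memberOf` check reads the membership attribute on the user object
(`membership_attribute = 'memberOf'`); the filter check searches the group
object for a `member` value equal to the DN held in `control:Ldap-UserDn`
(`membership_filter = "(member=%{control:Ldap-UserDn})"`). The directory
entries, DNs and user name are constructed for the example. DNs are compared
case-insensitively, as AD does, so the lower-cased group DN printed in the log
is not by itself a mismatch. The last scenario shows what the filter check
returns when the DN supplied for the comparison (the log above prints
"CN=user" as the DN taken from the request) is not the DN stored in the
group's `member` attribute; whether that is what happened in the poster's
directory is not something the post establishes.

```python
"""Simulate rlm_ldap-style group membership checks against a mock directory.

Constructed example: the DIRECTORY below is a toy stand-in for an AD tree.
It is not the poster's directory and not FreeRADIUS code.
"""
from typing import Dict, List, Optional

# Constructed DNs (assumptions for the example).
GROUP_DN = "CN=group,OU=Groups,OU=OU,OU=OU,DC=DOMAIN,DC=DC,DC=DC"
USER_DN = "CN=user,OU=Users,OU=OU,DC=DOMAIN,DC=DC,DC=DC"

# Constructed directory: a user with a memberOf back-link and the group
# with its forward member link, the way AD keeps both sides in sync.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"sAMAccountName": ["user"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"member": [USER_DN]},
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, attribute types and
    values lower-cased. AD treats DNs case-insensitively, so
    CN=group,DC=DOMAIN and cn=group,dc=domain name the same object."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def lookup(dn: str) -> Dict[str, List[str]]:
    """Fetch an entry by DN, case-insensitively. Empty dict if absent."""
    want = normalize_dn(dn)
    for entry_dn, attrs in DIRECTORY.items():
        if normalize_dn(entry_dn) == want:
            return attrs
    return {}


def find_user_dn(username: str) -> Optional[str]:
    """Mirror the user filter (sAMAccountName=%{User-Name}) under the base DN."""
    for entry_dn, attrs in DIRECTORY.items():
        names = [v.lower() for v in attrs.get("sAMAccountName", [])]
        if username.lower() in names:
            return entry_dn
    return None


def member_via_attribute(user_dn: str, group_dn: str) -> bool:
    """membership_attribute = memberOf: is the group DN listed on the user?"""
    groups = {normalize_dn(g) for g in lookup(user_dn).get("memberOf", [])}
    return normalize_dn(group_dn) in groups


def member_via_filter(user_dn: str, group_dn: str) -> bool:
    """membership_filter = (member=<user DN>): does the group object carry
    a member value equal to the user DN we were given?"""
    members = {normalize_dn(m) for m in lookup(group_dn).get("member", [])}
    return normalize_dn(user_dn) in members


def evaluate(username: str, group_dn: str,
             user_dn_override: Optional[str] = None) -> Dict[str, object]:
    """Run both checks the way the policy would and return the verdict.

    user_dn_override stands in for control:Ldap-UserDn holding a value other
    than the DN the user search returned (hypothetical, for illustration)."""
    found = find_user_dn(username)
    if found is None:
        return {"user_dn": None, "via_attribute": False,
                "via_filter": False, "result": "reject"}
    dn_for_check = user_dn_override or found
    via_attr = member_via_attribute(dn_for_check, group_dn)
    via_filt = member_via_filter(dn_for_check, group_dn)
    return {"user_dn": dn_for_check, "via_attribute": via_attr,
            "via_filter": via_filt,
            "result": "ok" if (via_attr or via_filt) else "reject"}


if __name__ == "__main__":
    # Full DN from the user search: both checks succeed.
    print(evaluate("user", GROUP_DN))
    # Same group written in lower case, as in the debug log: still ok.
    print(evaluate("user", GROUP_DN.lower()))
    # A bare RDN in place of the full DN: neither check can match.
    print(evaluate("user", GROUP_DN, user_dn_override="CN=user"))
```

Run it with `python3 group_check.py`; the first two scenarios report `ok`
and the third `reject`. The point of the third is that the filter variant
compares the DN it is handed, verbatim, against the group's `member` values,
so an unexpected value in `control:Ldap-UserDn` is worth inspecting in the
debug output before suspecting the group itself.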
More information about the Freeradius-Users
mailing list