Problem with limiting users to group in Active Directory
Erik Frangež
erik at frangez.net
Tue Nov 30 22:06:40 CET 2021
Hi guys,
I am still having problems checking whether the user is a member of the group... here
is a cut from the logs where the comparison is:
(31) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name})
(31) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1)
(31) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si"
with filter "(sAMAccountName=erik.frangez1)", scope "sub"
(31) ldap1-vpn-student: Waiting for search result...
(31) ldap1-vpn-student: User object found at DN "CN=Erik
Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
rlm_ldap (ldap1-vpn-student): Released connection (0)
(31) [ldap1-vpn-student] = ok
(31) } # redundant = ok
(31) policy check_ldap_group_vpn {
(31) if (&ldap1-student-um-LDAP-Group[*] ==
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") {
(31) Searching for user in group
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
rlm_ldap (ldap1-student-um): Reserved connection (0)
(31) Using user DN from request "CN=Erik
Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
rlm_ldap (ldap1-student-um): Released connection (0)
(31) User is not a member of
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
(31) if (&ldap1-student-um-LDAP-Group[*] ==
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE
(31) elsif (&ldap2-student-um-LDAP-Group[*] ==
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") {
(31) Searching for user in group
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
rlm_ldap (ldap2-student-um): Reserved connection (0)
(31) Using user DN from request "CN=Erik
Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
rlm_ldap (ldap2-student-um): Released connection (0)
(31) User is not a member of
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
(31) elsif (&ldap2-student-um-LDAP-Group[*] ==
"cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si") -> FALSE
(31) else {
(31) [reject] = reject
(31) } # else = reject
(31) } # policy check_ldap_group_vpn = reject
(31) } # Autz-Type LDAPS-VPN-STUDENT = reject
If I run ldapsearch, we can see that the user is a member of the group, here:
# IDM_VPN, Groups, QUEST, UM, loki.um.si
dn: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si
objectClass: top
objectClass: group
cn: IDM_VPN
description::
U2t1cGluYSBqZSBuYW1lbmplbmEgZG9zdG9wdSDFoXR1ZGVudG92IGRvIHN0b3Jp
dGV2IFZQTi4gWiBuam8gdXByYXZsamEgSURNLg==
member: CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si
distinguishedName: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si
instanceType: 4
whenCreated: 20211118102555.0Z
Please help me!
Best, Erik
On 11/29/21 9:38 PM, Alan DeKok wrote:
> And I didn't notice in my last reply...
>
> don't email me off-list. The purpose of the list is to let everyone ELSE see what problems are being solved. Email the list.
>
> Any further emails sent directly to me will be ignored.
>
>> On Nov 29, 2021, at 3:07 PM, Erik Frangež <erik at frangez.net> wrote:
>>
>> Can you please help me? Thank you!
>>
>>
>>
>> -------- Forwarded message --------
>> Subject: Re: Problem with limiting users to group in Active Directory
>> Date: Sun, 28 Nov 2021 21:45:47 +0100
>> From: Erik Frangež <erik at frangez.net>
>> To: Alan DeKok <aland at deployingradius.com>
>>
>>
>> Hi Alan,
>>
>> here is whole log for one attempt:
>>
>> (74) Received Access-Request Id 42 from 164.8.15.42:54972 to 164.8.100.71:21812 length 71
>> (74) User-Name = "erik.frangez1"
>> (74) User-Password = "*******"
>> (74) Service-Type = Authenticate-Only
>> (74) NAS-Port = 0
>> (74) NAS-IP-Address = 164.8.15.40
>> (74) # Executing section authorize from file /etc/raddb/sites-enabled/guard_vpn_student
>> (74) authorize {
>> (74) suffix: Checking for suffix after "@"
>> (74) suffix: No '@' in User-Name = "erik.frangez1", looking up realm NULL
>> (74) suffix: Found realm "NULL"
>> (74) suffix: Adding Stripped-User-Name = "erik.frangez1"
>> (74) suffix: Adding Realm = "NULL"
>> (74) suffix: Authentication realm is LOCAL
>> (74) [suffix] = ok
>> (74) guard_vpn_student_file: users: Matched entry DEFAULT at line 1
>> (74) [guard_vpn_student_file] = ok
>> (74) } # authorize = ok
>> (74) Using Autz-Type LDAPS-VPN-STUDENT
>> (74) # Executing group from file /etc/raddb/sites-enabled/guard_vpn_student
>> (74) Autz-Type LDAPS-VPN-STUDENT {
>> (74) redundant {
>> (74) ldap1-vpn-student: EXPAND (sAMAccountName=%{User-Name})
>> (74) ldap1-vpn-student: --> (sAMAccountName=erik.frangez1)
>> (74) ldap1-vpn-student: Performing search in "ou=um,dc=loki,dc=um,dc=si" with filter "(sAMAccountName=erik.frangez1)", scope "sub"
>> (74) ldap1-vpn-student: Waiting for search result...
>> (74) ldap1-vpn-student: User object found at DN "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"
>> (74) [ldap1-vpn-student] = ok
>> (74) } # redundant = ok
>> (74) policy check_ldap_group_vpn_test {
>> (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") {
>> (74) if (ldap1-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE
>> (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") {
>> (74) elsif (ldap2-student-um-LDAP-Group == "CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si") -> FALSE
>> (74) else {
>> (74) [reject] = reject
>> (74) } # else = reject
>> (74) } # policy check_ldap_group_vpn_test = reject
>> (74) } # Autz-Type LDAPS-VPN-STUDENT = reject
>> (74) Invalid user: [erik.frangez1] (from client guard port 0)
>> (74) Using Post-Auth-Type Reject
>> (74) Post-Auth-Type sub-section not found. Ignoring.
>> (74) Delaying response for 1.000000 seconds
>> (74) Sending delayed response
>> (74) Sent Access-Reject Id 42 from 164.8.100.71:21812 to 164.8.15.42:54972 length 20
>> (74) Cleaning up request packet ID 42 with timestamp +19
>>
>>
>>
>> User is part of group IDM_VPN on domain LOKI...
>>
>> Thank you for help!
>>
>> Best, Erik
>>
>> On 11/28/21 7:33 PM, Alan DeKok wrote:
>>> On Nov 28, 2021, at 12:32 PM, Erik Frangež via Freeradius-Users <freeradius-users at lists.freeradius.org>
>>> wrote:
>>>
>>>> I am having problems configuring RADIUS authentication that limits users to a group in Active Directory.
>>>>
>>>> Here is configuration of LDAP:
>>>>
>>> We don't need to see that.
>>>
>>> Read
>>> http://wiki.freeradius.org/list-help
>>>
>>>
>>>
>>>
>>>> In sites-enabled for radius, I have specified this:
>>>>
>>> We don't need to see that, either.
>>>
>>>
>>>> Authentication is not working. Here are logs:
>>>>
>>> Part of the logs. But whatever...
>>>
>>>
>>>> rlm_ldap (ldap1): Reserved connection (0)
>>>> (392) ldap1: EXPAND (sAMAccountName=%{User-Name})
>>>> (392) ldap1: --> (sAMAccountName=user)
>>>> (392) ldap1: Performing search in "ou=ou,dc=domain,dc=dc,dc=dc" with filter "(sAMAccountName=user)", scope "sub"
>>>> (392) ldap1: Waiting for search result...
>>>> (392) ldap1: User object found at DN "..."
>>>> rlm_ldap (ldap1): Released connection (0)
>>>> (392) [ldap1] = ok
>>>> (392) } # redundant = ok
>>>> (392) policy check_ldap_group_vpn {
>>>> (392) if (&ldap1-LDAP-Group[*] == "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc") {
>>>> (392) Searching for user in group "cn=group,ou=groups,ou=ou,ou=ou,dc=dc,dc=dc,dc=dc"
>>>>
>>> That seems wrong. "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" ? Why the repetition?
>>>
>>> The default configuration works. The file mods-available/ldap has detailed instructions for getting it working with Active Directory.
>>>
>>> Follow the instructions, and it should work.
>>>
>>>
>>>> The user is a member of the group. We have the same configuration for another domain and it's working.
>>>>
>>> Is it *exactly* the same? i.e. with the same "ou=ou,ou=ou,dc=dc,dc=dc,dc=dc" repetition?
>>>
>>> Alan DeKok.
>>>
>>>
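As an added example (not from the thread and not FreeRADIUS code), the check that the ldapsearch output above lets you repeat by hand: parse the group entry as LDIF and compare the policy's lower-case group DN and the reported user DN against the directory's mixed-case values with DN normalization instead of byte equality. The LDIF is constructed from the entry quoted in the thread; the helper names are assumptions.

```python
import base64
import re

# Constructed LDIF, modelled on the ldapsearch output quoted in the thread.
GROUP_LDIF = """\
dn: CN=IDM_VPN,OU=Groups,OU=QUEST,OU=UM,DC=loki,DC=um,DC=si
objectClass: top
objectClass: group
cn: IDM_VPN
description:: U2t1cGluYSBqZSBuYW1lbmplbmEgZG9zdG9wdSDFoXR1ZGVudG92IGRvIHN0b3Jp
 dGV2IFZQTi4gWiBuam8gdXByYXZsamEgSURNLg==
member: CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si
"""
# Group DN as the unlang policy spells it (lower case) and the user DN rlm_ldap reported.
POLICY_GROUP_DN = "cn=idm_vpn,ou=groups,ou=quest,ou=um,dc=loki,dc=um,dc=si"
USER_DN = "CN=Erik Frangez,OU=Users,OU=FERI,OU=UM,DC=loki,DC=um,DC=si"

def parse_ldif_entry(text):
    """One LDIF entry -> {attr: [values]}; unfolds continuation lines
    (leading space) and decodes base64 'attr::' values (RFC 2849)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr, []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Split on unescaped commas, trim each RDN and case-fold type and value:
    AD matches DNs case-insensitively, so 'cn=idm_vpn' equals 'CN=IDM_VPN'."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return tuple(rdns)

def is_member(group_ldif, group_dn, user_dn):
    """True if the LDIF entry is group_dn and lists user_dn in member (normalized DNs)."""
    entry = parse_ldif_entry(group_ldif)
    if normalize_dn(entry["dn"][0]) != normalize_dn(group_dn):
        return False
    return any(normalize_dn(m) == normalize_dn(user_dn) for m in entry.get("member", []))
```

A plain string comparison of the policy DN with the entry's dn fails on case alone, while the normalized comparison reports the membership the ldapsearch output shows.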