Freeradius+AD - Login with EmployeeID
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Mon Aug 7 14:01:58 UTC 2023
Hello, I have a FreeRADIUS server authenticating users with Active
Directory; the users log in with the sAMAccountName.
This is the ldap filter:
(sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
Now I need to enable the users to log in with the employeeID.
This is the ldap filter I tried:
(employeeID=%{mschap_default:User-Name:-%{User-Name}})
The filter works in ldapsearch but not in FreeRADIUS.
# Executing section authorize from file /etc/freeradius/sites-enabled/default
Mon Aug 7 10:23:44 2023 : Debug: +group authorize {
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] performing user authorization for 1638828
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: (employeeID=%{mschap_default:User-Name:-%{User-Name}}) -> (employeeID=1638828)
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx
Mon Aug 7 10:23:44 2023 : Debug: ++[ad_all] = fail
Mon Aug 7 10:23:44 2023 : Debug: +} # group authorize = fail
Mon Aug 7 10:23:44 2023 : Debug: Using Post-Auth-Type REJECT
Mon Aug 7 10:23:44 2023 : Debug: # Executing group from file /etc/freeradius/sites-enabled/default
Mon Aug 7 10:23:44 2023 : Debug: +group REJECT {
Mon Aug 7 10:23:44 2023 : Debug: [attr_filter.access_reject] expand: %{User-Name} -> 1638828
Mon Aug 7 10:23:44 2023 : Debug: ++[attr_filter.access_reject] = updated
Mon Aug 7 10:23:44 2023 : Debug: +} # group REJECT = updated
Why can't FreeRADIUS filter with the employeeID attribute?
Thanks.