Freeradius+AD - Login with EmployeeID

Mon Aug 7 14:14:20 UTC 2023

On Aug 7, 2023, at 10:01 AM, Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
> 
> Hello, I have a freeradius server authenticating users with active directory, the users login with the samaccountname.
> 
> This is the ldap filter: (sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
> 
> Now I need to enable the users to login with the employeeID.
> 
> This is the ldap filter I tried: (employeeID=%{mschap_default:User-Name:-%{User-Name}})"
> 
> The filter works in ldapsearch but not in freeradius.

  OK...

> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> Mon Aug  7 10:23:44 2023 : Debug: +group authorize {
> Mon Aug  7 10:23:44 2023 : Debug: [ad_all] performing user authorization for 1638828
> Mon Aug  7 10:23:44 2023 : Debug: [ad_all]      expand: (employeeID=%{mschap_default:User-Name:-%{User-Name}}) -> (employeeID=1638828)
> Mon Aug  7 10:23:44 2023 : Debug: [ad_all]      expand: DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx
> Mon Aug  7 10:23:44 2023 : Debug: ++[ad_all] = fail
> ...
> Why freeradius can't filter with the employeeID attribute?

  It can.  The filters you're giving to FreeRADIUS are different from the filters you're using in ldapsearch.

  There are instructions in mods-available/ldap which say how to take the filters, etc. from the ldap module configuration, and then use them in ldapsearch.  This lets you debug the exact parameters used by the server.

  And which version are you running?  That debug output looks very old.  If you're running a version which is 5+ years old... please upgrade.  It will be much better.

  Alan DeKok.