Freeradius+AD - Login with EmployeeID
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Mon Aug 7 14:33:10 UTC 2023
These are the filters I'm using:

filter in freeradius (works) =
(sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
filter in ldapsearch (works) = (sAMAccountName=rodrigoantunes)
filter in freeradius (doesn't work) =
(employeeID=%{mschap_default:User-Name:-%{User-Name}})
filter in ldapsearch (works) = (employeeID=1638828)

The expanded filters in the logs are right, so I don't know why it
isn't working.

The FreeRADIUS version is 2.2.5. I know it is old; we are currently
working on a new one, but we need to make this work until the new one
is ready.

Quoting Alan DeKok <aland at deployingradius.com>:
> On Aug 7, 2023, at 10:01 AM, Rodrigo Abrantes Antunes
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> Hello, I have a freeradius server authenticating users with active
>> directory, the users login with the samaccountname.
>>
>> This is the ldap filter:
>> (sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
>>
>> Now I need to enable the users to login with the employeeID.
>>
>> This is the ldap filter I tried:
>> (employeeID=%{mschap_default:User-Name:-%{User-Name}})"
>>
>> The filter works in ldapsearch but not in freeradius.
>
> OK...
>
>> # Executing section authorize from file
>> /etc/freeradius/sites-enabled/default
>> Mon Aug 7 10:23:44 2023 : Debug: +group authorize {
>> Mon Aug 7 10:23:44 2023 : Debug: [ad_all] performing user
>> authorization for 1638828
>> Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand:
>> (employeeID=%{mschap_default:User-Name:-%{User-Name}}) ->
>> (employeeID=1638828)
>> Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand:
>> DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx
>> Mon Aug 7 10:23:44 2023 : Debug: ++[ad_all] = fail
>> ...
>> Why can't freeradius filter with the employeeID attribute?
>
> It can. The filters you're giving to FreeRADIUS are different from
> the filters you're using in ldapsearch.
>
> There are instructions in mods-available/ldap which say how to take
> the filters, etc. from the ldap module configuration, and then use
> them in ldapsearch. This lets you debug the exact parameters used
> by the server.
>
> And which version are you running? That debug output looks very
> old. If you're running a version which is 5+ years old... please
> upgrade. It will be much better.
>
> Alan DeKok.
>
> -List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
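
Added example, not part of either message and not FreeRADIUS code: one way to act on the advice above is to rebuild the ldapsearch command from what the server logged rather than from a hand-typed filter. The LDAP URI and bind DN are placeholders, the subtree scope is an assumption, and the sample log is constructed from the debug lines quoted in the thread, with the mail client's line wrapping undone.

```python
import re
import shlex

# Constructed sample: the debug lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] performing user authorization for 1638828
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: (employeeID=%{mschap_default:User-Name:-%{User-Name}}) -> (employeeID=1638828)
Mon Aug 7 10:23:44 2023 : Debug: [ad_all] expand: DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx
Mon Aug 7 10:23:44 2023 : Debug: ++[ad_all] = fail
"""

# "[instance] expand: <template> -> <expanded value>"
EXPAND = re.compile(
    r"Debug:\s+\[(?P<inst>[^\]]+)\]\s+expand:\s+(?P<tmpl>.*?)\s+->\s+(?P<value>.*)$"
)


def expansions(log, instance):
    """Return the expanded values one ldap module instance logged, in order."""
    out = []
    for line in log.splitlines():
        m = EXPAND.search(line)
        if m and m.group("inst") == instance:
            out.append(m.group("value").strip())
    return out


def replay_command(log, instance, uri, bind_dn, attrs=("dn",)):
    """Build the ldapsearch argv that repeats the search the server logged."""
    values = expansions(log, instance)
    filters = [v for v in values if v.startswith("(") and v.endswith(")")]
    bases = [v for v in values if not v.startswith("(")]
    if not filters or not bases:
        raise ValueError("no expanded filter and base DN logged for %s" % instance)
    # -W prompts for the bind password, keeping it out of shell history.
    # "-s sub" is an assumption about the scope the module searches with.
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W",
            "-b", bases[-1], "-s", "sub", filters[-1], *attrs]


if __name__ == "__main__":
    # Placeholder URI and bind DN: substitute the ldap module's own values.
    argv = replay_command(SAMPLE_LOG, "ad_all", "ldap://dc.example.org",
                          "CN=radius,DC=example,DC=org")
    print(shlex.join(argv))
```

Run the printed command against the same server and with the same bind identity as the ldap module instance, so that any difference in results comes from the search parameters and not from who is asking.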