Freeradius+AD - Login with EmployeeID

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Mon Aug 7 14:33:10 UTC 2023


These are the filters I'm using:

filter in freeradius (works) = (sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
filter in ldapsearch (works) = (sAMAccountName=rodrigoantunes)

filter in freeradius (doesn't work) = (employeeID=%{mschap_default:User-Name:-%{User-Name}})
filter in ldapsearch (works) = (employeeID=1638828)

The expanded filters in the logs are right, so I don't know why it
isn't working.

The FreeRADIUS version is 2.2.5. I know it is old, and we are currently
working on a new one, but we need to make this work until the new one is
ready.

Quoting Alan DeKok <aland at deployingradius.com>:

> On Aug 7, 2023, at 10:01 AM, Rodrigo Abrantes Antunes  
> <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>> Hello, I have a freeradius server authenticating users with active  
>> directory, the users login with the samaccountname.
>>
>> This is the ldap filter:  
>> (sAMAccountName=%{mschap_default:User-Name:-%{User-Name}})
>>
>> Now I need to enable the users to login with the employeeID.
>>
>> This is the ldap filter I tried:  
>> (employeeID=%{mschap_default:User-Name:-%{User-Name}})"
>>
>> The filter works in ldapsearch but not in freeradius.
>
> OK...
>
>> # Executing section authorize from file  
>> /etc/freeradius/sites-enabled/default
>> Mon Aug  7 10:23:44 2023 : Debug: +group authorize {
>> Mon Aug  7 10:23:44 2023 : Debug: [ad_all] performing user  
>> authorization for 1638828
>> Mon Aug  7 10:23:44 2023 : Debug: [ad_all]      expand:  
>> (employeeID=%{mschap_default:User-Name:-%{User-Name}}) ->  
>> (employeeID=1638828)
>> Mon Aug  7 10:23:44 2023 : Debug: [ad_all]      expand:  
>> DC=xx,DC=xx,DC=xx,DC=xx -> DC=xx,DC=xx,DC=xx,DC=xx
>> Mon Aug  7 10:23:44 2023 : Debug: ++[ad_all] = fail
>> ...
>> Why can't freeradius filter with the employeeID attribute?
>
> It can.  The filters you're giving to FreeRADIUS are different from  
> the filters you're using in ldapsearch.
>
> There are instructions in mods-available/ldap which say how to take  
> the filters, etc. from the ldap module configuration, and then use  
> them in ldapsearch.  This lets you debug the exact parameters used  
> by the server.
>
> And which version are you running?  That debug output looks very  
> old.  If you're running a version which is 5+ years old... please  
> upgrade.  It will be much better.
>
> Alan DeKok.
>
> -List info/subscribe/unsubscribe? See  
> http://www.freeradius.org/list/users.html
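
Added example, not part of the original thread and not FreeRADIUS project code: one way to follow the advice above is to build the ldapsearch command from the ldap module's own settings, so the bind identity, base DN and expanded filter are exactly what the server uses. The config values are constructed placeholders, the key names assume the FreeRADIUS 2.x ldap module layout, and the `ldap://` scheme and subtree scope are assumptions to adjust for the real instance.

```python
import re
import shlex

# Constructed module instance. Key names assume the FreeRADIUS 2.x ldap
# module layout; every value is a placeholder, not taken from the thread.
SAMPLE_CONF = '''
ldap ad_all {
    server = "dc1.example.org"
    identity = "CN=radius,OU=Service,DC=example,DC=org"
    basedn = "DC=example,DC=org"
    filter = "(employeeID=%{mschap_default:User-Name:-%{User-Name}})"
}
'''

# The only expansion handled here is the one used in the thread.
XLAT = '%{mschap_default:User-Name:-%{User-Name}}'


def parse_instance(conf):
    """Return the 'key = value' pairs of one module block as a dict."""
    pattern = r'^[ \t]*(\w+)[ \t]*=[ \t]*"?(.*?)"?[ \t]*$'
    return dict(re.findall(pattern, conf, re.M))


def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a filter value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\0' else c for c in value)


def expand_filter(template, user_name):
    """Substitute the escaped user name for the User-Name expansion."""
    return template.replace(XLAT, escape_filter_value(user_name))


def ldapsearch_argv(conf, user_name, attrs=('dn',)):
    """Build an ldapsearch command using the module's own parameters."""
    cfg = parse_instance(conf)
    return ['ldapsearch', '-x',
            '-H', 'ldap://' + cfg['server'],   # assumed scheme and port
            '-D', cfg['identity'], '-W',       # -W prompts for the password
            '-b', cfg['basedn'], '-s', 'sub',  # assumed subtree scope
            expand_filter(cfg['filter'], user_name), *attrs]


if __name__ == '__main__':
    print(shlex.join(ldapsearch_argv(SAMPLE_CONF, '1638828')))
```

Running the printed command as the module's bind identity, rather than as a personal or admin account, shows whether that identity gets the same result for the employeeID filter.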

