ldap xlat syntax
Christopher Nighswonger
chris.nighswonger at gmail.com
Fri Apr 26 19:42:05 UTC 2024
G'day,
Background:
Debian GNU/Linux 11 (bullseye)
FreeRADIUS Version 3.0.21
Samba Version 4.16.11-Debian (AD)
Freeradius does user authentication against the Samba AD backend using
ntlm_auth/mschapv2 and this works flawlessly.
Problem:
I'm looking at the doc for ldap xlat syntax:
https://wiki.freeradius.org/modules/Rlm_ldap#ldap-xlat
The following ldapsearch query works and returns a list of
sAMAccountNames which are members of the 'staff' group.
ldapsearch -D "cn=Administrator,cn=Users,dc=foo,dc=bar,dc=com" -w super_secret! \
  -h "localhost" -b "cn=Users,dc=foo,dc=bar,dc=com" -s sub \
  "(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))" \
  sAMAccountName
I am trying to replicate this in an ldap xlat inside the post-auth
section like so:
update reply {
  Reply-Message += "AD-Group: %{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}",
}
However, freeradius complains:
(12) update reply {
(12) ERROR: Parsing LDAP URL failed
(12) EXPAND AD-Group:
%{ldap:ldap:///cn=Users,dc=foo,dc=bar,dc=com?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))?sAMAccountName}
(12) --> AD-Group:
(12) Reply-Message += AD-Group:
Questions:
1. Is this sort of query possible using ldap xlat?
2. If so, am I missing something obvious?
3. Is there a way to test/debug ldap xlat expressions which is more
efficient/simple than embedding them in the config and testing?
Thanks,
Chris
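The rlm_ldap xlat takes an RFC 4516 LDAP URL, whose fields after the base DN come in the fixed order attributes?scope?filter (the scope is one of base, one or sub), so the quickest offline check before putting an expression into the config is to split the URL into those fields and see whether each one holds the kind of value it should. The script below is an added example and is not part of the original post or of FreeRADIUS; the base DN, group DN and filter are the ones from the post, the URL variants and the checks are constructed for illustration.

```python
"""Parse and sanity-check an RFC 4516 LDAP URL as used by the rlm_ldap xlat:

    ldap://[host]/dn?attributes?scope?filter?extensions

Added example, not FreeRADIUS code. The DNs and filter come from the post;
the two sample URLs are constructed to show the field order mattering."""
from urllib.parse import unquote

VALID_SCOPES = {"", "base", "one", "sub"}   # RFC 4516 scope tokens; empty means base

# URL in the order it appeared in the post (filter in the attributes slot,
# attribute name in the scope slot).
AS_POSTED_URL = (
    "ldap:///cn=Users,dc=foo,dc=bar,dc=com"
    "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))"
    "?sAMAccountName"
)

# Same DN, attribute and filter arranged in RFC 4516 order: dn?attributes?scope?filter.
RFC_ORDER_URL = (
    "ldap:///cn=Users,dc=foo,dc=bar,dc=com"
    "?sAMAccountName?sub"
    "?(&(objectclass=user)(memberOf=CN=staff,CN=Users,DC=foo,DC=bar,DC=com))"
)


def parse_ldap_url(url):
    """Split an LDAP URL into its named fields (percent-decoded)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    host, _, path = rest.partition("/")          # ldap:///dn  -> empty host
    fields = path.split("?", 4)                  # at most 5 fields after the host
    fields += [""] * (5 - len(fields))           # pad missing trailing fields
    dn, attrs, scope, filt, ext = (unquote(f) for f in fields)
    return {
        "scheme": scheme.lower(),
        "host": host,
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope.lower(),
        "filter": filt,
        "extensions": [e for e in ext.split(",") if e],
    }


def balanced(s):
    """True if every '(' in s has a matching ')' in the right order."""
    depth = 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def check_ldap_url(url):
    """Return a list of problems found in the URL; an empty list means well-formed."""
    try:
        u = parse_ldap_url(url)
    except ValueError as e:
        return [str(e)]
    problems = []
    if u["scope"] not in VALID_SCOPES:
        problems.append(
            "scope must be base/one/sub, got %r (field order is dn?attributes?scope?filter)"
            % u["scope"]
        )
    f = u["filter"]
    if f and not (f.startswith("(") and f.endswith(")") and balanced(f)):
        problems.append("filter must be a parenthesised RFC 4515 filter, got %r" % f)
    for a in u["attributes"]:
        if a.startswith("("):
            problems.append(
                "attribute name %r looks like a filter; attributes come before the scope" % a
            )
    return problems


if __name__ == "__main__":
    for label, url in (("as posted", AS_POSTED_URL), ("RFC 4516 order", RFC_ORDER_URL)):
        print(label, "->", check_ldap_url(url) or "OK")
```

Running the script reports two problems for the first URL (an attribute that starts with "(" and a scope of "sAMAccountName") and none for the second; the same check applies to any URL before it goes into an unlang string, where the surrounding quoting and xlat escaping can otherwise hide a simple field-order slip.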