Azure AD LDAP / memberOf / Not all groups being assigned to control:LDAP-Group
Mike Mercier
mmercier at gmail.com
Thu Mar 7 18:01:59 UTC 2024
Hello,
Freeradius info:
freeradius -v
radiusd: FreeRADIUS Version 3.0.20, for host x86_64-pc-linux-gnu, built on Jan 4 2023 at 03:22:36
FreeRADIUS Version 3.0.20
more /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.6 LTS"
I've been using pfSense + OpenVPN + FreeRadius, using an Azure AD LDAP
backend successfully for quite a while now. This morning I had a user
reach out to let me know they are unable to access specific resources via
the OpenVPN client. As part of the post-auth, I am creating a Cisco-AVPair
to dynamically create rules in pf; this is (was?) working as expected.
What I discovered after some digging is that the 'control:LDAP-Group'
variable is not being assigned all the groups the user is a member of.
Since some groups are missing from the result, some of the post-auth group
checks are never hit, so the firewall rule is not being added to the
Cisco-AVPair.
ex:
I have the following in the 'ldap' module
server = 'ldaps://ldaps.domain.com'
identity = '<username>@domain.com'
password = '<password>'
base_dn = 'dc=domain,dc=com'
If I do an ldapsearch for the user using the variables above:
ldapsearch -D "$identity" -w "$password" -H "$server" -b "$base_dn" \
'(&(objectClass=user)(sAMAccountName=<username>))' memberOf | grep \
^memberOf | wc -l
The command returns 112 groups for the user I have queried.
When I run 'freeradius -f -XXX' and monitor the output for the above user's
login, the number of groups assigned to control:LDAP-Group is only 65.
I have a different user who is a member of 70 groups; testing with that
user I see the same result from the 'freeradius -f -XXX' output for this
user as well, only 65 groups.
Has anyone else experienced this? Is there a knob I have to tune somewhere
that I am unaware of?
Thanks,
Mike
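A way to see exactly which of the memberOf values never make it into control:LDAP-Group, added here as an example (not code from the post or from FreeRADIUS): it unfolds the LDIF that ldapsearch prints (continuation lines and base64 "memberOf::" values) and diffs the result against the LDAP-Group lines in the debug output. The sample LDIF and debug text are constructed, and the debug line format is an assumption about 3.0.x output.

```python
import base64
import re

# Constructed sample of the LDIF that `ldapsearch ... memberOf` prints: LDIF folds
# long values onto continuation lines starting with a space and base64-encodes
# values with non-ASCII characters after a double colon ("memberOf::").
UMLAUT_GROUP = "CN=Ältere Systeme,OU=Groups,DC=domain,DC=com"
LDIF_SAMPLE = (
    "dn: CN=jdoe,OU=Users,DC=domain,DC=com\n"
    "memberOf: CN=VPN Users,OU=Groups,DC=domain,DC=com\n"
    "memberOf: CN=Finance Servers Access,OU=Groups,OU=Very Long Container,DC=do\n"
    " main,DC=com\n"
    "memberOf:: " + base64.b64encode(UMLAUT_GROUP.encode("utf-8")).decode() + "\n"
    "memberOf: CN=Printer Admins,OU=Groups,DC=domain,DC=com\n"
)

# Constructed sample of `freeradius -f -XXX` output while rlm_ldap caches the
# user's memberships; the exact line format is an assumption about 3.0.x.
DEBUG_SAMPLE = (
    "(0)   ldap: Adding cacheable user object memberships\n"
    '(0)   ldap:   &control:LDAP-Group += "CN=VPN Users,OU=Groups,DC=domain,DC=com"\n'
    '(0)   ldap:   &control:LDAP-Group += "CN=Printer Admins,OU=Groups,DC=domain,DC=com"\n'
)
LDAP_GROUP_RE = re.compile(r'control:LDAP-Group\s*\+?=\s*"([^"]*)"')

def parse_ldif_memberof(ldif):
    """Unfold LDIF and return the set of memberOf DNs, lower-cased (AD DNs are
    case-insensitive, so case differences must not be reported as missing)."""
    unfolded = []
    for line in ldif.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous value
        else:
            unfolded.append(line)
    groups = set()
    for line in unfolded:
        if line.startswith("memberOf:: "):
            groups.add(base64.b64decode(line[11:]).decode("utf-8").lower())
        elif line.startswith("memberOf: "):
            groups.add(line[10:].lower())
    return groups

def parse_debug_ldap_groups(debug):
    """Set of DNs the debug output shows being added to control:LDAP-Group."""
    return {m.group(1).lower() for m in LDAP_GROUP_RE.finditer(debug)}

def missing_groups(ldif, debug):
    """Groups the directory returned that never appeared in control:LDAP-Group."""
    return sorted(parse_ldif_memberof(ldif) - parse_debug_ldap_groups(debug))
```

Feed it the real ldapsearch output and the captured debug log for one login; the names that come back are the groups whose post-auth checks can never match.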