Unable to Find Active Directory Group using LDAP Group Lookup module
Ibrahim Almahfooz
ibrahim.nezar at sevennet.net
Tue Oct 8 14:23:47 UTC 2024
Hello,
We have successfully integrated our FreeRADIUS Version 3.2.6 with active
directory using ntlm_auth module and also enabled sqlcounter to permit
users with specific daily limit. All working well. However, part of the
requirements is to give a specific time quota to users who are part of a
specific AD group, which we guess is a common use case.
To achieve this, we also integrated FR with ldap by using FreeRadius-ldap
package and we populated the ldap configuration file with below:
ldap section:
    server = '192.168.1.1'
    identity = 'cn=test,cn=Users,dc=domain,dc=com'
    password = 'xxxxxx'
    base_dn = 'CN=users,DC=domain,DC=com'
ldap Group section:
(As-is)
In the Authorize or Post-Auth section we added the below:
    if (LDAP-Group == "Office-VPN") {
        update reply {
            Reply-Message := "test reply"
        }
    }
When we run radiusd -X, the ldap part is executed in the authorize section;
however, it says "Search returned no results":
(1) authorize {
(1) if (LDAP-Group == "Office-VPN") {
(1) Searching for user in group "Office-VPN"
rlm_ldap (ldap): Reserved connection (1)
(1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(1) --> (uid=test)
(1) Performing search in "CN=users,DC=domain,DC=com" with filter
"(uid=test)", scope "sub"
(1) Waiting for search result...
(1) Search returned no results
rlm_ldap (ldap): Released connection (1)
Need more connections to reach 10 spares
rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
used
rlm_ldap (ldap): Connecting to ldap://192.168.1.1:389
rlm_ldap (ldap): Waiting for bind result...
rlm_ldap (ldap): Bind successful
(1) if (LDAP-Group == "Office-VPN") -> FALSE
In our active directory the user "test" is part of the "Office-VPN" group
and both the user and group are inside "cn=Users,dc=domain,dc=com"
Also, when we run the ldapsearch command from the FR machine, we get
positive results:
ldapsearch -x -b "cn=Users,dc=domain,dc=com" \
    -D "cn=test,cn=Users,dc=domain,dc=com" -h 192.168.1.1 -w "xxxxxx" \
    '(&(cn=Office-VPN))'
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=domain,dc=com> with scope subtree
# filter: (&(cn=Office-VPN))
# requesting: ALL
#
# Office-VPN, Users, domain.com
dn: CN=Office-VPN,CN=Users,DC= domain,DC=com
objectClass: top
objectClass: group
cn: Office-VPN
member: CN=test,CN=Users,DC=domain,DC=com
distinguishedName: CN=Office-VPN,CN=Users,DC=domain,DC=com
instanceType: 4
whenCreated: 20241008110114.0Z
whenChanged: 20241008131130.0Z
uSNCreated: 134205037
uSNChanged: 134208547
name: Office-VPN
objectGUID:: bJ2ut8zDLUu8jhVkbMh7mQ==
objectSid:: AQUAAAAAAAUVAAAAEBY0cDMJoyrnPWkPzxYAAA==
sAMAccountName: Office-VPN
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com
dSCorePropagationData: 20241008120926.0Z
dSCorePropagationData: 20241008114220.0Z
dSCorePropagationData: 16010101000000.0Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
What do you think could be the issue?
By the way, we also tried changing the parameter filter =
'(objectClass=posixGroup)' to filter = '(objectClass=group)', and that
didn't work either.
Appreciate your help
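The debug output shows that the group check first searches for the user with the module's default user filter, (uid=test); AD user objects carry the login name in sAMAccountName rather than uid, so that search returns nothing and the group comparison never gets as far as reading the group. The following is an added example of the user and group sections of mods-available/ldap for FreeRADIUS 3.x, not configuration from the original post; it reuses the server, bind DN and base DN from the post, and the password is a placeholder.

```conf
ldap {
    server = '192.168.1.1'
    identity = 'cn=test,cn=Users,dc=domain,dc=com'
    password = 'xxxxxx'    # placeholder, as in the post
    base_dn = 'CN=Users,DC=domain,DC=com'

    user {
        base_dn = "${..base_dn}"
        # This filter produces the "EXPAND (uid=...)" line in radiusd -X.
        # AD stores the login name in sAMAccountName, not uid, so the
        # module default of (uid=...) never matches an AD user object.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        # AD groups are objectClass=group (the module default is posixGroup).
        filter = '(objectClass=group)'
        # Attribute compared by: if (LDAP-Group == "Office-VPN")
        name_attribute = 'cn'
        # AD records membership on the group object as 'member' (holding
        # the user's DN, as the ldapsearch output above shows) and on the
        # user object as 'memberOf'. Both lookups depend on the user
        # search above having resolved the user's DN first.
        membership_filter = "(member=%{control:Ldap-UserDn})"
        membership_attribute = 'memberOf'
    }
}
```

With the user filter corrected, the EXPAND line in radiusd -X should read (sAMAccountName=test) and the LDAP-Group comparison can evaluate against the group's member list.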