Unable to Find Active Directory Group using LDAP Group Lookup module
Ibrahim Almahfooz
ibrahim.nezar at sevennet.net
Tue Oct 8 18:35:01 UTC 2024
Found the issue, my bad, I didn't read the comment in the user section; I was
focusing on the group section only.
It was related to uid and samaccountname in the filter of the user section
inside the ldap module:
Instead of the original filter:
## filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
I updated to this filter:
filter = "(samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})"
Thanks for the guidance, Alan.
On Tue, 8 Oct 2024 at 17:23, Ibrahim Almahfooz <ibrahim.nezar at sevennet.net> wrote:
> Hello,
>
> We have successfully integrated our FreeRADIUS Version 3.2.6 with active
> directory using ntlm_auth module and also enabled sqlcounter to permit
> users with specific daily limit. All working well. However, part of the
> requirements is to give a specific time quota to users who are part of a
> specific AD group, which we guess is a common use case.
>
> To achieve this, we also integrated FR with ldap by using FreeRadius-ldap
> package and we populated the ldap configuration file with below:
>
> ldap section:
>
> server = '192.168.1.1'
> identity = 'cn=test,cn=Users,dc=domain,dc=com'
> password = 'xxxxxx'
> base_dn = 'CN=users,DC=domain,DC=com'
>
> ldap Group section:
> (As-is)
>
> In the Authorize or Post-Auth section we added below:
>
> if (LDAP-Group == "Office-VPN") {
> update reply {
> Reply-Message := "test reply"
> }
> }
>
>
> When we run radiusd -X, the ldap part is executed in the authorize section
> however it says "Search returned no results":
>
> (1) authorize {
> (1) if (LDAP-Group == "Office-VPN") {
> (1) Searching for user in group "Office-VPN"
> rlm_ldap (ldap): Reserved connection (1)
> (1) EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
> (1) --> (uid=test)
> (1) Performing search in "CN=users,DC=domain,DC=com" with filter
> "(uid=test)", scope "sub"
> (1) Waiting for search result...
> (1) Search returned no results
> rlm_ldap (ldap): Released connection (1)
> Need more connections to reach 10 spares
> rlm_ldap (ldap): Opening additional connection (6), 1 of 26 pending slots
> used
> rlm_ldap (ldap): Connecting to ldap://192.168.1.1:389
> rlm_ldap (ldap): Waiting for bind result...
> rlm_ldap (ldap): Bind successful
> (1) if (LDAP-Group == "Office-VPN") -> FALSE
>
>
> In our active directory the user "test" is part of the "Office-VPN" group
> and both the user and group are inside "cn=Users,dc=domain,dc=com"
>
> Also when we run the ldapsearch command from within FR machine, we get
> positive results:
> ldapsearch -x -b "cn=Users,dc=domain,dc=com" -D
> "cn=test,cn=Users,dc=domain,dc=com" -h 192.168.1.1 -w "xxxxxx"
> '(&(cn=Office-VPN))'
> # extended LDIF
> #
> # LDAPv3
> # base <cn=Users,dc=domain,dc=com> with scope subtree
> # filter: (&(cn=Office-VPN))
> # requesting: ALL
> #
>
> # Office-VPN, Users, domain.com
> dn: CN=Office-VPN,CN=Users,DC= domain,DC=com
> objectClass: top
> objectClass: group
> cn: Office-VPN
> member: CN=test,CN=Users,DC=domain,DC=com
> distinguishedName: CN=Office-VPN,CN=Users,DC=domain,DC=com
> instanceType: 4
> whenCreated: 20241008110114.0Z
> whenChanged: 20241008131130.0Z
> uSNCreated: 134205037
> uSNChanged: 134208547
> name: Office-VPN
> objectGUID:: bJ2ut8zDLUu8jhVkbMh7mQ==
> objectSid:: AQUAAAAAAAUVAAAAEBY0cDMJoyrnPWkPzxYAAA==
> sAMAccountName: Office-VPN
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=domain,DC=com
> dSCorePropagationData: 20241008120926.0Z
> dSCorePropagationData: 20241008114220.0Z
> dSCorePropagationData: 16010101000000.0Z
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> What do you think could be the issue?
>
> By the way, we also tried to change the parameter like filter =
> '(objectClass=posixGroup)' to use filter = '(objectClass=group)' and that
> didn't work either.
>
> Appreciate your help
>
>
--
Ibrahim Abdulatif
IT and EPC Core Signaling Manager
Sevennet Layers Co., LTD.
+964 (0) 53 511 5514 | +964 (0) 770 471 5514
www.sevennet.net
2nd Floor, Faruk Investment Group, Salim Street, Sulaymaniyah, Iraq
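The thread's root cause, as an added illustration that is not part of the original post or of FreeRADIUS itself: the stock rlm_ldap user filter searches on `uid`, but Active Directory stores the login name in `sAMAccountName`, so the user lookup returns nothing and the later `LDAP-Group` check can never be true. The script below models the two AD entries shown in the ldapsearch output with a constructed in-memory directory (no LDAP server is contacted), expands the `%{%{Stripped-User-Name}:-%{User-Name}}` style filter with RFC 4515 escaping, and runs the group check with both filter attributes. The `search`, `user_in_group` and `expand_user_filter` helpers are assumptions of this example, written to mirror what the radiusd -X output shows, not rlm_ldap's real API.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the AD objects in the thread: the "test" user and the
# "Office-VPN" group, both under CN=Users. The user entry has no "uid" attribute,
# which is exactly why the default filter finds nothing.
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=test,CN=Users,DC=domain,DC=com",
     "objectClass": ["top", "person", "user"],
     "cn": ["test"],
     "sAMAccountName": ["test"]},
    {"dn": "CN=Office-VPN,CN=Users,DC=domain,DC=com",
     "objectClass": ["top", "group"],
     "cn": ["Office-VPN"],
     "sAMAccountName": ["Office-VPN"],
     "member": ["CN=test,CN=Users,DC=domain,DC=com"]},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without this, a User-Name such as 'x)(objectClass=*' would alter the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def expand_user_filter(attribute: str, user_name: str,
                       stripped_user_name: Optional[str] = None) -> str:
    """Model %{%{Stripped-User-Name}:-%{User-Name}}: the stripped name wins when set."""
    name = stripped_user_name if stripped_user_name else user_name
    return f"({attribute}={ldap_escape(name)})"


def search(base_dn: str, filter_str: str) -> List[Dict[str, object]]:
    """Evaluate one equality filter '(attr=value)' with scope 'sub' over DIRECTORY.
    Attribute names and values are compared case-insensitively, as AD does."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"only simple equality filters are modelled: {filter_str}")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    hits = []
    for entry in DIRECTORY:
        if not str(entry["dn"]).lower().endswith(base_dn.lower()):
            continue
        for key, values in entry.items():
            if key == "dn" or key.lower() != attr:
                continue
            if any(ldap_escape(v).lower() == wanted for v in values):  # type: ignore[union-attr]
                hits.append(entry)
                break
    return hits


def user_in_group(user_name: str, group_name: str, user_filter_attribute: str,
                  base_dn: str = "CN=Users,DC=domain,DC=com") -> bool:
    """Mirror the LDAP-Group check: first resolve the user's DN through the user
    filter, then look for a group whose 'member' list contains that DN."""
    users = search(base_dn, expand_user_filter(user_filter_attribute, user_name))
    if not users:
        # This is the "Search returned no results" branch from the debug output.
        return False
    user_dn = str(users[0]["dn"]).lower()
    for group in search(base_dn, f"(cn={ldap_escape(group_name)})"):
        classes = [str(c).lower() for c in group.get("objectClass", [])]  # type: ignore[union-attr]
        members = [str(mem).lower() for mem in group.get("member", [])]  # type: ignore[union-attr]
        if "group" in classes and user_dn in members:
            return True
    return False


def check_with(attribute: str) -> bool:
    """Run the thread's scenario (user 'test', group 'Office-VPN') with a given filter attribute."""
    return user_in_group("test", "Office-VPN", attribute)


if __name__ == "__main__":
    for attribute in ("uid", "sAMAccountName"):
        print(f"{expand_user_filter(attribute, 'test')} -> "
              f"LDAP-Group == \"Office-VPN\" is {check_with(attribute)}")
    # Escaping keeps a hostile User-Name inside the value rather than the filter syntax.
    print(expand_user_filter("sAMAccountName", "test)(objectClass=*"))
```

Running it prints the `uid` filter evaluating to False and the `sAMAccountName` filter to True, which is the before/after of the fix in the thread. The escaping helper is the one detail worth carrying over to a real deployment check: rlm_ldap escapes expanded values itself, but any hand-written ldapsearch wrapper or script that builds filters from RADIUS User-Name must do the same.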