15th November 2011, 04:48
heinkonijn (Junior Member; Join Date: Nov 2011; Posts: 1)

Bug in freeradius 2?

I ran into an issue with freeradius 2 and LDAP (eDirectory) groups.

Authentication is working properly, just not reading the group memberships.

I have this rule in /etc/raddb/users

DEFAULT LDAP-Group!="cn=remote,ou=Groups,o=ABC", Auth-Type:=Reject
Reply-Message="You are not allowed to connect"

When I do an LDAP trace on the LDAP server I get this:

15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended on connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) Sending operation result 0:"":"" to connection 0xca20780
15:08:47 90490BA0 LDAP: (10.48.5.240:39601)(0x0002:0x63) Activating pending operation 0x2:0x63 on connection 0xccf1780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) DoSearch on connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) Search request:

So freeradius thinks the user is not a member.


I have found what the issue is.

There is a filter in modules/ldap which says this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

But it looks like the variable %{Ldap-UserDn} just doesn't work...
I reworked the filter a bit to this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"

This is working now, but only for one container. Fortunately all the users who use RADIUS are in this container, so it's OK for now, but it's not the best solution.

Any suggestions about this?
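As an added example, not part of the original post and not FreeRADIUS or eDirectory code, here is a small Python parser for trace lines of the kind quoted above. It reconstructs each "Search request:" block (base, filter, requested attributes, number of entries returned) and flags any filter that carries an empty assertion value such as (member=), which is exactly what the trace shows when %{Ldap-UserDn} expands to nothing before the group query is sent. The embedded trace excerpt is copied from the post (with the split "objectClass" token joined back together); the line regexes, the SearchRequest structure and the function names are my own assumptions about the trace format, not anything documented by the vendor.

```python
import re
from dataclasses import dataclass, field

# Trace excerpt copied from the post above; a constructed sample, not a live capture.
SAMPLE_TRACE = """\
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
"""

# Assumed shape of a timestamped trace line: time, thread id, client, (conn:op) id, event text.
TRACE_LINE = re.compile(
    r'^(?P<time>\d\d:\d\d:\d\d) (?P<thread>[0-9A-F]+) LDAP: '
    r'\((?P<client>[^)]+)\)\((?P<op>[^)]+)\) (?P<event>.*)$')

# An equality assertion whose value is empty, e.g. "(member=)" or "(uniquemember=)".
EMPTY_ASSERTION = re.compile(r'\(([A-Za-z][\w.;-]*)=\)')


@dataclass
class SearchRequest:
    op: str
    client: str
    base: str = ""
    search_filter: str = ""
    attributes: list = field(default_factory=list)
    entries: int = 0  # "Sending search result entry" lines seen for this op id


def parse_searches(trace: str) -> list:
    """Group the detail lines following each 'Search request:' into SearchRequest objects."""
    searches, order, current = {}, [], None
    for raw in trace.splitlines():
        line = raw.strip()
        m = TRACE_LINE.match(line)
        if m:
            op, event = m.group('op'), m.group('event')
            if event == 'Search request:':
                current = SearchRequest(op=op, client=m.group('client'))
                searches[op] = current
                order.append(op)
                continue
            if event.startswith('Sending search result entry') and op in searches:
                searches[op].entries += 1
            current = None  # any other timestamped line ends the detail block
            continue
        if current is None:
            continue
        # Detail lines carry their value in double quotes.
        if line.startswith('base:'):
            current.base = line.split('"', 2)[1]
        elif line.startswith('filter:'):
            current.search_filter = line.split('"', 2)[1]
        elif line.startswith('attribute:'):
            current.attributes.append(line.split('"', 2)[1])
    return [searches[op] for op in order]


def empty_assertions(ldap_filter: str) -> list:
    """Attribute names that are compared against an empty value in the filter."""
    return EMPTY_ASSERTION.findall(ldap_filter)


def broken_group_searches(trace: str) -> list:
    """(op, base, [attributes]) for every search whose filter has an empty assertion.

    A group search with (member=) can never match, so a zero-entry result here
    points at a failed variable expansion on the RADIUS side, not at the directory.
    """
    return [(s.op, s.base, empty_assertions(s.search_filter))
            for s in parse_searches(trace) if empty_assertions(s.search_filter)]


if __name__ == "__main__":
    for s in parse_searches(SAMPLE_TRACE):
        print(f"{s.op} base={s.base!r} entries={s.entries} filter={s.search_filter}")
    for op, base, attrs in broken_group_searches(SAMPLE_TRACE):
        print(f"EMPTY VALUE in {op} under {base}: {', '.join(attrs)}")
```

Run it against a saved trace file instead of SAMPLE_TRACE to check a larger capture: a group search that returns no entries while its filter carries an empty member= or uniquemember= assertion is the signature of the substitution problem described in the post, and separates it from a user who is genuinely not in the group (whose filter would contain a full DN).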