Bug in freeradius 2?
I ran into an issue with freeradius 2 and LDAP (eDirectory) groups.
Authentication is working properly, just not reading the group memberships.
I have this rule in /etc/raddb/users
DEFAULT LDAP-Group!="cn=remote,ou=Groups,o=ABC", Auth-Type:=Reject
Reply-Message="You are not allowed to connect"
When I do an LDAP trace on the LDAP server I get this:
15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended on connection 0xca20780
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13
15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) Sending operation result 0:"":"" to connection 0xca20780
15:08:47 90490BA0 LDAP: (10.48.5.240:39601)(0x0002:0x63) Activating pending operation 0x2:0x63 on connection 0xccf1780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
base: "ou=USERS,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(uid=user)"
attribute: "dn"
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
base: "cn=remote,ou=Groups,o=ABC"
scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
filter: "(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))"
attribute: "dn"
15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) DoSearch on connection 0xca20780
15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) Search request:
So freeradius thinks the user is not a member.
I have found what the issue is.
There is a filter in modules/ldap which says this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
But it looks like the variable %{Ldap-UserDn} just doesn't work...
I reworked the filter a bit to this:
groupmembership_filter = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"
This is working now, but only for one container. Fortunately all the users who use RADIUS are in this container, so it's OK for now, but it's not the best solution.
Any suggestions about this?
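Added illustration, not part of the original post: a small Python model of the two-step group check visible in the trace above (user search, then a search against the group entry with the expanded membership filter). It uses a constructed toy directory (the DNs other than `cn=remote,ou=Groups,o=ABC` are made up), a deliberately minimal filter evaluator that only understands equality assertions and `&`, and a `resolve_dn` flag standing in for whether `Ldap-UserDn` was populated before the filter was expanded. It shows why an unexpanded variable yields `(member=)`, which matches nothing, and why the `cn=%{User-Name},ou=users,o=ABC` workaround silently rejects members who live in another container.

```python
import re

# Constructed toy directory standing in for the eDirectory tree (not the poster's data).
DIRECTORY = {
    "cn=user,ou=Users,o=ABC": {"objectClass": ["inetOrgPerson"], "uid": ["user"]},
    "cn=bob,ou=Contractors,o=ABC": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=remote,ou=Groups,o=ABC": {
        "objectClass": ["GroupOfNames"],
        "member": ["cn=user,ou=Users,o=ABC", "cn=bob,ou=Contractors,o=ABC"],
    },
}

GROUP_DN = "cn=remote,ou=Groups,o=ABC"

# The two filter templates from the post, unchanged.
ORIGINAL_TEMPLATE = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
WORKAROUND_TEMPLATE = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"


def expand(template, attrs):
    """Expand %{Attr} the way an xlat does: an attribute that is not set becomes ''."""
    return re.sub(r"%\{([A-Za-z-]+)\}", lambda m: attrs.get(m.group(1), ""), template)


def parse_filter(filter_str):
    """Reduce '(a=v)' or '(&(a=v)(b=w)...)' to a list of (attr, value) equality assertions.
    Only the subset these templates need is supported (hypothetical helper, not rlm_ldap)."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    inner = m.group(1) if m else filter_str
    pairs = re.findall(r"\(([^=()]+)=([^()]*)\)", inner)
    if not pairs:
        raise ValueError(f"unsupported filter: {filter_str}")
    return pairs


def search(base_dn, filter_str):
    """Subtree search: DNs at or under base_dn whose attributes satisfy every assertion.
    Attribute names and values are compared case-insensitively, as LDAP does for DNs."""
    assertions = parse_filter(filter_str)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        ok = True
        for attr, value in assertions:
            values = [v.lower() for k, vs in attrs.items() if k.lower() == attr.lower() for v in vs]
            if value.lower() not in values:
                ok = False
                break
        if ok:
            hits.append(dn)
    return hits


def check_group(user_name, group_dn, template, resolve_dn):
    """Two-step membership check. Returns (filter_used, is_member).
    resolve_dn=False models Ldap-UserDn never being set before the filter is expanded."""
    attrs = {"User-Name": user_name}
    if resolve_dn:
        found = search("o=ABC", f"(uid={user_name})")
        if len(found) != 1:
            return None, False  # unknown or ambiguous user: fail closed
        attrs["Ldap-UserDn"] = found[0]
    filt = expand(template, attrs)
    return filt, group_dn in search(group_dn, filt)


if __name__ == "__main__":
    # 1. What the trace shows: the variable expands to nothing, so the filter is (member=).
    print(check_group("user", GROUP_DN, ORIGINAL_TEMPLATE, resolve_dn=False))
    # 2. The workaround works for users under ou=users ...
    print(check_group("user", GROUP_DN, WORKAROUND_TEMPLATE, resolve_dn=False))
    # 3. ... but rejects a real member whose entry lives in another container.
    print(check_group("bob", GROUP_DN, WORKAROUND_TEMPLATE, resolve_dn=False))
    # 4. With the DN resolved first, the original template works for any container.
    print(check_group("bob", GROUP_DN, ORIGINAL_TEMPLATE, resolve_dn=True))
```

The fail-closed branch in `check_group` is the behaviour a defender wants: an empty or ambiguous user lookup should never be turned into a wildcard membership filter, and the `(member=)` search in the trace is the harmless side of that coin (no match, so the `users` rule rejects).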