Bug in freeradius 2?

Discussion in 'Server Operation' started by heinkonijn, Nov 15, 2011.

  1. heinkonijn

    heinkonijn New Member

    I ran into an issue with freeradius 2 and LDAP (eDirectory) groups.

    Authentication is working properly, just not reading the group memberships.

    I have this rule in /etc/raddb/users

    DEFAULT LDAP-Group!="cn=remote,ou=Groups,o=ABC", Auth-Type:=Reject
    Reply-Message="You are not allowed to connect"

When I do an LDAP trace on the LDAP server I get this:

    15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
    15:08:42 9353CBA0 LDAP: (10.60.1.12:53889)(0x0004:0x63) Sending operation result 0:"":"" to connection 0xca20780
    15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended on connection 0xca20780
    15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) DoExtended: Extension Request OID: 2.16.840.1.113719.1.39.42.100.13
    15:08:42 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0005:0x77) Sending operation result 0:"":"" to connection 0xca20780
    15:08:47 90490BA0 LDAP: (10.48.5.240:39601)(0x0002:0x63) Activating pending operation 0x2:0x63 on connection 0xccf1780
    15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) DoSearch on connection 0xca20780
    15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Search request:
    base: "ou=USERS,o=ABC"
    scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
    filter: "(uid=user)"
    attribute: "dn"
    15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending search result entry "cn=user,ou=Users,o=ABC" to connection 0xca20780
    15:08:48 94360BA0 LDAP: (10.60.1.12:53889)(0x0006:0x63) Sending operation result 0:"":"" to connection 0xca20780
    15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) DoSearch on connection 0xca20780
    15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Search request:
    base: "cn=remote,ou=Groups,o=ABC"
    scope:2 dereference:0 sizelimit:0 timelimit:3 attrsonly:0
    filter: "(|(&(objectClass=GroupOfNames)(member=))(&(object Class=GroupOfUniqueNames)(uniquemember=)))"
    attribute: "dn"
    15:08:48 B6AEABA0 LDAP: (10.60.1.12:53889)(0x0007:0x63) Sending operation result 0:"":"" to connection 0xca20780
    15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) DoSearch on connection 0xca20780
    15:08:48 9353CBA0 LDAP: (10.60.1.12:53889)(0x0008:0x63) Search request:

    So freeradius thinks the user is not a member.


    I have found what the issue is.

There is a filter in modules/ldap which says this:
    groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

    But it looks like the variable %{Ldap-UserDn} just doesn't work...
    I reworked the filter a bit to this:
    groupmembership_filter = "(&(objectClass=GroupOfNames)(member=cn=%{User-Name},ou=users,o=ABC))"

This is working now, but only for one container. Fortunately, all the users who use RADIUS are in this container, so it's OK for now, but it's not the best solution.

    Any suggestions about this?
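The trace above shows the two searches the LDAP module performs: first `(uid=user)` under the user base to obtain the DN, then a group search whose `member=` assertion came out empty because `%{Ldap-UserDn}` expanded to nothing, so no group entry could match and the user was treated as a non-member. The script below is an added example, not the poster's configuration or FreeRADIUS code; it models that flow against a small constructed in-memory directory (the `DIRECTORY` dict, the `expand_*`, `find_user_dn` and `check_membership` names and the `o=ABC` tree are all assumptions for the example). It contrasts a lenient expansion that silently emits `(member=)` with a strict one that refuses to build a filter from an empty attribute, and shows that looking the DN up rather than hard-coding `ou=users` also handles users in other containers.

```python
"""Model of the group-membership lookup seen in the LDAP trace: resolve the
user's DN by uid, expand the groupmembership_filter template with it, then test
the group entry. All directory data below is constructed for this example."""
import re

# Constructed stand-in for the directory: DN -> attributes (values as lists).
DIRECTORY = {
    "cn=user,ou=Users,o=ABC": {"objectClass": ["inetOrgPerson"], "uid": ["user"]},
    "cn=other,ou=Staff,o=ABC": {"objectClass": ["inetOrgPerson"], "uid": ["other"]},
    "cn=remote,ou=Groups,o=ABC": {
        "objectClass": ["GroupOfNames"],
        "member": ["cn=user,ou=Users,o=ABC", "cn=other,ou=Staff,o=ABC"],
    },
}

# Same shape as the filter in modules/ldap from the post.
GROUP_TEMPLATE = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"

VAR_RE = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def ldap_escape(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def expand_lenient(template, attrs):
    """Substitute %{Name} with attrs[Name]; a missing value becomes ''.
    This reproduces the '(member=)' assertion visible in the trace."""
    return VAR_RE.sub(lambda m: ldap_escape(attrs.get(m.group(1), "")), template)


def expand_strict(template, attrs):
    """Same substitution, but refuse to build a filter when a referenced
    attribute is missing or empty, so an empty assertion never reaches the server."""
    def sub(m):
        val = attrs.get(m.group(1))
        if not val:
            raise KeyError("attribute %s is empty; refusing to build filter" % m.group(1))
        return ldap_escape(val)
    return VAR_RE.sub(sub, template)


def find_user_dn(uid, base="ou=Users,o=ABC"):
    """First search from the trace: (uid=...) under base, returning the entry DN."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base.lower()) and uid in attrs.get("uid", []):
            return dn
    return None


def dn_equal(a, b):
    """DN comparison ignoring case and whitespace around RDN separators."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    return norm(a) == norm(b)


def group_has_member(group_dn, member_assertion):
    """Second search: does the GroupOfNames entry list member_assertion?
    An empty assertion matches nothing, which is why the trace returned no entry."""
    group = DIRECTORY.get(group_dn)
    if not group or "GroupOfNames" not in group["objectClass"] or not member_assertion:
        return False
    return any(dn_equal(m, member_assertion) for m in group.get("member", []))


def check_membership(uid, group_dn="cn=remote,ou=Groups,o=ABC", base="ou=Users,o=ABC"):
    """Full flow: resolve the DN, build the filter strictly, evaluate membership.
    Returns (filter_string, is_member); (None, False) when no DN could be resolved."""
    user_dn = find_user_dn(uid, base)
    attrs = {"User-Name": uid, "Ldap-UserDn": user_dn or ""}
    try:
        ldap_filter = expand_strict(GROUP_TEMPLATE, attrs)
    except KeyError:
        return None, False
    return ldap_filter, group_has_member(group_dn, user_dn)


if __name__ == "__main__":
    print(expand_lenient(GROUP_TEMPLATE, {"User-Name": "user"}))
    print(check_membership("user"))
    print(check_membership("other"))              # not found under ou=Users
    print(check_membership("other", base="o=ABC"))  # found when the whole tree is searched
```

The lenient expansion is what the trace shows on the wire; the strict one fails closed with a clear error instead of a silent non-match, which is the behaviour a practitioner would want when a group check gates access. Searching for the DN under `o=ABC` rather than a single `ou` is what removes the one-container limitation of the hard-coded `cn=%{User-Name},ou=users,o=ABC` workaround.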