(no subject)

(no subject)

Robert Graham

Dustin,

Thanks for the response.  I was kind of wondering if the location of the group in Active Directory was an issue.  But that brings up another question.  Doesn't an ldapsearch use the basedn as a starting point?  For instance, I have the basedn set as follows in radiusd.conf:

basedn = "ou=mem users,dc=mem-ins,dc=com"

And the structure of our AD is:

MEM-INS.COM
    |
    |
    |_MEM Users
          |
          |
          |
          |

And why is it that it can find the user "rgraham" but not the group?



> I'm trying to get Freeradius configured to authenticate our vpn users
> from a Cisco 3005 concentrator against Active Directory using the ldap
> module.  When I authenticated a vpn user on a per user basis - it works
> fine.  However, I want to authenticate not only the user, but also verify
> that the user is a member of a "group" in active directory.  I was
> following Dustin Doris's suggestion on Per-Client "group" matching and
> configured the huntgroups, users, and radiusd.conf accordingly.
> However, it seems to fail doing a group lookup.  I don't know if it
> matters, but the user object and group object in Active Directory are in
> different containers (OU's).  Any help would be appreciated.
>

You need to specify where the groups are located in AD.

> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat:  'ou=mem users,dc=mem-ins,dc=com'
> radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com)))'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=mem users,dc=mem-ins,dc=com, with filter (&(cn=MEMVPNFlex)(|(&(objectClass=GroupOfNames)(member=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com))))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group MEMVPNFlex not found or user is not a member.
>     users: Matched DEFAULT at 166

The user was not found in that group, based on the lookup above.

>  groupname_attribute = cn
>  groupmembership_filter =
>  "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
>   (&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>  groupmembership_attribute = radiusGroupName

You have to modify these so you can find the group memberships.  For
example, how would you perform an ldapsearch from the command line to
find group memberships?  Take that info and put it there.  Make sure the
user you are binding with has access to read those groups.

Hope that is a little helpful.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: (no subject)

Dusty Doris
On Fri, 17 Jun 2005, Graham, Robert wrote:

> Dustin,
>
> Thanks for the response.  I was kind of wondering if the location of the
> group in Active Directory was an issue.  But that brings up another
> question.  Doesn't an ldapsearch use the basedn as a starting point?  For
> instance, I have the basedn set as follows in radiusd.conf:
>
> basedn = "ou=mem users,dc=mem-ins,dc=com"
>
> And the structure of our AD is:
>
> MEM-INS.COM
>     |
>     |
>     |_MEM Users
>           |
>           |
>           |
>           |

Where are the groups at?  Are they under ou=mem users?  If so, you are
correct, you should be able to find it in your search.

>
>
> And why is it that it can find the user "rgraham" but not the group?
>

Either the ldap search query you have setup in radiusd.conf is incorrect,
or perhaps the user you are binding with doesn't have permissions to
search the groups?

Can you post an example, of what a group member would look like in AD?

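Added example, not from either poster: the command-line check that Dusty suggests in both replies ("how would you perform an ldapsearch from the command line to find group memberships?" and "perhaps the user you are binding with doesn't have permissions to search the groups?"), written as a small POSIX shell script. It assumes things the thread does not state: that MEMVPNFlex is an ordinary Active Directory group, which carries objectClass=group and lists its members as full DNs in the member attribute (AD does not use the GroupOfNames / GroupOfUniqueNames classes that appear in the posted filter); that the search is rooted at the domain, dc=mem-ins,dc=com, so a group living in an OU outside ou=mem users is still covered; and that the bind account can read the groups' OU. The host name dc1.mem-ins.com and the bind DN "CN=radius svc,..." are placeholders.

```shell
#!/bin/sh
# Added example (not the list posters' code).  Builds the ldapsearch an
# admin would run by hand to confirm that a user DN is listed in an AD
# group, and interprets what the search returns.
# Assumption: AD groups are objectClass=group with a multi-valued "member"
# attribute of full DNs; the bind account has read access to the groups' OU.

# Escape the RFC 4515 filter metacharacters in a value.  The user DN is
# placed inside the filter, so a CN containing '(' ')' '*' or '\' would
# otherwise change the meaning of the query.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter that matches the group named $1 only if $2 appears in its member list.
ad_group_member_filter() {
    grp=$(ldap_filter_escape "$1")
    dn=$(ldap_filter_escape "$2")
    printf '(&(objectClass=group)(cn=%s)(member=%s))' "$grp" "$dn"
}

# Print the command to paste into a terminal.  Subtree scope is ldapsearch's
# default, so rooting the base at the domain covers every OU; "1.1" asks for
# no attributes, so only the matching DN comes back.
ad_group_search_cmd() {
    host=$1; binddn=$2; base=$3; grp=$4; userdn=$5
    printf 'ldapsearch -x -LLL -H ldap://%s -D "%s" -W -b "%s" "%s" 1.1\n' \
        "$host" "$binddn" "$base" "$(ad_group_member_filter "$grp" "$userdn")"
}

# Decide membership from the LDIF ldapsearch printed.  Exactly one "dn:" line
# means the group exists, is readable by the bind account and lists the user.
# Zero means no readable group of that name lists the user, which is what
# rlm_ldap reports as "Group ... not found or user is not a member".  More than
# one is the "ambiguous search result" case (two groups with the same cn).
membership_from_ldif() {
    n=$(printf '%s\n' "$1" | grep -c '^dn:' || true)
    case $n in
        0) echo "not-a-member" ;;
        1) echo "member" ;;
        *) echo "ambiguous" ;;
    esac
}

# Print the search for the user and group from this thread (placeholder host
# and bind DN).
ad_group_search_cmd dc1.mem-ins.com \
    'CN=radius svc,OU=MEM Users,DC=mem-ins,DC=com' \
    'dc=mem-ins,dc=com' MEMVPNFlex \
    'CN=Rgraham,OU=Columbia,OU=MEM Users,DC=mem-ins,DC=com'
```

Run the printed ldapsearch with the same bind account radiusd uses: if it returns the group's DN the account can see the group and the user is a member, and if it returns nothing while an administrator's bind does, the problem is read permission on the groups' OU rather than the filter. Once the search works by hand, the same filter carries over to rlm_ldap with %{Ldap-UserDn} in place of the literal DN, i.e. groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))", together with a basedn wide enough to include the OU the groups live in.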