Netgate Discussion Forum
    Freeradius ldap group filter issue

    pfSense Packages
    2 Posts 2 Posters 4.1k Views
    astatine

      Hello everyone,

      I have a problem with the filter configuration for freeradius towards openldap (univention).

      Below is the user information in ldap:

      dn: cn=Wlan,cn=groups,dc=company,dc=de
      sambaGroupType: 2
      cn: Wlan
      objectClass: top
      objectClass: univentionGroup
      objectClass: posixGroup
      objectClass: univentionObject
      objectClass: sambaGroupMapping
      univentionObjectType: groups/group
      sambaSID: S-1-4-5075
      gidNumber: 5075
      univentionGroupType: -2147483646
      memberUid: testusername
      uniqueMember: uid=testusername,cn=users,dc=company,dc=de
      
      dn: uid=testusername,cn=users,dc=company,dc=de
      objectClass: krb5KDCEntry
      objectClass: person
      objectClass: automount
      objectClass: top
      objectClass: inetOrgPerson
      objectClass: sambaSamAccount
      objectClass: organizationalPerson
      objectClass: univentionPWHistory
      objectClass: univentionMail
      objectClass: univentionSAMLEnabled
      objectClass: shadowAccount
      objectClass: krb5Principal
      objectClass: posixAccount
      objectClass: univentionObject
      uidNumber: 2353
      sambaAcctFlags: [U          ]
      sambaPasswordHistory: XXXXX
      krb5MaxLife: 86400
      shadowLastChange: 17038
      userPassword:: XXXXX
      krb5MaxRenew: 604800
      krb5KeyVersionNumber: 1
      loginShell: /bin/bash
      univentionObjectType: users/user
      krb5KDCFlags: 126
      sambaPwdLastSet: 1472109464
      sambaSID: S-1-4-2353
      homeDirectory: /home/test
      gidNumber: 5001
      sambaPrimaryGroupSID: S-1-5-21-346590868-2059219292-2764211690-513
      mailPrimaryAddress: test@company.de
      uid: testusername
      cn: Testvorname Testnachname
      sn: Testnachname
      givenName: Testvorname
      gecos: Testvorname Testnachname
      displayName: Testvorname Testnachname
      

      The user (testusername) is in several groups, so the configuration without group filter below works fine.

      Server 192.168.191.20
      Port 389
      Identity uid=ldapsearchuser,cn=users,dc=company,dc=de
      Password ••••••••••••
      Basedn dc=company,dc=de
      Filter (uid=%{%{Stripped-User-Name}:-%{User-Name}})
      Base Filter (objectclass=person)
      

      But the problem is the group filter: I want only the users from group "Wlan" to be able to pass through. How can I configure it here? I have tried so many combinations, but none of them works.

      Groupname Attribute cn
      Groupmembership Filter (|(&(objectClass=posixGroup)(member=cn=Wlan,cn=groups,dc=company,dc=de))(&(objectClass=posixAccount)(uniqueMember=%{control:Ldap-UserDn})))
      Groupmembership Attribute Wlan

      Can anyone help me with the group filter? Already 5 days… no progress.
      Thank you in advance!

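As an added illustration (not part of the post above, and not FreeRADIUS's or pfSense's own code): a small evaluator for the subset of LDAP search-filter syntax used in the post, run offline against the two entries quoted there. It shows that the posted group filter matches neither entry, since the group carries `uniqueMember`/`memberUid` rather than `member` and the user entry has no `uniqueMember` at all; the comparison filter and the expansion of `%{control:Ldap-UserDn}` to the user's DN are assumptions made for the demonstration only.

```python
# Added example: minimal RFC 4515 filter evaluator (only &, |, ! and attr=value,
# the forms used on this page), applied to the entries quoted in the post.
import re

USER_DN = "uid=testusername,cn=users,dc=company,dc=de"
# Attributes copied from the two entries in the post, lower-cased for matching.
GROUP = {"objectclass": ["top", "univentiongroup", "posixgroup", "univentionobject",
                         "sambagroupmapping"],
         "cn": ["wlan"], "memberuid": ["testusername"], "uniquemember": [USER_DN]}
USER = {"objectclass": ["person", "posixaccount", "inetorgperson"],
        "uid": ["testusername"], "cn": ["testvorname testnachname"]}
ENTRIES = {"group": GROUP, "user": USER}

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (tree, next index)."""
    assert s[i] == "("
    if s[i + 1] in "&|":                      # (&...) / (|...) hold a list of sub-filters
        op, items, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            items.append(node)
        return (op, items), i + 1             # skip the closing ')'
    if s[i + 1] == "!":
        node, i = parse(s, i + 2)
        return ("!", [node]), i + 1
    m = re.match(r"([A-Za-z][\w.-]*)=([^)]*)\)", s[i + 1:])   # attr=value)
    return ("=", m.group(1).lower(), m.group(2).lower()), i + 1 + m.end()

def matches(node, entry):
    kind = node[0]
    if kind == "&": return all(matches(n, entry) for n in node[1])
    if kind == "|": return any(matches(n, entry) for n in node[1])
    if kind == "!": return not matches(node[1][0], entry)
    return node[2] in entry.get(node[1], [])  # an absent attribute never matches

def matching_entries(filter_text, entries=ENTRIES):
    tree, _ = parse(filter_text)
    return [name for name, e in entries.items() if matches(tree, e)]

# The filter from the post, with %{control:Ldap-UserDn} assumed expanded to USER_DN.
POSTED = ("(|(&(objectClass=posixGroup)(member=cn=Wlan,cn=groups,dc=company,dc=de))"
          f"(&(objectClass=posixAccount)(uniqueMember={USER_DN})))")
# Assumed comparison filter: group entries that list the user through the
# attributes the quoted group entry actually has (uniqueMember / memberUid).
COMPARISON = f"(&(objectClass=posixGroup)(|(uniqueMember={USER_DN})(memberUid=testusername)))"

if __name__ == "__main__":
    print("posted filter matches:", matching_entries(POSTED))        # []
    print("comparison filter matches:", matching_entries(COMPARISON))  # ['group']
```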
      Anfänger

        Still seems to be a bug in the freeradius implementation of LDAP-Authorize.
        See my post here: https://forum.pfsense.org/index.php?topic=82209.msg566789#msg566789
        and this: https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.