Freeradius ldap group filter issue
-
Hello everyone,
I have a problem with the filter configuration for FreeRADIUS towards OpenLDAP (Univention).
Below is the user information in LDAP:
dn: cn=Wlan,cn=groups,dc=company,dc=de
sambaGroupType: 2
cn: Wlan
objectClass: top
objectClass: univentionGroup
objectClass: posixGroup
objectClass: univentionObject
objectClass: sambaGroupMapping
univentionObjectType: groups/group
sambaSID: S-1-4-5075
gidNumber: 5075
univentionGroupType: -2147483646
memberUid: testusername
uniqueMember: uid=testusername,cn=users,dc=company,dc=de

dn: uid=testusername,cn=users,dc=company,dc=de
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionSAMLEnabled
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
objectClass: univentionObject
uidNumber: 2353
sambaAcctFlags: [U ]
sambaPasswordHistory: XXXXX
krb5MaxLife: 86400
shadowLastChange: 17038
userPassword:: XXXXX
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 1472109464
sambaSID: S-1-4-2353
homeDirectory: /home/test
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-346590868-2059219292-2764211690-513
mailPrimaryAddress: test@company.de
uid: testusername
cn: Testvorname Testnachname
sn: Testnachname
givenName: Testvorname
gecos: Testvorname Testnachname
displayName: Testvorname Testnachname
The user (testusername) is in several groups, so the configuration without a group filter below works fine.
Server 192.168.191.20
Port 389
Identity uid=ldapsearchuser,cn=users,dc=company,dc=de
Password ••••••••••••
Basedn dc=company,dc=de
Filter (uid=%{%{Stripped-User-Name}:-%{User-Name}})
Base Filter (objectclass=person)
But the problem is the group filter: I want only the users from the group "Wlan" to be able to pass through. How can I configure this here? I have tried so many combinations, but none of them works.
Groupname Attribute cn
Groupmembership Filter (|(&(objectClass=posixGroup)(member=cn=Wlan,cn=groups,dc=company,dc=de))(&(objectClass=posixAccount)(uniqueMember=%{control:Ldap-UserDn})))
Groupmembership Attribute Wlan
Can anyone help me with the group filter? Already 5 days… no progress.
Thank you in advance!
-
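As an added illustration (not code from either poster), the following Python evaluator for the filter subset used above, namely (&...), (|...) and (attr=value), is run against trimmed copies of the two LDIF entries from the post. It shows that the posted groupmembership filter selects no entry, since the group carries no `member` attribute and the user object is not a `posixGroup` and has no `uniqueMember`, while a filter that tests the attributes the group entry actually has (`memberUid`, `uniqueMember`) selects the Wlan group. The candidate filter and the `%{User-Name}` substitution are assumptions about this directory, not a confirmed fix for the pfSense/FreeRADIUS setup in the thread.

```python
# Minimal evaluator for the LDAP filter subset used in the post: (&...), (|...), (attr=value).
# Constructed test data: trimmed copies of the two LDIF entries in the post (values unchanged).
USER_DN = "uid=testusername,cn=users,dc=company,dc=de"
GROUP_DN = "cn=Wlan,cn=groups,dc=company,dc=de"
ENTRIES = {
    GROUP_DN: {"objectClass": {"top", "univentionGroup", "posixGroup", "sambaGroupMapping"},
               "cn": {"Wlan"}, "memberUid": {"testusername"}, "uniqueMember": {USER_DN}},
    USER_DN: {"objectClass": {"top", "person", "inetOrgPerson", "posixAccount"},
              "uid": {"testusername"}, "cn": {"Testvorname Testnachname"}},
}

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index just past its closing paren)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] in "&|":                      # (&...) / (|...) wrapping nested filters
        op, kids, i = f[i + 1], [], i + 2
        while f[i] != ")":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)                     # (attr=value); the value itself may contain '=' (a DN)
    attr, _, val = f[i + 1:end].partition("=")
    return ("=", attr, val), end + 1

def match(node, entry):
    """True if the filter selects this entry (values case-insensitive as for DNs; attribute names exact, a simplification)."""
    if node[0] == "&":
        return all(match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(match(k, entry) for k in node[1])
    _, attr, val = node
    return val.lower() in {v.lower() for v in entry.get(attr, ())}

def entries_selected(filter_template, user_name, user_dn):
    """Expand the two rlm_ldap-style substitutions seen in the post, then list the DNs the filter selects."""
    f = filter_template.replace("%{control:Ldap-UserDn}", user_dn).replace("%{User-Name}", user_name)
    tree, _ = parse(f)
    return sorted(dn for dn, attrs in ENTRIES.items() if match(tree, attrs))

# Filter from the post: wants a 'member' attribute (the group has none) and uniqueMember on posixAccount objects.
POSTED = ("(|(&(objectClass=posixGroup)(member=cn=Wlan,cn=groups,dc=company,dc=de))"
          "(&(objectClass=posixAccount)(uniqueMember=%{control:Ldap-UserDn})))")
# Assumed candidate for this directory: test the attributes the group entry actually carries.
CANDIDATE = ("(|(&(objectClass=posixGroup)(memberUid=%{User-Name}))"
             "(&(objectClass=posixGroup)(uniqueMember=%{control:Ldap-UserDn})))")
if __name__ == "__main__":
    print(entries_selected(POSTED, "testusername", USER_DN))     # []
    print(entries_selected(CANDIDATE, "testusername", USER_DN))  # ['cn=Wlan,cn=groups,dc=company,dc=de']
```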
Still seems to be a bug in the FreeRADIUS implementation of LDAP-Authorize.
See my post here: https://forum.pfsense.org/index.php?topic=82209.msg566789#msg566789
and this: https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428