Freeradius ldap group filter issue



  • Hallo everyone,

    I have a problem with the filter configration for freeradius towards openldap (univention).

    Below ist the user information in ldap:

    dn: cn=Wlan,cn=groups,dc=company,dc=de
    sambaGroupType: 2
    cn: Wlan
    objectClass: top
    objectClass: univentionGroup
    objectClass: posixGroup
    objectClass: univentionObject
    objectClass: sambaGroupMapping
    univentionObjectType: groups/group
    sambaSID: S-1-4-5075
    gidNumber: 5075
    univentionGroupType: -2147483646
    memberUid: testusername
    uniqueMember: uid=testusername,cn=users,dc=company,dc=de
    
    dn: uid=testusername,cn=users,dc=company,dc=de
    objectClass: krb5KDCEntry
    objectClass: person
    objectClass: automount
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: sambaSamAccount
    objectClass: organizationalPerson
    objectClass: univentionPWHistory
    objectClass: univentionMail
    objectClass: univentionSAMLEnabled
    objectClass: shadowAccount
    objectClass: krb5Principal
    objectClass: posixAccount
    objectClass: univentionObject
    uidNumber: 2353
    sambaAcctFlags: [U          ]
    sambaPasswordHistory: XXXXX
    krb5MaxLife: 86400
    shadowLastChange: 17038
    userPassword:: XXXXX
    krb5MaxRenew: 604800
    krb5KeyVersionNumber: 1
    loginShell: /bin/bash
    univentionObjectType: users/user
    krb5KDCFlags: 126
    sambaPwdLastSet: 1472109464
    sambaSID: S-1-4-2353
    homeDirectory: /home/test
    gidNumber: 5001
    sambaPrimaryGroupSID: S-1-5-21-346590868-2059219292-2764211690-513
    mailPrimaryAddress: test@company.de
    uid: testusername
    cn: Testvorname Testnachname
    sn: Testnachname
    givenName: Testvorname
    gecos: Testvorname Testnachname
    displayName: Testvorname Testnachname
    

    The user (testusername) is in serval group, so the configuration without group filter below works fine.

    Server 192.168.191.20
    Port 389
    Identity uid=ldapsearchuser,cn=users,dc=company,dc=de
    Password ••••••••••••
    Basedn dc=company,dc=de
    Filter (uid=%{%{Stripped-User-Name}:-%{User-Name}})
    Base Filter (objectclass=person)
    

    but the problem is the group filter, I want only the user from group "Wlan" can pass throught. How can i configure here? I have tried so many combinations. But no one works.

    Groupname Attribute cn
    Groupmembership Filter (|(&(objectClass=posixGroup)(member=cn=Wlan,cn=groups,dc=company,dc=de))(&(objectClass=posixAccount)(uniqueMember=%{control:Ldap-UserDn})))
    Groupmembership Attribute Wlan

    Can anyone help me with the group filter? already 5 days…no progress
    Thank you in advance!



  • Stills seems to be a bug in the freeradius implementation of LDAP-Auhtorize.
    See my post here : https://forum.pfsense.org/index.php?topic=82209.msg566789#msg566789
    and this : https://forum.pfsense.org/index.php?topic=43675.msg515428#msg515428


Log in to reply