New subject: rlm_ldap fails to extract user groups but ldapsearch succeeds

4 Aug 2020


      Hello,
Everything is set up on the same machine as described here:
https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_...
I'm trying to check whether a user belongs to a group or not:
(0)    if (LDAP-Group == "someusers") {
(0)    Searching for user in group "someusers"
rlm_ldap (ldap): Reserved connection (6)
(0)    Using user DN from request "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"
(0)    Checking for user in group objects
(0)      EXPAND (&(cn=someusers)(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)          --> (&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))
(0)      Performing search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local" with filter "(&(cn=someusers)(|(&(uid=common_user)(memberOf=cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local))))", scope "sub"
(0)      Waiting for search result...
(0)      Search returned no results
(0)    Checking user object's memberOf attributes
(0)      Performing unfiltered search in "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local", scope "base"
(0)      Waiting for search result...
(0)    No group membership attribute(s) found in user object
rlm_ldap (ldap): Released connection (6)
but
ldapsearch  -b "dc=domain,dc=local" "(&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))" -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=local> with scope subtree
# filter: (&(cn=someusers)(member=uid\3dcommon_user\2ccn\3dusers\2ccn\3daccounts\2cdc\3ddomain\2cdc\3dlocal))
# requesting: ALL
#
# someusers, groups, accounts, domain.local
dn: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
description: Default group for all users
cn: someusers
ipaUniqueID: ebca3046-a5a0-11ea-8166-9a6e275fb41f
member: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
member: uid=very_special_user,cn=users,cn=accounts,dc=domain,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
and
ldapsearch  -b "uid=common_user,cn=users,cn=accounts,dc=domain,dc=local"  -D uid=common_user,cn=users,cn=accounts,dc=domain,dc=local -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=common_user,cn=users,cn=accounts,dc=domain,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# common_user, users, accounts, domain.local
dn: uid=common_user,cn=users,cn=accounts,dc=domain,dc=local
displayName: utilisateur banal
uid: common_user
krbCanonicalName: common_user@DOMAIN.LOCAL
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipauserauthtypeclass
loginShell: /bin/bash
initials: ub
gecos: utilisateur banal
sn: banal
homeDirectory: /home/common_user
mail: common_user@domain.local
krbPrincipalName: common_user@DOMAIN.LOCAL
givenName: utilisateur
cn: utilisateur banal
ipaUniqueID: some_unique_ID
uidNumber: theSameNumber
gidNumber: theSameNumber
krbPasswordExpiration: the_pass_exp
krbLastPwdChange: the_pass_exp
memberOf: cn=someusers,cn=groups,cn=accounts,dc=domain,dc=local
memberOf: cn=manyemoreusers,cn=groups,cn=accounts,dc=domain,dc=local
ipaUserAuthType: o_type
ipaSshPubKey: some_pubkey
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Some of the configuration:
/etc/raddb/sites-enabled/default
...
user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        sasl {
        }
    }
    group {
        base_dn = 'uid=common_user,cn=users,cn=accounts,dc=domain,dc=local'
        scope = 'sub'
        membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"
        membership_attribute = 'memberOf'
    }
/etc/raddb/mods-enabled/ldap
...
post-auth {
    update {
        &reply: += &session-state:
    }
    -sql
    exec
    remove_reply_message_if_eap
    Post-Auth-Type REJECT {
        -sql
        attr_filter.access_reject
eap
remove_reply_message_if_eap
    }
    Post-Auth-Type Challenge {
    }
    if (LDAP-Group == "someusers") {
            update  {
                    reply:Class := "OKOKOKOKOK"
        }
    }
    else {
            update  {
                    reply:Class := "NONONONONO"
         }
    }
}
Where to go from here?
Kind regards