(RADIATOR) Problems with Authby LDAP2 and SearchFilter

Jethro R Binks jethro.binks at strath.ac.uk
Mon Feb 14 09:56:48 CST 2005


Hello all,

I'm using AuthBy LDAP2 against Active Directory, and authentication works 
fine when using a SearchFilter like so:

    SearchFilter (&(%0=%1)(objectClass=organizationalPerson))

It also works with this:

    SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=*))

However if I specify something like:

    SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=*ITS*))

where "ITS" represents some substring that is present in at least one 
value of memberOf, the LDAP filter doesn't match a user.

This doesn't work either:

    SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=CN*))

(values of memberOf being of the form CN=...).

If I have something like:

        AuthAttrDef     memberOf,Class,reply

then the values of LDAP attribute memberOf are correctly transferred to 
multiple Radius Class attributes.

I suspect it is something to do with the fact that memberOf is 
multivalued.  If I use another attribute, it works as expected, including 
with wildcards.  Is there a bug, or am I misunderstanding something?


Perhaps or perhaps not related, if I have:

        AuthAttrDef     attr,Class,reply

where "attr" is a locally-defined LDAP attribute (that is present on a 
tested object), the value doesn't get added to the Class Radius attribute.  
But most native AD ones work.


Another observation is that if I don't have any AuthAttrDef at all, Trace 
4 output gives me a full list of all attributes received (which includes 
the 'attr' mentioned above):

Mon Feb 14 15:50:39 2005: DEBUG: LDAP got result for CN=myuser
Mon Feb 14 15:50:39 2005: DEBUG: LDAP got memberOf: CN=ITS-...
Mon Feb 14 15:50:39 2005: DEBUG: LDAP got cn: myuser
Mon Feb 14 15:50:39 2005: DEBUG: LDAP got department: information technology services...
...

whereas having an AuthAttrDef, the same Trace level produces output only 
for the mentioned attribute:

Mon Feb 14 15:52:24 2005: DEBUG: LDAP got result for CN=myuser
Mon Feb 14 15:52:24 2005: DEBUG: LDAP got department: information technology services


My intention, of course, is to limit matches to user accounts that have 
particular values for attributes, in this case membership of a group.  
Perhaps there's a better way to do it.

I am running Radiator-3.11 with patch set as of a couple of days ago.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
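Added example (not from the post above, nor Radiator's own code): in Active Directory, memberOf is a DN-syntax attribute, and DN-syntax attributes support only equality matching, so a substring pattern such as `*ITS*` can never match; the group has to be named by its full DN. The helper below builds such a filter, escapes the value that Radiator's `%1` placeholder would carry (assumed here to be the user name, with `%0` the user-name attribute) per RFC 4515, and checks a constructed sample entry against the group DN the way the server would compare it.

```python
# Constructed sample entry, shaped like the Trace 4 output in the post
# (not real directory data).
SAMPLE_ENTRY = {
    "cn": ["myuser"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "memberOf": [
        "CN=ITS-Staff,OU=Groups,DC=example,DC=ac,DC=uk",
        "CN=All-Users,OU=Groups,DC=example,DC=ac,DC=uk",
    ],
}

# RFC 4515: these characters are filter syntax and must be written as a
# backslash plus two hex digits when they occur inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username_attr: str, username: str, group_dn: str) -> str:
    """Filter equivalent to the post's '(&(%0=%1)(objectClass=...))', with an
    exact memberOf match on the group DN instead of a wildcard pattern."""
    return (
        f"(&({username_attr}={escape_filter_value(username)})"
        "(objectClass=organizationalPerson)"
        f"(memberOf={escape_filter_value(group_dn)}))"
    )


def _normalise_dn(dn: str) -> str:
    """Case-fold and trim each RDN so two DNs compare the way a server does.
    Simplified: commas escaped inside an RDN value are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def user_in_group(entry: dict, group_dn: str) -> bool:
    """Local equivalent of the exact-DN memberOf assertion: equality only,
    so a group named by a substring of its DN does not match."""
    wanted = _normalise_dn(group_dn)
    return any(_normalise_dn(dn) == wanted for dn in entry.get("memberOf", []))
```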

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
