(RADIATOR) Problems with Authby LDAP2 and SearchFilter

Mike McCauley mikem at open.com.au
Tue Feb 15 00:44:42 CST 2005


Hello Jethro,

On Tuesday 15 February 2005 01:56, Jethro R Binks wrote:
> Hello all,
>
> I'm using AuthBy LDAP2 against Active Directory, and authentication works
> fine when using a SearchFilter like so:
>
>     SearchFilter (&(%0=%1)(objectClass=organizationalPerson))
>
> It also works with this:
>
>     SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=*))
>
> However if I specify something like:
>
>     SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=*ITS*))
>
> where "ITS" represents some substring that is present in at least one
> value of memberOf, the LDAP filter doesn't match a user.
>
> This doesn't work either:
>
>     SearchFilter (&(%0=%1)(objectClass=organizationalPerson)(memberOf=CN*))
>
> (values of memberOf being of the form CN=...).
>
> If I have something like:
>
>         AuthAttrDef     memberOf,Class,reply
>
> then the values of LDAP attribute memberOf are correctly transferred to
> multiple Radius Class attributes.
>
> I suspect it is something to do with the fact that memberOf is
> multivalued.  If I use another attribute, it works as expected, including
> with wildcards.  Is there a bug, or am I misunderstanding something?
I'm not sure.
At any rate, it looks like an issue to do with how the LDAP server behaves, 
rather than Radiator.
It might be worthwhile to try issuing some of these searches by hand using 
ldapsearch, something like:

ldapsearch -D 'cn=Administrator,dc=open,dc=com,dc=au' -w admin -R -b "cn=Users" \
    -h uniform -s sub "(&(name=fred)(objectClass=organizationalPerson)(memberOf=CN*))"

When we do that here, I note that doing wildcard matches on memberOf in AD 
doesn't seem to work. It does work if you match the entire memberOf attribute:

ldapsearch -D 'cn=Administrator,cn=Users,dc=open,dc=com,dc=au' -w admin -h uniform \
    -b 'dc=open,dc=com,dc=au' -x \
    '(&(name=fred)(memberOf=CN=Domain Guests,CN=Users,DC=open,DC=com,DC=au))'

Cheers.



>
>
> Perhaps or perhaps not related, if I have:
>
>         AuthAttrDef     attr,Class,reply
>
> where "attr" is a locally-defined LDAP attribute (that is present on a
> tested object), the value doesn't get added to Class Radius attribute.
> But most native AD ones work.
>
>
> Another observation is that if I don't have any AuthAttrDef at all, Trace
> 4 output gives me a full list of all attributes received (which includes
> the 'attr' mentioned above):
>
> Mon Feb 14 15:50:39 2005: DEBUG: LDAP got result for CN=myuser
> Mon Feb 14 15:50:39 2005: DEBUG: LDAP got memberOf: CN=ITS-...
> Mon Feb 14 15:50:39 2005: DEBUG: LDAP got cn: myuser
> Mon Feb 14 15:50:39 2005: DEBUG: LDAP got department: information
> technology services... ...
>
> whereas having an AuthAttrDef, the same Trace level produces output only
> for the mentioned attribute:
This is common with most LDAP searches: if you don't specify which specific 
attributes you want returned, you get them all.

>
> Mon Feb 14 15:52:24 2005: DEBUG: LDAP got result for CN=myuser
> Mon Feb 14 15:52:24 2005: DEBUG: LDAP got department: information
> technology services
>
>
> My intention, of course, is to limit matches to user accounts that have
> particular values for attributes, in this case membership of a group.
> Perhaps there's a better way to do it.
>
> I am running Radiator-3.11 with patch set as of a couple days ago.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
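The filters traded in this thread substitute the RADIUS username for %1 and, as Mike found, only match memberOf when the whole group DN is given (memberOf is a DN-syntax attribute, and AD does not evaluate substring filters such as memberOf=CN* on those). The following is an added example, not Radiator code and not from either poster: it builds the same filter shapes in Python with RFC 4515 escaping of the substituted username, and includes a local equality check over a multivalued memberOf. The sample entry and the example.org DNs are constructed for the example.

```python
"""Build SearchFilter-style LDAP filters with RFC 4515 escaping, and check
group membership the way an exact memberOf match does.  Added example; the
sample entry below is constructed, not taken from a real directory."""
from typing import Dict, List, Optional, Union

# RFC 4515 section 3: these characters must be encoded as \XX inside a filter
# value, otherwise they change the structure of the filter itself.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it can be substituted into a filter as plain text.

    A User-Name from a RADIUS request should never be pasted into a filter
    raw: an unescaped '*', '(' or ')' would alter the search itself.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(user_attr: str, username: str,
                        group_dn: Optional[str] = None) -> str:
    """Return a filter shaped like the thread's SearchFilter lines.

    %0 corresponds to user_attr and %1 to username.  When group_dn is given,
    the memberOf clause compares the entire DN, which is the form that works
    against Active Directory (wildcards such as memberOf=CN* do not).
    """
    clauses = [
        f"({user_attr}={escape_filter_value(username)})",
        "(objectClass=organizationalPerson)",
    ]
    if group_dn is not None:
        clauses.append(f"(memberOf={escape_filter_value(group_dn)})")
    return "(&" + "".join(clauses) + ")"


def user_in_group(entry: Dict[str, Union[str, List[str]]], group_dn: str) -> bool:
    """Local equivalent of the memberOf equality match.

    memberOf is multivalued, so every value is compared as a whole DN,
    case-insensitively, the way the directory's equality rule does.
    """
    values = entry.get("memberOf", [])
    if isinstance(values, str):
        values = [values]
    return any(v.casefold() == group_dn.casefold() for v in values)


# Constructed sample entry, shaped like the Trace 4 output quoted in the thread.
SAMPLE_ENTRY: Dict[str, Union[str, List[str]]] = {
    "cn": "myuser",
    "memberOf": [
        "CN=ITS-Staff,CN=Users,DC=example,DC=org",
        "CN=Domain Users,CN=Users,DC=example,DC=org",
    ],
    "department": "information technology services",
}


if __name__ == "__main__":
    print(build_search_filter("sAMAccountName", "fred"))
    print(build_search_filter("name", "fred",
                              "CN=Domain Guests,CN=Users,DC=open,DC=com,DC=au"))
    print(build_search_filter("name", "fr*d"))   # the '*' is escaped, not a wildcard
    print(user_in_group(SAMPLE_ENTRY, "cn=its-staff,cn=users,dc=example,dc=org"))
```

The escaping is the part worth keeping even once the memberOf question is settled: the filter text that reaches the directory should contain the username only as data, never as filter syntax.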
