Environment
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)
NetIQ eDirectory
Situation
After configuring group membership checking with FreeRADIUS, the check fails and the following messages appear in the FreeRADIUS log file:
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group group_name not found or user is not a member.
Resolution
Change the default "groupmembership_filter" in the "/etc/raddb/modules/ldap" module file to the following:
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
Cause
The default filter shipped with FreeRADIUS references the Ldap-UserDn attribute without a list qualifier, so it expands to an empty string and the "member" and "uniquemember" values in the search filter are blank. The default filter looks as follows:
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
The above results in the following incorrect LDAP search being performed:
rlm_ldap: performing search in o=ldap_context, with filter
(&(cn=ldap_group)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
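To see why the default filter expands to an empty member value, the following is an added Python simulation of the FreeRADIUS %{...} attribute expansion; it is not FreeRADIUS code. It assumes (as in FreeRADIUS 2.x) that an unqualified %{Ldap-UserDn} is looked up only in the request list, while rlm_ldap stores the user's DN in the control list, so only %{control:Ldap-UserDn} resolves; the sample DN, the list contents and the RFC 4515 escape helper are constructed for this example.

```python
import re

# Matches %{Attr} and %{list:Attr} references (request, control or reply list).
XLAT = re.compile(r"%\{(?:(request|control|reply):)?([A-Za-z0-9-]+)\}")


def ldap_filter_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a DN value cannot alter the filter
    structure (simplified stand-in for the escaping rlm_ldap applies itself)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def expand_xlat(template: str, lists: dict) -> str:
    """Simulated xlat: unqualified references use the request list (assumption);
    an attribute that is absent from the chosen list expands to ''."""
    def repl(m):
        list_name = m.group(1) or "request"
        value = lists.get(list_name, {}).get(m.group(2), "")
        return ldap_filter_escape(value)
    return XLAT.sub(repl, template)


# The shipped (broken) filter and the corrected one from the Resolution above.
DEFAULT_FILTER = ('(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))'
                  '(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))')
FIXED_FILTER = ('(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))'
                '(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))')


def group_filter(template: str, group_cn: str, lists: dict) -> str:
    """Wrap the membership filter as the log on this page shows: (&(cn=group)(...))."""
    return "(&(cn=%s)%s)" % (ldap_filter_escape(group_cn), expand_xlat(template, lists))


def has_blank_member(filter_text: str) -> bool:
    """True when the expanded filter carries an empty member/uniquemember value."""
    return "(member=)" in filter_text or "(uniquemember=)" in filter_text


# Constructed sample state after the user lookup: rlm_ldap has placed the
# user's DN in the control list, not in the request list.
SAMPLE_LISTS = {
    "request": {"User-Name": "jdoe"},
    "control": {"Ldap-UserDn": "cn=jdoe,ou=users,o=ldap_context"},
}

if __name__ == "__main__":
    print("default:", group_filter(DEFAULT_FILTER, "ldap_group", SAMPLE_LISTS))
    print("fixed:  ", group_filter(FIXED_FILTER, "ldap_group", SAMPLE_LISTS))
```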