Well, the order definitely does matter. So the rule about the Admins should be before the more general rule.
If you do this from the GUI you should not have to call a configreload. The logs should tell you which of the authentication rules is matched.

I'm sorry for asking the obvious, but are you quite sure the group DN is 'CN=Domain Admins,CN=Users,DC=domain,DC=com'? Case matters, for instance. It has to be an exact match.

Post the relevant packetfence.log lines if you want. That should tell us which source and rule is matched.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Sep 29, 2015, at 13:23 , mourik jan heupink <[email protected]> wrote:

> Hi,
>
> For my active directory user source, I have two rules: domain_users and
> domain_admins.
>
> However, using bin/pftest authentication I see that even though I am a
> domain_admin, my role is set to unu_merit_domain_users.
>
> Here are relevant bits from authentication.conf:
>
>> [our-ad]
>> description=samba4 ad
>> password=secret
>> scope=one
>> binddn=CN=search packetfence,CN=Users,DC=domain,DC=com
>> basedn=CN=Users,DC=samba,DC=domain,DC=com
>> usernameattribute=sAMAccountName
>> connection_timeout=5
>> stripped_user_name=yes
>> encryption=none
>> port=389
>> type=AD
>> host=samba.domain.com
>>
>> [our-ad rule domain_users]
>> description=our domain users
>> match=all
>> action0=set_role=domain_users
>> action1=set_access_duration=365D
>>
>> [our-ad rule domain_admins]
>> description=our domain admins
>> match=
>> action0=set_unreg_date=2020-01-01
>> action1=set_access_level=ALL
>> action2=set_role=domain_admins
>> condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com
>>
>
> So: default rule is domain_user, but in case the user is member of
> CN=Domain Admins,CN=Users,DC=domain,DC=com (which I am!) I should get
> the domain_admins role.
>
> Changing the order of the rules also does not help.
>
> (or should I restart more than just bin/pfcmd configreload to make it
> work?)
>
> This is on packetfence 5.3.1, wheezy, the above source is used both for
> inline and 802.1x authentication. (and all works perfectly, just with
> the wrong role applied)
>
> MJ
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
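To make the ordering point concrete, here is an added example (not from the thread and not PacketFence's own code) of a first-match evaluation over rules written in authentication.conf syntax. The rule section format follows the file quoted above; the matching semantics (rules tried in file order, first match wins, `equals` as an exact case-sensitive comparison) are an assumption modelling what the reply describes, and the rule text and user attributes are constructed.

```python
import configparser

# Constructed rules in file order: the catch-all domain_users rule comes first.
# match=all with no conditions is satisfied by every user, so it shadows the
# more specific domain_admins rule that follows it.
RULES_WRONG_ORDER = """
[our-ad rule domain_users]
match=all
action0=set_role=domain_users

[our-ad rule domain_admins]
match=all
action0=set_role=domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com
"""

def load_rules(text):
    """Parse rule sections into (name, match_mode, conditions, actions), preserving file order."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        items = dict(cp.items(section))
        # condition values are "attr,op,value"; maxsplit=2 keeps the commas inside the DN intact
        conds = [tuple(v.split(",", 2)) for k, v in items.items() if k.startswith("condition")]
        actions = dict(v.split("=", 1) for k, v in items.items() if k.startswith("action"))
        rules.append((section.split(" rule ", 1)[1], items.get("match", "all"), conds, actions))
    return rules

def condition_holds(attrs, attr, op, value):
    """'equals' is an exact, case-sensitive string comparison; memberOf is multi-valued."""
    if op != "equals":
        raise ValueError(f"operator not modelled here: {op}")
    return any(value == member for member in attrs.get(attr, []))

def first_matching_rule(rules, attrs):
    """Walk the rules in order; the first rule whose conditions hold supplies the actions."""
    for name, mode, conds, actions in rules:
        results = [condition_holds(attrs, *c) for c in conds]
        if (mode == "all" and all(results)) or (mode == "any" and any(results)):
            return name, actions
    return None, {}

def specific_first(rules):
    """Stable sort: rules with more conditions go first, so catch-all rules end up last."""
    return sorted(rules, key=lambda r: -len(r[2]))
```

With the rules as written, a Domain Admins member gets domain_users; after `specific_first`, the same user gets domain_admins, while a lowercase copy of the DN still falls through to the catch-all.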
