Hi Louis,

Yes, I'm positive about the groupname. Packetfence.log tells me:

Sep 29 19:45:38 pftest(5073) INFO: [our-ad] Authentication successful for username (pf::Authentication::Source::LDAPSource::authenticate)
Sep 29 19:45:38 pftest(5073) INFO: [our-ad domain_admins] Found a match (CN=username,CN=Users,DC=domain,DC=com) (pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 29 19:45:38 pftest(5073) INFO: [our-ad domain_users] Found a match (CN=username,CN=Users,DC=domain,DC=com) (pf::Authentication::Source::LDAPSource::match_in_subclass)

So it matches both, but the one that is ultimately applied is the domain_users role...

The domain_admins rule is the first rule, domain_users second, just as you indicate below here.

Ideas?

MJ

On 29-9-2015 19:40, Louis Munro wrote:
Well, the order definitely does matter.
So the rule about the Admins should be before the more general rule.

If you do this from the GUI you should not have to call a configreload.

The logs should tell you which of the authentication rules is matched.

I'm sorry for asking the obvious, but are you quite sure the group DN is 'CN=Domain Admins,CN=Users,DC=domain,DC=com'?
Case matters for instance.
It has to be an exact match.

Post the packetfence.log relevant lines if you want.
That should tell us which source and rule is matched.

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On Sep 29, 2015, at 13:23 , mourik jan heupink <[email protected]> wrote:

Hi,

For my active directory use source, I have two rules: domain_users and
domain_admins.

However, using bin/pftest authentication I see that even though I am a
domain_admin, my role is set to unu_merit_domain_users.

Here are relevant bits from authentication.conf:

[our-ad]
description=samba4 ad
password=secret
scope=one
binddn=CN=search packetfence,CN=Users,DC=domain,DC=com
basedn=CN=Users,DC=samba,DC=domain,DC=com
usernameattribute=sAMAccountName
connection_timeout=5
stripped_user_name=yes
encryption=none
port=389
type=AD
host=samba.domain.com

[our-ad rule domain_users]
description=our domain users
match=all
action0=set_role=domain_users
action1=set_access_duration=365D

[our-ad rule domain_admins]
description=our domain admins
match=
action0=set_unreg_date=2020-01-01
action1=set_access_level=ALL
action2=set_role=domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com


So: default rule is domain_user, but in case the user is member of
CN=Domain Admins,CN=Users,DC=domain,DC=com (which I am!) I should get
the domain_admins role.

Changing the order of the rules also does not help.

(or should I restart more than just bin/pfcmd configreload to make it
work?)

This is on packetfence 5.3.1, wheezy, the above source is used both for
inline and 802.1x authentication. (and all works perfectly, just with
the wrong role applied)

MJ

------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected] <mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
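An added illustration, not part of the thread and not PacketFence's own code: a small Python model of first-match rule evaluation over an authentication.conf fragment constructed to mirror the rules quoted above. It assumes that rules are evaluated in file order, that the first matching rule is applied, and that a rule with no conditions matches every user (the behaviour Louis describes and the posted log suggests); the parser and the user attribute sets are constructed for the example.

```python
import configparser

# Constructed authentication.conf fragment mirroring the thread (not the OP's file verbatim).
AUTH_CONF = """[our-ad rule domain_users]
description=our domain users
match=all
action0=set_role=domain_users

[our-ad rule domain_admins]
description=our domain admins
match=all
action0=set_role=domain_admins
condition0=memberOf,equals,CN=Domain Admins,CN=Users,DC=domain,DC=com
"""
# Constructed LDAP attribute sets; memberOf is multi-valued in AD.
ADMIN_USER = {"memberOf": ["CN=Domain Admins,CN=Users,DC=domain,DC=com"]}
PLAIN_USER = {"memberOf": ["CN=Staff,CN=Users,DC=domain,DC=com"]}
LOWERCASE_ADMIN = {"memberOf": ["cn=domain admins,cn=users,dc=domain,dc=com"]}

def parse_rules(text):
    """Return the '[source rule name]' sections in file order as (name, match, conditions, actions)."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    rules = []
    for section in cp.sections():  # sections() preserves file order
        opts = dict(cp.items(section))
        # A DN value contains commas itself, so split a condition on at most two.
        conds = [tuple(v.split(",", 2)) for k, v in sorted(opts.items()) if k.startswith("condition")]
        actions = dict(v.split("=", 1) for k, v in sorted(opts.items()) if k.startswith("action"))
        rules.append((section.split(" rule ", 1)[1], opts.get("match", "all"), conds, actions))
    return rules

def condition_holds(attrs, attr, op, value):
    """'equals' is an exact, case-sensitive comparison against any value of the attribute."""
    if op != "equals":
        raise ValueError(f"operator {op!r} not modelled here")
    return value in attrs.get(attr, [])

def first_matching_rule(rules, attrs):
    """First match wins: returns (rule name, role) or (None, None)."""
    for name, mode, conds, actions in rules:
        results = [condition_holds(attrs, *c) for c in conds]
        # match=all with no conditions is vacuously true: a catch-all placed first shadows later rules.
        if all(results) if mode == "all" else any(results):
            return name, actions.get("set_role")
    return None, None

def reordered(rules, first):
    """Move the rule named `first` to the front, keeping the others in file order."""
    return [r for r in rules if r[0] == first] + [r for r in rules if r[0] != first]
```

With the file order above the admin user gets domain_users; moving domain_admins ahead of the catch-all yields domain_admins, while a DN differing only in case still falls through to domain_users because equals is exact.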