I have SBR setup to auth users via Bind, but I can't pull any attributes from the LDAP server. For instance, I want a user's group membership returned when they are authenticated, but I get nothing.
I am using NTRadPing to test and the results are "Class=SBR2CL\ a bunch of hex" The SBR version is 5.4. If NTRadPing is not the best util to test this functionality on I can try a different one.
The documentation is not helpful and I can't find much else about the setup for something like this. I have seen a few things about ldapauth.aut and the settings there, but it is not clear to me.
Any suggestions, or where to start, would be appreciated.
Hi David,
1- I suggest debugging using SBR's logs. Configure LogLevel=2 and TraceLevel=2 in radius.ini plus LogLevel=2 in the [Settings] section of your ldapauth.aut file. Restart required. SBR should then log the attributes that are returned from LDAP in the main server log (YYYYMMDD.log).
2- That "class" attribute that you see in the test results is automatically returned by SBR and is expected to be included in any related accounting requests that follow. This attribute is used by SBR to manage internal resources like IP address assignments and/or user concurrency limits.
3- Also in the ldapauth.aut file, be sure to have the attributes that you care about listed in the attributes list [Attributes/AttrList] referenced in your search section [Search/DoLdapSearch]. Or leave the attr list empty, which signifies "get all attributes for the matching record".
4- And you'll also want to map the LDAP attribute to a radius response attribute in the [Response] section. Whatever radius attribute your Radius client device requires, provided it is in a dictionary file associated with the radius client entry in the GUI.
5- In the case of a multi-valued LDAP attribute, you might find that SBR is only returning one of the values. If you need multiple, you might need to explore the LDAP JavaScript module which can be used to concatenate multiple LDAP values into a single radius attribute.
Hope this helps. If you need more assistance, you might want to reach out to JTAC. Or feel free to post questions here.
Brian
Brian,
I did what you suggested and I must be doing something wrong. I am under the assumption the groups are in LDAP under "objectClass". Below is a piece of my ldapauth.aut file. Does it look correct or no?
[Request]
%UserName = User-Name
%objectclass = class
;%Password = userpassword
;Service-Type =
;%NASName = nameofnas
;%NASAddress =
[Response]
;Filter-Id =
;loginGraceLimit = loginGraceLimit
%Profile =
%objectclass = class
;Session-Timeout =
%FullName = Fullname
;%Password = userpassword
[Search/DoLdapSearch]
Base = ou=Users, ou=Internal, o=MYCO
Scope = 2
Filter = uid=<User-Name>
Attributes = AttrList
Timeout = 20
%DN = dn
[Attributes/AttrList]
;Filter-Id
;Session-Timeout
;thepasswordis
objectClass
- objectClass is probably not the LDAP attribute that contains the group name. See if you can get an LDIF file of a typical user. I'm guessing it's going to be something along the lines of "memberOf" or "groupMembership", etc.
- In the [Response] section, the format should actually be:
[Response]
Radius-Attribute = ldapAttribute
"%" is reserved for SBR-functions like Password and Profile. So for your specific case:
Class = someLdapAttribute
- If your Radius client expects the group name to be in the "class" attribute -- a misappropriation of the attribute that fortunately vendors have been moving away from -- you might eventually need to disable SBR's class attribute in vendor.ini (send-class-attribute=no for your particular Make/Model of Radius client). Otherwise, your device might try to interpret SBR's class as the group name. But there are consequences of doing that, for example, SBR might not be able to manage IP address pools or user concurrency limits properly without its "class" being present in the accounting requests. But perhaps that is not an issue for your environment.
Hope this helps.
Brian
Ok, I figured out the LDAP server does not have the pointers from the user to the groups so I had to do a second search in the OU that contains groups and search for the username. Now the problem I am having is that not all groups are returned. For example, user JBond is part of MYCOgroup, MYCOadmins, and MYCOall groups. When SBR queries the OU with groups I only get one group returned (MYCOadmins).
How do I get all groups returned? Do I need to use LDAP scripts?
Below is the output of the relevant ldapauth.aut sections and part of the logs.
=========================
[Request]
%UserName = User-Name
;%Password = userpassword
;Service-Type =
;%NASName = nameofnas
;%NASAddress =
[Search/UserName]
Base = ou=Users, ou=Internal, o=MYCO
Scope = 2
Filter = uid=<User-Name>
Attributes = UserAttrList
Timeout = 20
%DN = dn
UserCN = cn
umbAccess = umbAccess
OnFound = Group
[Search/Group]
Base = ou=ApplicationGroups,o=MYCO
Scope = 2
Filter = member=<DN>
Attributes = GroupAttrList
Timeout = 20
LDAPGroups = dn
OnFound = $accept
[Attributes/UserAttrList]
;Filter-Id
;Session-Timeout
;thepasswordis
uid
cn
MYCOgroup
[Attributes/GroupAttrList]
cn
member
[Response]
%Profile = DATASEC
Access-Values = MYCOgroup
User-DN = %DN
Class = LDAPGroups
==========================
log
06/28/2010 16:18:55 LDAPAUTH: Setting variable User-Name = "JBond"
06/28/2010 16:18:55 LDAPAUTH: Bind succeeded for user "JBond", dn = "cn=JBond, ou=Users, ou=Internal, o=MYCO"
06/28/2010 16:18:55 LDAPAUTH: No elements, DoBind returning.
06/28/2010 16:18:55 LDAPAUTH: Performing search; base = ou=Users, ou=Internal, o=MYCO, scope = 2, filter = uid=JBond, attrs = uid,cn,MYCOgroup,loginGraceRemaining,loginGraceLimit
06/28/2010 16:18:55 LDAPAUTH: Search returned loginGraceLimit;loginGraceRemaining;MYCOgroup;cn;uid
06/28/2010 16:18:55 LDAPAUTH: Search returned DN = "cn=JBond,ou=Users,ou=Internal,o=MYCO"
06/28/2010 16:18:55 LDAPAUTH: Setting variable dn = "cn=JBond,ou=Users,ou=Internal,o=MYCO"
06/28/2010 16:18:55 LDAPAUTH: No elements, DoBind returning.
06/28/2010 16:18:55 LDAPAUTH: Performing search; base = ou=ApplicationGroups,o=MYCO, scope = 2, filter = member=cn=JBond,ou=Users,ou=Internal,o=MYCO, attrs = cn,member,loginGraceRemaining,loginGraceLimit
06/28/2010 16:18:55 LDAPAUTH: Search returned member;cn
06/28/2010 16:18:55 LDAPAUTH: Search returned DN = "cn=MYCOadmins,ou=ApplicationGroups,o=MYCO"
06/28/2010 16:18:55 LDAPAUTH: Authentication attempt = 0, user = JBond, server = s1 - Success
06/28/2010 16:18:55 Determined that JBond authenticated by plug-in module is the user
06/28/2010 16:18:55 Getting profile info for requesting user
06/28/2010 16:18:55 Merging saved attributes with user info
06/28/2010 16:18:55 Merging profile info with user info
06/28/2010 16:18:55 Comparing checklist items with user/profile items
06/28/2010 16:18:55 Appending echo values, if any
06/28/2010 16:18:55 User JBond being passed to attribute editing authentication methods
06/28/2010 16:18:55 Class subattribute: DistName : String Value = JBond
06/28/2010 16:18:55 Class subattribute: AuthType : String Value = 200
06/28/2010 16:18:55 Class subattribute: TransactionId : Value =
06/28/2010 16:18:55 000: 34bcb4df 73cb37e8 00000001 |4...s.7..... |
06/28/2010 16:18:55 Sent accept response for user JBond to client SSLVPN
Yes, to be able to reference all of the values instead of just the first one returned you would need some sort of custom JavaScript code and an LDAP JavaScript license. I don't have details on how that would look, but I'd bet professional services could help. You could inquire about that and the license key with your sales rep.
Rgds,
Brian
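The two-stage lookup from the ldapauth.aut above (uid search, then member=<DN> search in the groups OU) and the concatenation Brian describes, as an added example that is not part of this thread and not SBR's JavaScript module or any Juniper code. It is a Python stand-in with a constructed in-memory directory in place of the MYCO LDAP server; the DNs are taken from the posted config and log, the extra group and user are made up.

```python
# Constructed in-memory stand-in for the MYCO directory (not a real LDAP server).
# The bind log showed "cn=JBond, ou=Users, ou=Internal, o=MYCO" with spaces while the
# search returned it without, so DNs are normalized before every comparison.
DIRECTORY = {
    "cn=JBond,ou=Users,ou=Internal,o=MYCO":
        {"uid": ["JBond"], "cn": ["JBond"]},
    "cn=MYCOgroup,ou=ApplicationGroups,o=MYCO":
        {"cn": ["MYCOgroup"], "member": ["cn=JBond, ou=Users, ou=Internal, o=MYCO"]},
    "cn=MYCOadmins,ou=ApplicationGroups,o=MYCO":
        {"cn": ["MYCOadmins"], "member": ["cn=JBond,ou=Users,ou=Internal,o=MYCO"]},
    "cn=MYCOall,ou=ApplicationGroups,o=MYCO":
        {"cn": ["MYCOall"], "member": ["cn=JBond,ou=Users,ou=Internal,o=MYCO"]},
    "cn=Finance,ou=ApplicationGroups,o=MYCO":   # constructed: JBond is not a member
        {"cn": ["Finance"], "member": ["cn=MMoneypenny,ou=Users,ou=Internal,o=MYCO"]},
}


def normalize_dn(dn):
    """Strip the optional spaces after commas and fold case, so both log spellings match."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def search(base, attr, value):
    """Subtree search (Scope = 2) under base for entries whose attr holds value."""
    base_n, value_n = normalize_dn(base), normalize_dn(value)
    hits = []
    for dn, attrs in DIRECTORY.items():
        dn_n = normalize_dn(dn)
        if dn_n != base_n and not dn_n.endswith("," + base_n):
            continue
        if any(normalize_dn(v) == value_n for v in attrs.get(attr, [])):
            hits.append(dn)
    return hits


def user_dn(username):
    """[Search/UserName]: Filter = uid=<User-Name>, %DN = dn."""
    hits = search("ou=Users, ou=Internal, o=MYCO", "uid", username)
    return hits[0] if hits else None


def group_cns(dn):
    """[Search/Group]: Filter = member=<DN>; returns every matching group's cn."""
    groups = search("ou=ApplicationGroups,o=MYCO", "member", dn)
    return sorted(DIRECTORY[g]["cn"][0] for g in groups)


def class_value(username, sep=";"):
    """Concatenate all group names into one string for the Class response attribute;
    taking only values[0] here would reproduce the single-group result in the thread."""
    dn = user_dn(username)
    return sep.join(group_cns(dn)) if dn else None
```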