FreeRADIUS 2 to 3.0: Migration experience and nested LDAP groups

Since I migrated a FreeRADIUS 2.x server to 3.0 (finally!) I ran across some syntactical changes that have been in this release branch and sharing a small bit on the experience here on my blog.

Do I have redo my config from scratch?

The good news from my experience: No. If you haven’t totally messed up the default configurations a lot of snippets will still work with quick minor changes. Read twice, enter once and it’s likely going to fly quickly. As the project strongly recommends: You should really NOT reuse your FreeRADIUS 2.x configuration but start with the clean default configuration for v3, then modify them to the desired state. Unfortunately the experience of successfully adding back previous settings one by one I didn’t spot a difference that made my LDAP queries not work as I had expected them.

In FreeRADIUS 2.1.2 modules/ldap had the following default:

ldap {

[...]
   groupmembership_filter = "(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objectClass=top)(uniquemember=%{control:Ldap-UserDn})))"
[...]

In FreeRADIUS 3.0.11 these options are split into into their own group section but the groupmembership_filter was also separated:

    group {
[...]
    #  Filter for group objects, should match all available
    #  group objects a user might be a member of.
    filter = '(objectClass=posixGroup)'

[...]
    #  Filter to find group objects a user is a member of.
    #  That is, group objects with attributes that
    #  identify members (the inverse of membership_attribute).
#   membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

[...]

Now the filter for to identity group objects is short with filter and the membership_filter contains the query related to filtering the membership.

In my case the LDAP directory is an Active Directory where nested groups are not only allowed but I see them quite frequently used. Unfortunately standard queries won’t reveal nested memberships as this requires a specific query only supported by AD LDAP servers. Thankfully Nasser Heidari blogged how this could be achieved with FreeRADIUS 2 – and since most of my local changes worked readily with FreeRADIUS 3 I didn’t realize this had to be changed in a minor way.

In short in FreeRADIUS 2.x it was

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

In FreeRADIUS 3.0 you want to split this to i.e.

filter = '(objectCategory=group)'
membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

Not a huge difference but if someone is rubbing his or her eyes during migration, this one seemed to be ok for me.

If you care about not running outdated software that isn’t really receiving much more love by the developers I can only encourage you moving to 3.0. Not only have there been a ton of performance improvements – there are definitely improvements in the configuration syntax I like as well.

January 5, 2016

Posted In: Uncategorized

Tags: , , ,

Leave a Comment