Unable to pass AD Group membership in Filter-Id Attribute - contents shows ARRAY(0x...)

Deployed privacyIDEA on Ubuntu 18.04 LTS server in my lab environment. Integrated with AD for user authentication. Trying to pass AD Group membership in the RADIUS Filter-Id attribute, I get (from Wireshark):

Attribute Value Pairs
    AVP: t=Vendor-Specific(26) l=20 vnd=NetKnights GmbH(44929)
    AVP: t=Filter-Id(11) l=23 val=ARRAY(0x7f67e83b9310)
    AVP: t=Reply-Message(18) l=28 val=privacyIDEA access granted
    AVP: t=Proxy-State(33) l=5 val=323130 

The JSON returned by the API Call is:

{
  "detail": {
    "message": "matching 1 tokens",
    "otplen": 6,
    "serial": "OATH0001CD7B",
    "threadid": 139707855726336,
    "type": "hotp",
    "user": {
      "email": "george.lucas@arubalab.uk",
      "givenname": "George",
      "groups": [
        "CN=Star Wars,CN=Users,DC=arubalab,DC=uk",
        "CN=Executive,CN=Users,DC=arubalab,DC=uk",
        "CN=Remote Desktop Users,CN=Builtin,DC=arubalab,DC=uk"
      ],
      "mobile": "",
      "password": "",
      "phone": "",
      "surname": "Lucas",
      "username": "george"
    }
  },
  "id": 1,
  "jsonrpc": "2.0",
  "result": {
    "status": true,
    "value": true
  },

My rlm_perl.ini file contains:

[Mapping]
serial = privacyIDEA-Serial

[Mapping user]
groups = Filter-Id

Any thoughts as to what I am doing wrong?

I think multivalue attributes are only supported in the [Attribute ...] section, not in the [Mapping ...] section.

That seems to be the case …

I modified my rlm_perl.ini file to:

[Attribute Filter-Id]
dir = user
userAttribute = groups
regex = CN=(.*)

This now results in three Filter-Id attributes in the RADIUS Access-Accept, one for each value in the “groups” array.

Thanks.
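To illustrate how the working [Attribute Filter-Id] section turns the "groups" array into one RADIUS attribute per value, here is an added Python model of that mapping. It is not the privacyIDEA rlm_perl code; the dir/userAttribute/regex semantics are modelled as assumed from the thread (regex applied to each value, capture group 1 taken as the attribute value). It also runs a constructed anchored pattern `^CN=([^,]+)` beside the posted `CN=(.*)`, because the greedy pattern sends the whole remainder of the DN to the NAS, not just the group name.

```python
import re

# Constructed excerpt of the /validate/check response quoted in the thread
API_RESPONSE = {
    "detail": {
        "user": {
            "username": "george",
            "groups": [
                "CN=Star Wars,CN=Users,DC=arubalab,DC=uk",
                "CN=Executive,CN=Users,DC=arubalab,DC=uk",
                "CN=Remote Desktop Users,CN=Builtin,DC=arubalab,DC=uk",
            ],
        },
    },
    "result": {"status": True, "value": True},
}


def map_attribute(response, radius_attr, section_dir, user_attribute, regex):
    """Model (assumption, not the plugin's code) of one [Attribute <radius_attr>]
    section: read userAttribute from detail (dir=detail) or detail.user (dir=user),
    apply regex to every value, emit one (attribute, value) pair per match."""
    source = response["detail"]
    if section_dir == "user":
        source = source["user"]
    values = source.get(user_attribute, [])
    if not isinstance(values, list):  # a scalar attribute yields a single AVP
        values = [values]
    pattern = re.compile(regex)
    avps = []
    for value in values:
        match = pattern.search(str(value))
        if match:  # group 1 if the regex captures, else the whole match
            avps.append(
                (radius_attr, match.group(1) if match.groups() else match.group(0)))
    return avps


def filter_ids_as_posted():
    """The section from the thread: greedy CN=(.*) keeps the rest of the DN."""
    return map_attribute(API_RESPONSE, "Filter-Id", "user", "groups", r"CN=(.*)")


def filter_ids_group_names():
    """Constructed variant: anchored class stops at the first comma of the DN."""
    return map_attribute(API_RESPONSE, "Filter-Id", "user", "groups", r"^CN=([^,]+)")


if __name__ == "__main__":
    for attr, value in filter_ids_as_posted() + filter_ids_group_names():
        print(f"{attr} = {value}")
```

Whichever regex is used, the NAS policy that matches on Filter-Id must expect exactly the string form this mapping emits.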
