Username in group membership in FreeRADIUS LDAP is case sensitive

All,

we are using FreeRADIUS for 802.1X authentication with dynamic VLAN assignment via an LDAP group.
It works great so far, but the group membership cannot be determined when the username is not entered exactly as it is stored in LDAP, e.g. Mustermann works, while mustermann or MUstermann do not.

Any idea how this can be fixed? Is it possible to make this LDAP search case-insensitive?

Here is the LDAP search used in /etc/freeradius/3.0/sites-enabled/default:

    ldap

    # Rewrite the username if it is a machine account. In this case the krb5PrincipalName is passed as User-Name in the request.
    if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.neocube.local/) {
        update request {
            # The uid attribute in the LDAP object is filled with the host name and a trailing dollar sign.
            User-Name := "%{1}$"
        }
    }

    # Check if the user or machine exists and do post-auth actions,
    # else do nothing in post-auth.
    # This way we also make sure that we do not change the VLAN ID again if the non-EAP auth (MAC address auth) succeeded before (see above).
    if ("%{ldap:ldap:///dc=neocube,dc=local?uid?sub?(uid=%{User-Name})}") {

        # For known users as well as for known machines we take the vlan-id from the group the user/machine is a member of.
        # In case there are assignments for several groups, the first vlan-id is automatically taken.
        if ("%{ldap:ldap:///dc=neocube,dc=local?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
            update reply {
                Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=neocube,dc=local?univentionVlanId?sub?(&(memberUid=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
            }
        }
        # If we can't find a matching VLAN ID for the user or machine client in LDAP, we return the default VLAN ID, if configured.
        # If no default vlan-id is configured in UCR, we do not return any VLAN information.
        elsif ("18") {
            update reply {
                Reply-Message := "DEBUG: Not found, assigning default VLAN-ID"
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "18"
            }
        }
    }

We also tried to replace memberUid with uniqueMember in the LDAP search without luck.

Any help with this issue is much appreciated!

Hi neoc,

I’m sure this would cause some security concerns. You are manipulating the request to always fit the right pattern, plus you could collide usernames. This isn’t Windows, which is case-aware but not case-sensitive :wink:

Opt for one method for naming users (whatever it is going to be), to avoid having Mustermann and mustermann in the same domain.
Alternatively, beat your users with a stick each time they come complaining they can’t sign in. Make them remember their username forever :wink:

Cheers

Mastodon
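Editor's note on the actual cause, with an added example that is not part of either post above and not Univention's or FreeRADIUS's own code. The user lookup `(uid=...)` in the original config already tolerates any case because the core-schema uid attribute is matched with caseIgnoreMatch, whereas memberUid from the RFC 2307 NIS schema is defined with EQUALITY caseExactIA5Match, so the directory compares it byte for byte. The smallest change is therefore to resolve the spelling the directory stores first and feed that into the group filter; the canonical value then comes from the directory, not from the supplicant, which also addresses the request-manipulation concern raised in the reply. The unlang below for the `default` site assumes the poster's base DN and attribute names, keeps the "18" default VLAN from the original snippet, and uses the FreeRADIUS internal attribute Tmp-String-0 as scratch space; the machine-account rewrite from the original goes in front of it unchanged.

```unlang
# Added example (editor's), not taken from the original post or from Univention.
# Assumes the poster's base DN dc=neocube,dc=local, the univention* attributes
# from the original snippet, and that no two uid values differ only in case.

ldap

# (machine-account rewrite of User-Name from the original snippet goes here)

# Step 1: resolve the spelling the directory stores. uid is matched with
# caseIgnoreMatch, so (uid=mustermann) also finds "Mustermann", and the xlat
# returns the stored value rather than what the supplicant typed. Tmp-String-0
# is an internal attribute and is never sent to the NAS.
update request {
    Tmp-String-0 := "%{ldap:ldap:///dc=neocube,dc=local?uid?sub?(uid=%{User-Name})}"
}

# Step 2: only known users/machines get a VLAN. memberUid (RFC 2307 schema)
# is matched with caseExactIA5Match, so the group filter gets the canonical
# spelling from step 1 instead of User-Name.
if ("%{Tmp-String-0}") {
    if ("%{ldap:ldap:///dc=neocube,dc=local?univentionVlanId?sub?(&(memberUid=%{Tmp-String-0})(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}") {
        update reply {
            Reply-Message := "DEBUG: Assigning VLAN-ID from user / computer object"
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "%{ldap:ldap:///dc=neocube,dc=local?univentionVlanId?sub?(&(memberUid=%{Tmp-String-0})(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))}"
        }
    }
    # Default VLAN exactly as in the original snippet ("18" being the value
    # configured in UCR there).
    elsif ("18") {
        update reply {
            Reply-Message := "DEBUG: Not found, assigning default VLAN-ID"
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "18"
        }
    }
}

# Alternative if you would rather let the server fold case: an extensible-match
# filter (RFC 4515) names the matching rule explicitly. OpenLDAP accepts it
# because caseIgnoreIA5Match and memberUid share the IA5String syntax. The
# equality index on memberUid is built for caseExactIA5Match and cannot serve
# this rule, so the search runs unindexed; fine for a small directory, and the
# two-step variant above is preferable on a large one.
#
#   (&(memberUid:caseIgnoreIA5Match:=%{User-Name})(univentionObjectType=groups/group)(univentionVlanId=*)(univentionNetworkAccess=1))
```

Before relying on either variant, confirm that no two uid values in the directory differ only in case: the `%{ldap:...}` expansion yields a single value, so a pair like Mustermann and mustermann would resolve to one of them without any error. If such pairs exist, the advice in the reply above applies and the names have to be deduplicated first; only a unique canonical form makes it safe to treat the differently-cased spellings as one account.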