Univention Bugzilla – Bug 57373
radius ldap filter needs uid from ipmanaged clients
Last modified: 2024-06-25 13:23:59 CEST
https://forge.univention.org/bugzilla/show_bug.cgi?id=56060
https://forge.univention.org/bugzilla/show_bug.cgi?id=57069

Related to these bugs, we found another issue, because UDM object computer/windows works, but UDM object computer/ipmanagedclient did not work.

We receive the following message from an ipmanagedclient:

    Mon May 13 13:00:03 2024 : Auth: (302) Login incorrect (eap_md5: Cleartext-Password is required for EAP-MD5 authentication): [000000000000/<via Auth-Type = CSID>] (from client unifi-switch118 port 32 cli 00:00:00:00:00:00)

Config /etc/freeradius/3.0/sites-available/default:

    if (control:Auth-Type == "CSID" && EAP-Message ) {
        if ("%{ldap:ldap:///dc=example,dc=intranet?uid?sub?(macAddress=%{Calling-Station-Id})}") {
            update request {
                Tmp-String-0 := "%{ldap:ldap:///dc=example,dc=intranet?uid?sub?(macAddress=%{Calling-Station-Id})}" # The uid attribute in the ldap object is filled with the host name and a trailing dollar sign.
            }
            if ("%{ldap:ldap:///dc=example,dc=intranet?univentionNetworkAccess?sub?(|(&(|(memberUid=%{Tmp-String-0})(macAddress=%{Calling-Station-Id}))(univentionObjectType=groups/group)(univentionNetworkAccess=1))(&(uid=%{Tmp-String-0})(>
                update control {
                    Cleartext-Password := "%{User-Name}"
                }
            }

Assumption: In addition to univentionNetworkAccess, the LDAP filter also requires the uid. But they don't exist on ipmanaged clients.

Could you confirm this?

It would make sense to implement the radius functionality for all computer objects. The customer has about 800 ipmanaged clients that require radius access.
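
A small model of the outer `if` from the config excerpt above, added here as an illustration; it is not part of the original report or of Univention's code. The directory entries are constructed, and the missing uid on the ipmanagedclient entry is the reporter's assumption, not a confirmed fact; the inner filter is truncated in the report and is not modelled.

```python
# Constructed sample entries (not from the bug report). Assumption being
# illustrated: computer/ipmanagedclient objects carry macAddress but no uid.
ENTRIES = [
    {"dn": "cn=win01,cn=computers,dc=example,dc=intranet",
     "univentionObjectType": ["computers/windows"],
     "macAddress": ["00:11:22:33:44:55"], "uid": ["win01$"]},
    {"dn": "cn=printer01,cn=computers,dc=example,dc=intranet",
     "univentionObjectType": ["computers/ipmanagedclient"],
     "macAddress": ["66:77:88:99:aa:bb"]},
]


def ldap_xlat(entries, attr, mac):
    """Model of %{ldap:ldap:///base?attr?sub?(macAddress=mac)}.

    Returns the first value of `attr` on the first entry whose macAddress
    matches (case-insensitively), or "" when no entry matches or the
    matching entry has no such attribute.
    """
    for entry in entries:
        macs = [m.lower() for m in entry.get("macAddress", [])]
        if mac.lower() in macs:
            values = entry.get(attr, [])
            return values[0] if values else ""
    return ""


def outer_gate(entries, mac):
    """Evaluate the outer `if` of the excerpt for one Calling-Station-Id.

    An empty expansion is false in unlang, so when the uid lookup yields
    nothing, the block that later sets Cleartext-Password is never entered.
    Returns (block_entered, value_assigned_to_Tmp_String_0).
    """
    uid = ldap_xlat(entries, "uid", mac)
    return (uid != "", uid)


def hosts_skipped(entries):
    """DNs of entries with a macAddress for which the outer gate is false."""
    skipped = []
    for entry in entries:
        macs = entry.get("macAddress", [])
        if macs and not outer_gate(entries, macs[0])[0]:
            skipped.append(entry["dn"])
    return skipped


if __name__ == "__main__":
    for dn in hosts_skipped(ENTRIES):
        print("Cleartext-Password block not reached for:", dn)
```
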