How to configure USERS file to assign the VLAN ID according to LDAP group name?

richard Bai baixin at gmail.com
Wed Nov 1 19:38:38 CET 2006


Hi Alan,

I changed "Group" to "Ldap-Group" in the *users* file; however, FreeRADIUS
cannot find the group name I specify in the *users* file. I think the reason
is that the *basedn* ("ou=people,dc=richard,dc=com") I set in *radiusd.conf*
is for users only; the group is bound to a different *basedn*
("ou=group,dc=richard,dc=com"). So, ldap_groupcmp() cannot find the group
in the *basedn* ("ou=people,dc=richard,dc=com"). Since I don't want to
authenticate the group membership, just want to get the name of the
group to which the user belongs, I don't think I need to configure any
group authentication for LDAP.
The result is that the user is authenticated, but the
*Tunnel-Private-Group-ID* is not assigned in the Access-Accept message
because no group name matches.
When I changed it back, it works fine. I am not sure what "Group" represents
in FreeRADIUS. I only configured group "1" and group "10" in LDAP. I did
a test as follows.
I changed the name of group "10" to group "20" in LDAP, and kept all other
configurations. When the user who was in group "10" before and is in group
"20" now tried to authenticate, it was successful except that no
*Tunnel-Private-Group-ID* was assigned, since there is no group "20" in the
*users* file. So, I assume that "Group" does have something to do with the
LDAP group.
I am using SuSE enterprise server 10 and the OpenLDAP integrated with it. Do
you think the groups configured in LDAP have some relationship with the Unix
group you mentioned?

Richard


On 10/31/06, Alan DeKok <aland at deployingradius.com> wrote:
>
> "Richard" <baixin at gmail.com> wrote:
> > Right now the situation is the RADIUS can authenticate the user in
> > LDAP. But the group attribute does work.
>
> As I said before, "Group" is for Unix groups.  If you want to check
> LDAP groups, you should use the LDAP-Group attribute.
>
> Alan DeKok.
> --
> http://deployingradius.com       - The web site of the book
> http://deployingradius.com/blog/ - The blog
>
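The base-DN scoping problem described in the message above, as an added illustration that is not part of the original thread and is not FreeRADIUS code: a small Python model of an LDAP subtree-scope search, showing why a group lookup rooted at the people branch matches nothing while one rooted at the common parent does. Only the two base DNs and the group names "1" and "10" come from the message; the user names, the posixGroup/memberUid schema and all function names are constructed assumptions.

```python
# Constructed directory contents (assumption: posixGroup entries with memberUid).
ENTRIES = {
    "uid=alice,ou=people,dc=richard,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=richard,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=1,ou=group,dc=richard,dc=com": {"objectClass": ["posixGroup"], "cn": ["1"], "memberUid": ["bob"]},
    "cn=10,ou=group,dc=richard,dc=com": {"objectClass": ["posixGroup"], "cn": ["10"], "memberUid": ["alice"]},
}


def rdns(dn):
    """Split a DN into normalised RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_subtree(dn, base):
    """True if dn is the base entry or lies below it (subtree scope).

    Compared RDN by RDN, so 'ou=people2,...' is not treated as being
    under 'ou=people,...' the way a plain string suffix test could be.
    """
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def group_search(base, group, user, entries=ENTRIES):
    """Return DNs of group entries named `group` under `base` that list `user`."""
    return [
        dn for dn, attrs in entries.items()
        if in_subtree(dn, base)
        and "posixGroup" in attrs.get("objectClass", [])
        and group in attrs.get("cn", [])
        and user in attrs.get("memberUid", [])
    ]


def matched_group(base, user, groups_in_users_file, entries=ENTRIES):
    """First group listed in the users file that the search confirms, else None.

    None models the outcome in the message: the user is accepted but no
    group matches, so no Tunnel-Private-Group-ID is added to the reply.
    """
    for group in groups_in_users_file:
        if group_search(base, group, user, entries):
            return group
    return None


if __name__ == "__main__":
    for base in ("ou=people,dc=richard,dc=com", "dc=richard,dc=com"):
        print(base, "->", matched_group(base, "alice", ["1", "10"]))
```
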