Configure authentication via LDAP Group membership issue
David Hobley
david.hobley at mionegroup.com
Tue Oct 23 08:10:51 CEST 2007
I have set up a VPN pointing to a FreeRadius server and have it
authenticating successfully against my LDAP server, but I would also like to
limit access to only those people who are a member of the VPN group.
Normally, this would be simple, but because of the LDAP server I am using,
the hierarchy looks like this:
User Account:
ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
uidNumber: 1024
...
Group entry is:
ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
memberUid: 1024
...
So I need to somehow configure Radius to search on me, get my uidNumber and
then search on the group. If I skip the searching to get the uidNumber, I
can configure the Radius (for this single account) correctly:
In the ldap module I include:
...
groupname_attribute = cn
groupmembership_filter = "(memberUid=1024)"
with the following entry in the users file:
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User
and this works as expected, but is there any way I can substitute the 1024
for an ldap search result so I can dynamically return the uidNumber for the
%{User-Name} field?
Thanks!
Cheers,
David
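Added example, not code from the post or from FreeRADIUS: the two-hop check the post describes (look up the account's uidNumber, then test it against the group's memberUid values) carried out in Python over constructed LDIF shaped like the ldapsearch output above. The second account and the extra memberUid value are made up for the sample.

```python
"""Two-hop group check: uid -> uidNumber -> memberUid, as the post asks for."""

# Constructed LDIF in the shape of the ldapsearch output quoted in the post.
# memberUid holds uidNumbers, not uids, so matching the login name against
# memberUid directly never succeeds; the number has to be resolved first.
SAMPLE_LDIF = """\
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
uid: firstname.lastname
uidNumber: 1024

dn: uid=other.user,ou=people,dc=MY,dc=DOMAIN
uid: other.user
uidNumber: 1025

dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
cn: VPN Users
memberUid: 1024
memberUid: 2048
"""


def parse_ldif(text):
    """Split blank-line separated LDIF into dicts of attr -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def search(entries, attr, value):
    """Equality filter, the same thing "(uid=...)" does in ldapsearch."""
    return [e for e in entries if value in e.get(attr, [])]


def resolve_uid_number(entries, username):
    """First hop: find the account by uid and return its uidNumber (or None)."""
    hits = search(entries, "uid", username)
    if len(hits) != 1:  # unknown or ambiguous account: refuse to guess
        return None
    return hits[0].get("uidNumber", [None])[0]


def in_group(entries, username, group_cn):
    """Second hop: the group's memberUid list must contain that uidNumber."""
    number = resolve_uid_number(entries, username)
    if number is None:
        return False
    return any(number in g.get("memberUid", []) for g in search(entries, "cn", group_cn))
```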