Group Authorization Question

Mike Diggins mike.diggins at
Thu Jan 1 20:03:47 CET 2009

On Thu, 1 Jan 2009, tnt at wrote:

>> I made a little progress since my last email. I discovered how to return a
>> group name in the Reply-Message attribute, and then parse that on my
>> appliance. I'm wondering though, if I have users with multiple group
>> membership, should I create a string of group names such as
>> "group1,group2, group3" for each user, and return that as the
>> Reply-Message? Is that a sensible way to do it, or is there a better way?
> You can also return multiple attributes (with different values) using the +=
> operator.

Thanks. I'll try that as well.

On a related note, should the rlm_dbm_parser program be able to convert the
users file (assuming it is the correct syntax) directly? It complains
about the ntlm_auth type.

[root at dradius1 rlm_dbm]# ./rlm_dbm_parser -c -i users -o userdb
users[50]: syntax error
Error: Unknown value ntlm_auth for attribute Auth-Type

Record loaded: 0
Lines parsed: 50
Record skiped: 0
Warnings: 0
Errors: 1

My users file contains:

[root at dradius1 rlm_dbm]# cat users | grep -v "^#"

diggins         Auth-Type := ntlm_auth
                 Reply-Message =  "Group=Staff",
                 Reply-Message +=  "Group=Network"

DEFAULT         Auth-Type := ntlm_auth

DEFAULT Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP

         Framed-Protocol = SLIP,
         Framed-Compression = Van-Jacobson-TCP-IP

         Framed-Protocol = SLIP
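
Added example, not part of the original post: Python code for the appliance-side parsing discussed above, reading several Reply-Message attributes (RFC 2865 type 18) out of one Access-Accept and accepting both the `+=` form and the comma-separated string. The `KNOWN_GROUPS` allowlist, the function names and the sample packets are assumptions constructed for illustration; the Response Authenticator is zeroed and not verified here.

```python
import struct

REPLY_MESSAGE = 18                    # RFC 2865 attribute type
ACCESS_ACCEPT = 2                     # RFC 2865 packet code
KNOWN_GROUPS = {"Staff", "Network"}   # assumed allowlist held by the appliance

def build_accept(messages, ident=1):
    """Constructed sample Access-Accept; authenticator is zeroed (not verified here)."""
    attrs = b"".join(bytes([REPLY_MESSAGE, len(m) + 2]) + m.encode() for m in messages)
    return struct.pack("!BBH16s", ACCESS_ACCEPT, ident, 20 + len(attrs), b"\0" * 16) + attrs

def reply_messages(packet):
    """Return every Reply-Message value in the packet, in order."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Accept")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == REPLY_MESSAGE:
            out.append(packet[pos + 2:pos + alen].decode("utf-8"))
        pos += alen
    return out

def groups_from(packet):
    """Accept one 'Group=a,b' string or several 'Group=x' attributes."""
    groups = set()
    for msg in reply_messages(packet):
        key, sep, value = msg.partition("=")
        if key != "Group" or not sep:
            continue                  # unrelated Reply-Message text is ignored
        for name in value.split(","):
            name = name.strip()
            if name in KNOWN_GROUPS:  # unknown names grant nothing
                groups.add(name)
    return groups

if __name__ == "__main__":
    print(sorted(groups_from(build_accept(["Group=Staff", "Group=Network"]))))
```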

