Group Authorization Question

Mike Diggins mike.diggins at mcmaster.ca
Thu Jan 1 20:03:47 CET 2009


On Thu, 1 Jan 2009, tnt at kalik.net wrote:

>> I made a little progress since my last email. I discovered how to return a
>> group name in the Reply-Message attribute, and then parse that on my
>> appliance. I'm wondering though, if I have users with multiple group
>> membership, should I create a string of group names such as
>> "group1,group2, group3" for each user, and return that as the
>> Reply-Message? Is that a sensible way to do it, or is there a better way?
>>
>
> You can also return multiple attributes (with different values) using +=
> operator.

Thanks. I'll try that as well.

On a related note, should the rlm_dbm_parser program be able to convert the
users file (assuming it is the correct syntax) directly? It complains
about the ntlm_auth type.

[root@dradius1 rlm_dbm]# ./rlm_dbm_parser -c -i users -o userdb
/usr/local/src/freeradius-server-2.1.1/src/modules/rlm_dbm/.libs/lt-rlm_dbm_parser: users[50]: syntax error
Error: Unknown value ntlm_auth for attribute Auth-Type

Record loaded: 0
Lines parsed: 50
Record skiped: 0
Warnings: 0
Errors: 1

My users file contains:

[root@dradius1 rlm_dbm]# cat users | grep -v "^#"


diggins         Auth-Type := ntlm_auth
                 Reply-Message =  "Group=Staff",
                 Reply-Message +=  "Group=Network"

DEFAULT         Auth-Type := ntlm_auth


DEFAULT Framed-Protocol == PPP
         Framed-Protocol = PPP,
         Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
         Framed-Protocol = SLIP,
         Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
         Framed-Protocol = SLIP


-Mike
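
Added example, not part of the original post and not FreeRADIUS code: the appliance side of the exchange discussed above, verifying the RFC 2865 Response Authenticator on an Access-Accept before reading `Group=` values from its Reply-Message attributes. The function names, shared secret, Request Authenticator and packet are constructed for illustration; it accepts both one group per attribute (the `+=` form) and a comma-separated list in one attribute.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2    # RFC 2865 packet code
REPLY_MESSAGE = 18   # RFC 2865 attribute type

def response_auth(ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, messages):
    # Constructed test input: an Access-Accept with one Reply-Message per string.
    encoded = [m.encode() for m in messages]
    attrs = b"".join(bytes([REPLY_MESSAGE, 2 + len(m)]) + m for m in encoded)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_auth(ident, attrs, request_auth, secret) + attrs

def groups_from_accept(packet, request_auth, secret, known_groups):
    # Returns the granted groups; an empty set means "grant nothing".
    if len(packet) < 20:
        return set()
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return set()
    attrs = packet[20:]
    expected = response_auth(ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return set()  # reply was not produced with the shared secret
    groups, i = set(), 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return set()  # malformed attribute: trust none of the packet
        atype, alen = attrs[i], attrs[i + 1]
        text = attrs[i + 2:i + alen].decode("utf-8", errors="replace")
        if atype == REPLY_MESSAGE and text.startswith("Group="):
            # One group per attribute, or "Group=a,b, c" in a single attribute.
            groups.update(n.strip() for n in text[6:].split(","))
        i += alen
    return groups & set(known_groups)  # ignore names the appliance does not define

if __name__ == "__main__":
    secret, req_auth = b"testing123", bytes(range(16))  # constructed values
    pkt = build_accept(7, req_auth, secret, ["Group=Staff", "Group=Network"])
    print(sorted(groups_from_accept(pkt, req_auth, secret, {"Staff", "Network"})))
```

Reply-Message is free text meant for display, so the parser only honours the exact `Group=` prefix and intersects the result with groups the appliance already defines.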


