LDAP Groups

Peter Lambrechtsen plambrechtsen at gmail.com
Tue Nov 2 03:01:14 CET 2010


Have a read through these posts.

http://lists.freeradius.org/pipermail/freeradius-users/2010-October/msg00058.html

On Tue, Nov 2, 2010 at 2:10 PM, Hugh Blandford <hugh at island.net.au> wrote:

> Dear All,
>
> I have been experimenting with using FreeRADIUS and LDAP, trying to get
> some understanding of how groups are handled.
>
> I have left things in the configuration files mostly as standard, except
> uncommenting the LDAP sections but am obviously not understanding how things
> are supposed to work.
>
> I can place an LDAP group name in the users file and then have my LDAP user
> checked against it and return the relevant attributes.
>
> e.g. (following someone's helpful example)
>
> DEFAULT        Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
>                Fall-Through = yes
>
> DEFAULT        Ldap-Group == disabled, Auth-Type := Reject
>                Reply-Message = "Account disabled.  Please call the helpdesk.",
>                Fall-Through = no
>
> However, I was hoping to not use the users file.  I was hoping that:
>
> groupname_attribute = cn
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = radiusGroupName
>
> would mean you could add the attribute radiusGroupName to a user's entry
> and it would then look up the relevant GroupofNames and add those attributes
> to the return items.  However, when I add radiusGroupName to a user's entry
> I don't see any groupname lookups in the debug at all.
>
> Sorry if I have failed to understand something basic.
>
> What I actually want to do might not be solved best by LDAP groups.
> Most of our customers are in different VRFs and this, the loopback address
> and DNS servers etc. are returned.  Rather than store this information under
> each user I would like to have a template that I refer to.  However, at the
> same time, having 50+ default entries didn't seem the right way to do it
> either.
>
> Thanks for your patience.
>
> Hugh Blandford
>
> --
> Hugh Blandford
> Island Internet
> ph 1300 130 428
> mb 0412 016 875
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
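As an added illustration of the two mechanisms Hugh's message touches (the `groupmembership_filter` with its `%{Ldap-UserDn}` expansion, and `Ldap-Group ==` checks in the users file), the Python below simulates what rlm_ldap and the users file do, entirely in memory. It is example code written for this page, not code from the thread or from FreeRADIUS. The directory entries, DNs and user names are constructed; the filter string and the two `DEFAULT` entries are the ones quoted above. It also shows why the expanded DN is escaped before being spliced into the filter: without that, characters such as `(` or `)` in a value could change the filter's structure.

```python
import re

# Constructed in-memory directory (not a real server): DN -> attributes.
# Attribute names are stored lowercased, as LDAP attribute names are case-insensitive.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=flat10000,ou=groups,dc=example,dc=org": {
        "objectclass": ["groupOfNames"], "cn": ["flat10000"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"]},
    "cn=disabled,ou=groups,dc=example,dc=org": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["disabled"],
        "uniquemember": ["uid=bob,ou=people,dc=example,dc=org"]},
}

# The filter exactly as quoted in the message; groupname_attribute = cn.
GROUPMEMBERSHIP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                          "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# The two users-file entries from the message, as data:
# group checked, control items (Auth-Type), reply items, Fall-Through.
USERS = [
    {"group": "flat10000", "control": {},
     "reply": {"User-Profile": "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"},
     "fall_through": True},
    {"group": "disabled", "control": {"Auth-Type": "Reject"},
     "reply": {"Reply-Message": "Account disabled.  Please call the helpdesk."},
     "fall_through": False},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter, so that '(' ')' '*'
    '\\' or NUL inside a DN stay literal data instead of altering the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here
    (&, |, ! and simple equality). Returns (tree, index after the filter)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        assert s[i] == ")"
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        assert s[i] == ")"
        return ("!", [kid]), i + 1
    end = s.index(")", i)          # safe: a literal ')' in a value is escaped as \29
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip().lower(), ldap_unescape(value)), end + 1


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def ldap_groups(user_dn, directory=DIRECTORY):
    """Expand %{Ldap-UserDn} (escaped, as rlm_ldap does) and return the cn of
    every group entry the membership filter matches: the user's Ldap-Group values."""
    expanded = GROUPMEMBERSHIP_FILTER.replace("%{Ldap-UserDn}", ldap_escape(user_dn))
    tree, _ = parse_filter(expanded)
    return sorted(cn for e in directory.values() if matches(tree, e) for cn in e.get("cn", []))


def authorize(user_dn):
    """Walk the users-file entries in order, applying each whose Ldap-Group check
    matches, and stop at the first one with Fall-Through = no."""
    groups = ldap_groups(user_dn)
    control, reply = {}, {}
    for entry in USERS:
        if entry["group"] not in groups:
            continue
        control.update(entry["control"])
        reply.update(entry["reply"])
        if not entry["fall_through"]:
            break
    return {"groups": groups, "control": control, "reply": reply}


if __name__ == "__main__":
    for dn in DIRECTORY:
        if "ou=people" in dn:
            print(dn, "->", authorize(dn))
```

Running it shows alice picking up the `User-Profile` reply item from the `flat10000` entry and bob being rejected with the "Account disabled" message, which is the behaviour Hugh reports from the users file. Order matters: because the `flat10000` entry has `Fall-Through = yes`, a user in both groups would still reach the `disabled` entry and be rejected.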