ldap group filter
Phil Mayers
p.mayers at imperial.ac.uk
Sun May 8 12:28:31 CEST 2011
On 05/08/2011 10:32 AM, crzrobot wrote:
> Sorry for the double posting.
> Hi,
> Recently I implemented a RADIUS authentication using the ldap module.
> The next step is to control the users by groups, and I want to ask how I could
> set up the group filter if I have this kind of configuration for the groups
> on the LDAP servers. I tried to google it but had no luck with useful results.
> The user authentication is done by uid.
>
> Thank you for your help
>
> dn: cn=group1, ou=group,dc=home,dc=net
> objectclass: groupOfUniqueNames
> gidNumber: 30000
> cn: group1
> uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
> uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
> uniquemember: uidNumber=30003, ou=people,dc=home,dc=net
>
It's been a long time, but I think this is invalid LDAP data. The
uniquemember value should be a valid DN.
You probably could make this work in FreeRADIUS, but you should fix your
LDAP schema.
You'll need to do the following:

1. Define a local "uid" attribute in raddb/dictionary, e.g.

     ATTRIBUTE Ldap-UID 3000 integer

2. Define a mapping in ldap.attrmap from LDAP to radius for the uid, e.g.

     checkItem Ldap-UID uidNumber

3. Update your group query, e.g.

     groupmembership_filter = \
       "(uniquemember=uidNumber=%{control:Ldap-UID},ou=people,dc=home,dc=net)"

...but it's hacky and nasty - what if the path after the RDN varies? Fix
your LDAP schema to be right and this will just work.
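
Following the advice above to fix the directory data instead of hard-coding the path in the filter, this script (an added example, not part of the original post or of FreeRADIUS) rewrites uidNumber-style uniquemember values into the users' actual entry DNs and emits an ldapmodify change record. The user DNs (uid=alice, uid=bob) and the function names are constructed assumptions.

```python
# Constructed sample data. Assumption: user entries are named by uid and carry uidNumber.
import re

PEOPLE_LDIF = """\
dn: uid=alice,ou=people,dc=home,dc=net
uidNumber: 30001

dn: uid=bob,ou=people,dc=home,dc=net
uidNumber: 30002
"""

GROUP_LDIF = """\
dn: cn=group1,ou=group,dc=home,dc=net
objectclass: groupOfUniqueNames
cn: group1
uniquemember: uidNumber=30001, ou=people,dc=home,dc=net
uniquemember: uidNumber=30002, ou=people,dc=home,dc=net
uniquemember: uidNumber=30003, ou=people,dc=home,dc=net
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into lists of (attr, value)."""
    return [[tuple(p.strip() for p in line.split(":", 1))
             for line in block.splitlines() if ":" in line]
            for block in re.split(r"\n\s*\n", text.strip())]

def fix_group(people_text, group_text):
    """Return (ldapmodify change record, members that could not be resolved)."""
    by_uidnumber = {}
    for entry in parse_ldif(people_text):
        attrs = {k.lower(): v for k, v in entry}
        by_uidnumber[attrs["uidnumber"]] = attrs["dn"]
    group = parse_ldif(group_text)[0]
    fixed, unresolved = [], []
    for attr, value in group:
        if attr.lower() != "uniquemember":
            continue
        m = re.match(r"uidNumber=(\d+)\s*,", value, re.I)
        dn = by_uidnumber.get(m.group(1)) if m else None
        # Members with no matching user entry are reported, not written back.
        (fixed if dn else unresolved).append(dn or value)
    lines = [f"dn: {dict(group)['dn']}", "changetype: modify", "replace: uniqueMember"]
    lines += [f"uniqueMember: {dn}" for dn in fixed]
    return "\n".join(lines) + "\n", unresolved

if __name__ == "__main__":
    change, unresolved = fix_group(PEOPLE_LDIF, GROUP_LDIF)
    print(change, "unresolved:", unresolved, sep="\n")
```

Once members are real DNs, a filter that compares uniquemember against the user's own DN (%{control:Ldap-UserDn} in the FreeRADIUS 2.x ldap module) no longer depends on the path after the RDN. Review the unresolved list before applying the change, since the replace operation drops those members from the group.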