group search filter openLDAP

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 24 13:05:55 CET 2012


On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
> Hi guys,
>
> I'm using FreeRADIUS with LDAP, and its authentication works fine when
> I use the following configuration.
>
>          server = "ldap.home.com"
>          identity = "cn=admin,dc=home,dc=com"
>          password = home
>          basedn = "ou=users,dc=home,dc=com"
>          filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>          base_filter = "(objectclass=radiusprofile)"
>          access_attr = "uid"
>          authtype = ldap
>
> But then I created the LDAP group and added the members to it,
>
> e.g.:
>
> dn: cn=people,ou=users,dc=home,dc=com
> objectClass: groupOfNames
> objectClass: top
> cn: wso2
> member: uid=userone,ou=user,dc=home,dc=com
> member: uid=usertwo,ou=user,dc=home,dc=com
>
> Then I changed my LDAP config as follows:
>
>          server = "ldap.home.com"
>          identity = "cn=admin,dc=home,dc=com"
>          password = home
>          basedn = "cn=people,ou=users,dc=home,dc=com"
>          filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>          base_filter = "(objectclass=radiusprofile)"
>          access_attr = "uid"
>          authtype = ldap
>
> But this method is not working; the RADIUS debug output says the user
> cannot be searched within that group.
>
> Is there any particular search method that I need to use? What can
> I do to sort out this problem?

This is all completely wrong. You have told the LDAP module to search 
for all objects, including users, starting from the DN of the group you 
have created.

Set your LDAP back how it was, then uncomment the 
"groupmembership_filter" and "groupname_attribute" in the "ldap" module 
config, that comes with the server by default. It should just work.
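
Added example, not part of the original message or of FreeRADIUS: a small Python model of the two lookups discussed above, showing why a user search based at the group's DN finds nothing and how a membership check compares the user's DN with the group's member values. The directory contents are constructed, with user entries assumed to sit under ou=users and the group filter assumed to match on cn and member; the member values in the question use ou=user, and the model shows that a value which differs from the user's DN does not match.

```python
# Constructed model of the thread's two lookups; not real LDAP, sample data only.
def norm(dn):
    # Simplified DN comparison: case-insensitive, spaces around commas ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))

def make_directory(members):
    # Assumed tree: users sit under ou=users (the basedn that worked in the
    # question); `members` are the member values stored on the group entry.
    return {
        "ou=users,dc=home,dc=com": {"objectclass": ["organizationalUnit"]},
        "uid=userone,ou=users,dc=home,dc=com": {"objectclass": ["radiusprofile"], "uid": ["userone"]},
        "uid=usertwo,ou=users,dc=home,dc=com": {"objectclass": ["radiusprofile"], "uid": ["usertwo"]},
        "cn=people,ou=users,dc=home,dc=com": {"objectclass": ["groupOfNames"], "cn": ["people"], "member": members},
    }

def search(directory, base, attr, value):
    """Subtree search: DNs at or below `base` whose `attr` holds `value`."""
    base = norm(base)
    return [dn for dn, entry in directory.items()
            if (norm(dn) == base or norm(dn).endswith("," + base))
            and value.lower() in (v.lower() for v in entry.get(attr, []))]

def find_user(directory, basedn, username):
    """User lookup with filter (uid=<username>); returns the DN or None."""
    hits = search(directory, basedn, "uid", username)
    return hits[0] if hits else None

def in_group(directory, basedn, user_dn, group):
    """Group check modelled as (&(cn=<group>)(member=<user_dn>)) under basedn."""
    return any(norm(user_dn) in [norm(m) for m in directory[dn].get("member", [])]
               for dn in search(directory, basedn, "cn", group))

USERS = "ou=users,dc=home,dc=com"
GROUP_DN = "cn=people,ou=users,dc=home,dc=com"
AS_POSTED = ["uid=userone,ou=user,dc=home,dc=com", "uid=usertwo,ou=user,dc=home,dc=com"]
MATCHING = ["uid=userone,ou=users,dc=home,dc=com", "uid=usertwo,ou=users,dc=home,dc=com"]

if __name__ == "__main__":
    d = make_directory(AS_POSTED)
    print("basedn = group DN :", find_user(d, GROUP_DN, "userone"))
    dn = find_user(d, USERS, "userone")
    print("basedn = ou=users :", dn)
    print("member as posted  :", in_group(d, USERS, dn, "people"))
    print("member = user DN  :", in_group(make_directory(MATCHING), USERS, dn, "people"))
```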

