LDAP groups and profiles

Chris Taylor Chris.Taylor at corp.eastlink.ca
Mon Feb 4 20:49:16 CET 2013


I have RADIUS running with multiple realms and multiple LDAP back ends that store all my user attributes. I am trying to apply different user profiles to different groups. What I did was set up the profile in the USERS file, add the group attributes to the ldap config file, and on the user's LDAP account I added the attribute radiusGroupName with the value "residential_profile", but I can't seem to get it to work correctly. It doesn't seem to query the correct backend. I am sure that I have something wrong, but I am not sure what. I looked at rlm_ldap and searched the list archive but haven't been able to find anything. Any help would be appreciated.

This is what my configuration files look like:

USERS

DEFAULT Ldap-Group == residential_profile
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Cisco-AVPair += "ip:inacl#100=permit tcp any x.x.x.x 0.0.0.15 eq 25",
        Cisco-AVPair += "ip:inacl#200=deny tcp any any eq 25",
        Cisco-AVPair += "ip:inacl#300=permit ip any any",
        Fall-Through = No


ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
}

ldap ldap1.REALM-1.ca {
        basedn = "ou=radius,o=REALM-1.ca,dc=container,dc=ca"
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
}



Output from radius -X

[files] users: Matched entry DEFAULT at line 214
  [ldap2.REALM-2.ca] Entering ldap_groupcmp()
[files]         expand: ou=radius,o=REALM-2.ca,dc=container,dc=ca -> ou=radius,o=REALM-2.ca,dc=container,dc=ca
[files]         expand: %{Stripped-User-Name} -> 112boy
[files]         expand: (&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true)) -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2.REALM-2.ca] ldap_get_conn: Checking Id: 0
  [ldap2.REALM-2.ca] ldap_get_conn: Got Id: 0
  [ldap2.REALM-2.ca] attempting LDAP reconnection
  [ldap2.REALM-2.ca] Bind was successful
  [ldap2.REALM-2.ca] performing search in ou=radius,o=REALM-2.ca,dc=container,dc=ca, with filter (&(uid=112boy)(objectclass=posixAccount)(cn=true))
  [ldap2.REALM-2.ca] object not found
rlm_ldap::ldap_groupcmp: search failed
  [ldap2.REALM-2.ca] ldap_release_conn: Release Id: 0


Thanks,

Chris
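
An added example, not part of Chris's post: a small Python expander for the FreeRADIUS %{...} references used in the ldap filters above, including the %{%{A}:-%{B}} default form, with RFC 4515 escaping of the substituted value (an approximation of what rlm_ldap does when it builds the search filter). Attribute values are passed in as a plain dict; that interface is an assumption of this example.

```python
# Added example, not from the post: expand FreeRADIUS %{...} references the way
# the "expand:" debug lines above show, and escape the substituted value so a
# username cannot alter the structure of the LDAP filter. Attributes come from
# a plain dict (an assumption for this demo).

def ldap_escape(value):
    """Escape characters that are special inside an LDAP search filter (RFC 4515)."""
    return ''.join(('\\%02x' % ord(c)) if c in '\\*()\x00' else c for c in value)

def _read_braced(s, i):
    """Return the body of a %{...} whose contents start at index i, honouring nesting."""
    depth, start = 1, i
    while i < len(s) and depth:
        if s.startswith('%{', i):
            depth += 1
            i += 2
            continue
        if s[i] == '}':
            depth -= 1
        i += 1
    return s[start:i - 1], i

def _eval(body, attrs):
    """Evaluate one reference: 'X:-Y' (default form) or '[list:]Attribute-Name'."""
    depth = 0
    for j in range(len(body)):
        if body.startswith('%{', j):
            depth += 1
        elif body[j] == '}':
            depth -= 1
        elif depth == 0 and body.startswith(':-', j):
            first = expand(body[:j], attrs)
            return first if first else expand(body[j + 2:], attrs)
    name = body.split(':', 1)[1] if ':' in body else body  # drop a list prefix such as control:
    return ldap_escape(attrs.get(name, ''))

def expand(template, attrs):
    """Expand every %{...} in template against attrs and return the finished filter."""
    out, i = [], 0
    while i < len(template):
        if template.startswith('%{', i):
            body, i = _read_braced(template, i + 2)
            out.append(_eval(body, attrs))
        else:
            out.append(template[i])
            i += 1
    return ''.join(out)

# The user filter from the ldap blocks in the post.
FILTER = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=posixAccount)(cn=true))"

if __name__ == '__main__':
    # Reproduces the debug line: -> (&(uid=112boy)(objectclass=posixAccount)(cn=true))
    print(expand(FILTER, {'Stripped-User-Name': '112boy', 'User-Name': '112boy@REALM-1.ca'}))
    # No realm stripped: the default form falls back to User-Name, and metacharacters are escaped.
    print(expand(FILTER, {'User-Name': 'chris*)(uid=*'}))
```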
