group authorization

Jan-Frode Myklebust janfrode at tanso.net
Fri Mar 28 11:14:43 CET 2014


On Thu, Mar 27, 2014 at 08:07:17PM -0400, Brendan Kearney wrote:
> 
> while your proposed filter does seem to accomplish that, i would like to
> know if a more dynamically formulated string can be put together, to
> create the DN out of concatenated variables.  just a more scalable
> solution. 

So my suggested filter works? I wasn't expecting that.. Guess that
should mean that your Ldap-UserDn is somehow broken. 

> 
> i will point out at this time that "tens of thousands of others" who are
> using FreeRADIUS with LDAP successfully either got lucky and have
> posixGroup groups being matched, figured this out and have not
> sought/provided clarification on the subject, or are not doing what i am
> doing with LDAP.

Count me as one of the lucky ones who's gotten it working with my
posixGroup groups, and who doesn't fetch avpairs from the groups.

I agree that freeradius definitely doesn't pass the grandma test. 113
files in /etc/raddb seems a bit much, so I've been struggling for a very
long time trying to understand which files need changes to achieve what.
But I guess this also is part of the power of freeradius. A lot of stuff
is implemented, and is tweakable in the modules/ and sites-*/ files.

I'm getting ready to dig into "unlang" myself to try to define an access
regime of groups of NAS'es and groups of people. It looks like it should
be able to do just about anything.



  -jf

