FR 3.0.1 and LDAP group membership

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue May 20 07:39:04 CEST 2014


On 20 May 2014, at 02:03, Brendan Kearney <bpk678 at gmail.com> wrote:

> i want to authenticate users against my kerberos instance (working now),
> and authorize them based on LDAP group memebership.  i am stuck getting
> authorization working, because i must be missing something fundamental.
> 
> i copied mods-available/ldap to mods-available/ldap.orig and made the
> following edits:
> 
> changed "server" to test.bpk2.com
> changed "identity" and "password" to cn=Manger,dc=my-domain,dc=com, and
> the corresponding password.
> changed "base_dn" to ou=Users,dc=bpk2,dc=com
> commented out control:Password-With-Header	+= 'userPassword' as LDAP
> will not be managing any passwords
> changed filter from objectClass=posixGroup to groupOfNames
> changed membership_filter to be member= and not memberUid= in the second
> OR'd condition
> uncommented filter="(objectclass=radiusprofile)"
> 
> i have created a group in the DIT called netEngineers, added my ID to
> the group, added the radiusprofile object class and added a
> radiusreplyitem of "Cisco-AVPair = "shell:priv-lvl=15"" to the group.

Groups don't return replyItems only profiles do. Groups are only 
used for checking membership, they cannot contain attributes themselves.

Note that your profile attribute could be the same as your group
attribute i.e. memberOf, in which case you'd just need to add the
group objects to the radiusprofile object.

> i have added the radiusprofile object class to my id and added the
> radiusgroupname attribute, and the value "netEngineers" to the
> attribute.

You still have 'attribute' commented out in the profile section.
How will it know which attribute contains profiles?

> when i run radiusd -X and then radtest, i run a packet capture.  the
> capture does not show the radiusreplyitem being replied back.  it seems
> that i am not properly configuring the group checking, but dont know
> where i am going wrong.  where am i going wrong?

You're meant to check for individual groups. They're not meant to be 
container objects for attributes.

Your policy should contain something like

if (LDAP-Group == 'foo') {
	bar
}

If you want to check for specific group memberships, but I don't think
that's what you're trying to do.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140520/4995209c/attachment.pgp>


More information about the Freeradius-Users mailing list