LDAP Groups to Freeradius and then Ruckus Wireless?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed May 28 13:17:43 CEST 2014


On 28 May 2014, at 12:09, Enrique Sainz Baixauli <enriquesainz.beca at intef.educacion.es> wrote:

>>> Hi again,
>>> 
>>> So I'm now working with version 3.0.3 and I have moved all of my 
>>> configs to the new format. I can do, as I did on v2.1.2, group 
>>> checking in users file via the Ldap-Group virtual attribute. That's fine,
>>> but it's not what I need.
>>> I need the group info to be forwarded to the client, and I'm trying to 
>>> do so in mods-available/ldap (symlinked to mods-enabled/). As there is 
>>> no ldap.attrmap file and the update section in mods-available/ldap 
>>> seems to be for that purpose, I'm mapping attributes there:
>>> 
>>> reply:Ruckus-User-Groups	:= 'control:memberOf'
>>> 
>>> Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. 
>>> But any kind of attribute that I think may fit there I have already 
>>> tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I 
>>> try I see a line like this in the debug output:
>>> 
>>> ldap :  Attribute 'control:memberOf' not found in LDAP Object
>> 
>> *sigh* why could you add control: to the start of memberOf attribute? LDAP
>> has no idea what lists are.
>> 
>> Use:
>> 
>> update {
>> 	reply:Ruckus-User-Group += 'memberOf'
>> }
>> 
>> Add that and it should work, if it doesn't work post the debug output.
> 
> I guess I didn't explain myself enough: I tried with and without control:, I
> just posted that option because it was the last one I tried (not really very
> confident about getting it to work that way). The only difference between
> your line and the ones I tried before is that you used += and I used :=
> (which I think should be correct, because that's the only attribute that
> should go into Ruckus-User-Group, but I may be wrong again). So now, with
> your line I get quite similar debug output:
> 
> ldap :  Attribute 'memberOf' not found in LDAP Object

Then your user object contains no memberOf attributes, or your LDAP ACLs are
incorrect and preventing the memberOf attributes of user objects from being
accessed.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
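
The two causes named in the reply above can be told apart by running the same user search once as the identity FreeRADIUS binds with and once as a directory administrator, then comparing the results. The script below is an added example, not part of the original message or of FreeRADIUS; the file names, placeholder variables and verdict words are assumptions, and the LDIF used in demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): decide which cause explains
# "Attribute 'memberOf' not found in LDAP Object".
# Capture the same user search twice as LDIF (all values are placeholders):
#   ldapsearch -x -LLL -H "$URI" -D "$RADIUS_BIND_DN" -W -b "$BASE" "(uid=$U)" memberOf > radius.ldif
#   ldapsearch -x -LLL -H "$URI" -D "$ADMIN_DN" -W -b "$BASE" "(uid=$U)" memberOf > admin.ldif

# count_attr FILE ATTR: number of values of ATTR in an LDIF file.
# Folded continuation lines (leading space) are skipped; "attr::" (base64) counts too.
count_attr() {
    awk -v a="$2" '
        /^ / { next }
        { split($0, kv, ":"); if (tolower(kv[1]) == tolower(a)) n++ }
        END { print n + 0 }' "$1"
}

# diagnose RADIUS_LDIF ADMIN_LDIF: prints one verdict word.
diagnose() {
    r_dn=$(count_attr "$1" dn)
    r_mo=$(count_attr "$1" memberOf)
    a_mo=$(count_attr "$2" memberOf)
    if   [ "$r_dn" -eq 0 ]; then echo "user-not-visible"   # search base, filter or entry ACL
    elif [ "$r_mo" -gt 0 ]; then echo "memberof-visible"   # the ldap module mapping can work
    elif [ "$a_mo" -gt 0 ]; then echo "acl-blocked"        # attribute exists, bind DN cannot read it
    else                         echo "not-populated"      # no memberOf stored on the user object
    fi
}

# Constructed sample data: the service account sees the entry but no memberOf.
demo() {
    d=$(mktemp -d)
    printf 'dn: uid=alice,ou=people,dc=example,dc=org\n\n' > "$d/radius.ldif"
    printf 'dn: uid=alice,ou=people,dc=example,dc=org\nmemberOf: cn=staff,ou=groups,dc=example,dc=org\n\n' > "$d/admin.ldif"
    diagnose "$d/radius.ldif" "$d/admin.ldif"
    rm -rf "$d"
}

# With two file arguments, diagnose those captures.
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A verdict of acl-blocked points at the directory's access rules for the RADIUS bind identity; not-populated points at the directory not maintaining memberOf on user entries.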
