LDAP group authentication

Jake L. jake_homs at yahoo.com
Tue Jun 27 17:53:05 CEST 2017


Hi Bogdan,

Thank you for the information. This looks like a good method for us as well. Are you setting up the 'ldapgroup' inside the group section of the ldap module? If so, can you show me the stanza you're using? Thank you!

    On Tuesday, June 27, 2017 1:20 AM, Bogdan Rudas via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
 

 Hi Jake,

We are using *memberOf* in the filter of the "user { }" section in
*/etc/freeradius/mods-available/ldap*:

        user {
                base_dn = "${..base_dn}"

                filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))"

                sasl {
                }
        }

I suspect FreeIPA has a similar attribute for reverse group membership
lookups.

On Tue, Jun 27, 2017 at 1:36 AM, Jake L. via Freeradius-Users <
freeradius-users at lists.freeradius.org> wrote:

> Hello - I successfully got our Freeradius server to authenticate against
> our FreeIPA LDAP environment, allowing user access. Currently, all users in
> here will be granted successful access. However, I'm having trouble trying
> to identify what to set up to get only a single group in our FreeIPA
> environment allowed to authenticate while all other groups are denied. In a
> nutshell, I want to only allow the "network-team" group authenticated
> access via the Freeradius server, and any/all other groups to be denied. In
> my wiki and google searches, I've found reference to "group_authorization",
> but I can't find that module in the policy.d or mods-available folder.
> Also, I've seen the reference to huntgroups, but only when queried against
> SQL, which shouldn't be needed in my case. Can anyone point me in the right
> direction to get this working?
> TL;DR = Need info on setting up Freeradius authentication to LDAP only for
> a specific group, denying all other groups.
> Thank you!
> Jake
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html




-- 
Bogdan Rudas
Director of IT offshore
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas


   

