<div>Hi Alan,</div>
<div> </div>
<div>I changed "Group" to "Ldap-Group" in the <strong>users</strong> file; however, FreeRADIUS cannot find the group name I specify in the <strong>users</strong> file. I think the reason is that the <strong>basedn
</strong> ("ou=people,dc=richard,dc=com") I set in <strong>radiusd.conf</strong> is for users only; the group is bound to a different <strong>basedn</strong> ("ou=group,dc=richard,dc=com"). So, ldap_groupcmp() cannot find the group in the
<strong>basedn</strong> ("ou=people,dc=richard,dc=com"). Since I don't want to authenticate the group membership, and just want to get the name of the group to which the user belongs, I don't think I need to configure any group authentication for LDAP.
</div>
<div>The result is the user is authenticated, but the <strong>Tunnel-Private-Group-ID</strong> is not assigned in the Access-Accept message because no group name matches.</div>
<div>When I changed it back, it worked fine. I am not sure what "Group" represents in FreeRADIUS. I only configured group "1" and group "10" in LDAP. I did a test as follows.</div>
<div>I changed the name of group "10" to group "20" in LDAP, and kept all other configurations. When the user who was in group "10" before and is in group "20" now tried to authenticate, it was successful, except that no
<strong>Tunnel-Private-Group-ID</strong> was assigned, since there is no group "20" in the <strong>users</strong> file. So, I assume "Group" does have something to do with LDAP groups. </div>
<div>I am using SuSE Enterprise Server 10 and the OpenLDAP integrated with it. Do you think the groups configured in LDAP have some relationship with the Unix groups you mentioned?</div>
<div> </div>
<div>Richard <br><br> </div>
<div><span class="gmail_quote">On 10/31/06, <b class="gmail_sendername">Alan DeKok</b> <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">"Richard" <<a href="mailto:baixin@gmail.com">baixin@gmail.com</a>> wrote:<br>> Right now the situation is the RADIUS can authenticate the user in
<br>> LDAP. But the group attribute does work.<br><br>As I said before, "Group" is for Unix groups. If you want to check<br>LDAP groups, you should use the LDAP-Group attribute.<br><br>Alan DeKok.<br>--<br><a href="http://deployingradius.com">
http://deployingradius.com</a> - The web site of the book<br><a href="http://deployingradius.com/blog/">http://deployingradius.com/blog/</a> - The blog<br></blockquote></div><br>