<div>I added the group parameters in the rlm_ldap section. It seems FreeRADIUS does not do a group search. </div>  <div>        groupname_attribute = memberOf<BR>        groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"</div>  <div> </div>  <div>Is there anything else I need to configure in radiusd.conf?</div>  <div> </div>  <div>Waking up in 4 seconds...<BR>rad_recv: Access-Request packet from host 10.155.20.84:1107, id=76, length=207<BR>        User-Name = "hhe"<BR>        NAS-IP-Address = 10.155.20.84<BR>        NAS-Identifier = "AH-000030"<BR>        NAS-Port = 0<BR>        Called-Station-Id = "00-19-77-00-00-34:hhe"<BR>        Calling-Station-Id =
 "00-19-E0-80-A5-5A"<BR>        Framed-MTU = 1500<BR>        NAS-Port-Type = Wireless-802.11<BR>        Connect-Info = "CONNECT 11Mbps 802.11b"<BR>        EAP-Message = 0x0209002b1900170301002040c3edccfa02df3abe7e25e10b19562d21e7cb9ae131741e2072d61ea88ada83<BR>        State = 0xaa50cdb6191621d7112990ba865f4031<BR>        Message-Authenticator = 0xb16d6265031bcb1157450cdbef3d80b4<BR>  Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 9<BR>  modcall[authorize]: module "preprocess" returns ok for request 9<BR>  modcall[authorize]: module "mschap" returns noop for request 9<BR>    rlm_realm: No '@' in User-Name = "hhe", looking up realm NULL<BR>   
 rlm_realm: Found realm "NULL"<BR>    rlm_realm: Proxying request from user hhe to realm NULL<BR>    rlm_realm: Adding Realm = "NULL"<BR>    rlm_realm: Authentication realm is LOCAL.<BR>  modcall[authorize]: module "suffix" returns noop for request 9<BR>  rlm_eap: EAP packet type response id 9 length 43<BR>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>  modcall[authorize]: module "eap" returns updated for request 9<BR>rlm_ldap: - authorize<BR>rlm_ldap: performing user authorization for hhe<BR>radius_xlat:  '(sAMAccountName=hhe)'<BR>radius_xlat:  'cn=users,dc=aerohive, dc=com'<BR>rlm_ldap: ldap_get_conn: Checking Id: 0<BR>rlm_ldap: ldap_get_conn: Got Id: 0<BR>rlm_ldap: performing search in cn=users,dc=aerohive, dc=com, with filter (sAMAccountName=hhe)<BR>rlm_ldap: looking for check items in directory...<BR>rlm_ldap: looking for reply items in directory...<BR>rlm_ldap: user hhe
 authorized to use remote access<BR>rlm_ldap: ldap_release_conn: Release Id: 0<BR>  modcall[authorize]: module "ldap" returns ok for request 9<BR>modcall: leaving group authorize (returns updated) for request 9<BR>  rad_check_password:  Found Auth-Type EAP<BR>auth: type "EAP"<BR>  Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 9<BR>  rlm_eap: Request found, released from the list<BR>  rlm_eap: EAP/peap<BR>  rlm_eap: processing type peap<BR>  rlm_eap_peap: Authenticate<BR>  rlm_eap_tls: processing TLS<BR>  eaptls_verify returned 7<BR>  rlm_eap_tls: Done initial handshake<BR>  eaptls_process returned 7<BR>  rlm_eap_peap: EAPTLS_OK<BR>  rlm_eap_peap: Session established.  Decoding tunneled attributes.<BR>  rlm_eap_peap: Received EAP-TLV response.<BR>  rlm_eap_peap: Tunneled data is valid.<BR>  rlm_eap_peap: Success<BR> 
 rlm_eap: Freeing handler<BR>  modcall[authenticate]: module "eap" returns ok for request 9<BR>modcall: leaving group authenticate (returns ok) for request 9<BR>Sending Access-Accept of id 76 to 10.155.20.84 port 1107<BR>        MS-MPPE-Recv-Key = 0x03ee0b3dcbfc176840b2fd59f80ea717e985f078073c8aec6443244ff871091d<BR>        MS-MPPE-Send-Key = 0x55a504ccb0cb76ee9bda1bd4e5ec48cf4c27fe94c9e086bc990ed0f0f1650f92<BR>        EAP-Message = 0x03090004<BR>        Message-Authenticator = 0x00000000000000000000000000000000<BR>        User-Name = "hhe"<BR>Finished request 9</div>  <div> </div>  <div><BR><BR><B><I>"Ranner, Frank MR" &lt;Frank.Ranner@defence.gov.au&gt;</I></B> wrote:</div>  <BLOCKQUOTE class=replbq style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px
 solid">From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org<BR>[mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Hangjun He<BR>Sent: Monday, 17 December 2007 18:32<BR>To: FreeRadius users mailing list<BR>Subject: Can I get group-name from Active-directory?<BR><BR><BR><BR>FreeRADIUS 1.1.6 + samba-tools + active-directory.<BR>Can I get a user's group-name by rlm_ldap? How?<BR><BR><BR>The following is the result of ldap-search (using an LDAP client):<BR># Paul Le, Users, test.com<BR>dn: CN=Paul Le,CN=Users,DC=test,DC=com<BR>objectClass: top<BR>objectClass: person<BR>objectClass: organizationalPerson<BR>objectClass: user<BR>cn: Paul Le<BR>sn: Levasseur<BR>distinguishedName: CN=Paul Le,CN=Users,DC=test,DC=com<BR>instanceType: 4<BR>whenCreated: 20061118204047.0Z<BR>whenChanged: 20061120041505.0Z<BR>displayName: Paul Levasseur<BR>uSNCreated: 53309<BR>memberOf:
 CN=WirelessUsers,CN=Users,DC=test,DC=com<BR>uSNChanged: 61454<BR>name: Paul Levasseur<BR>objectGUID:: TWcfmIP0S0KptrqNYMartA==<BR><BR><BR>In radiusd.conf set the ldap group parameters:<BR><BR>groupname_attribute = memberOf<BR>groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"<BR><BR>If you prefer you can use sAMAccountName instead of cn, or even both:<BR><BR>groupmembership_filter = "(|(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(cn=%{Stripped-User-Name:-%{User-Name}}))"<BR><BR>Regards,<BR>Frank Ranner<BR><BR>-<BR>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<BR></BLOCKQUOTE><BR><p> 


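Added example, not part of the thread and not FreeRADIUS code: a Python sketch of what a memberOf-based group test on the Active Directory entry quoted above involves, namely escaping the user name (RFC 4515) before it is substituted into the filter, and reducing each memberOf DN to its group CN. The function names are hypothetical, the expander handles only the two reference forms used in this thread's filters, and the LDIF sample is constructed from the ldapsearch output in the quoted message.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_REF = re.compile(r"%\{([\w-]+)(?::-%\{([\w-]+)\})?\}")  # %{A} or %{A:-%{B}}

def escape_filter_value(value):
    """Escape a user-supplied string before placing it in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, attrs):
    """Expand attribute references in one pass, escaping every substituted value."""
    def repl(m):
        value = attrs.get(m.group(1)) or attrs.get(m.group(2) or "", "")
        return escape_filter_value(value)
    return _REF.sub(repl, template)

def group_names(ldif_text):
    """Return the CN of each memberOf DN in one LDIF entry (base64 values skipped)."""
    unfolded = re.sub(r"\n ", "", ldif_text)  # LDIF continuation lines start with a space
    names = []
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "memberof":
            first_rdn = re.split(r"(?<!\\),", value.strip(), maxsplit=1)[0]
            key, _, cn = first_rdn.partition("=")
            if key.strip().lower() == "cn":
                names.append(cn.strip())
    return names

def is_member(ldif_text, group):
    """Case-insensitive test of a group name against the entry's memberOf values."""
    return group.lower() in (g.lower() for g in group_names(ldif_text))

# Constructed sample: filter from the thread, entry abridged from its ldapsearch output.
TEMPLATE = "(cn=%{Stripped-User-Name:-%{User-Name}})"
SAMPLE_ENTRY = """dn: CN=Paul Le,CN=Users,DC=test,DC=com
cn: Paul Le
memberOf: CN=WirelessUsers,CN=Users,
 DC=test,DC=com
"""

if __name__ == "__main__":
    print(expand_filter(TEMPLATE, {"User-Name": "hhe"}))
    print(expand_filter(TEMPLATE, {"User-Name": "h*e"}))
    print(group_names(SAMPLE_ENTRY), is_member(SAMPLE_ENTRY, "WirelessUsers"))
```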