This does seem to work differently than I thought.. My model was something like ntlm_auth, which allows an authentication, but one can also require membership in a group at the same time... i.e. ntlm_auth ... --require-membership-of={SID|Name} What I was really hoping is that I could look someone up in the directory in the user tree, but also then require they be in a particular group. The group would actually have a specific replyItem attribute that would return a VLAN if the user was part of the group... There are other ways of accomplishing this .... Thanks, Robert ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Robert Roll [Robert.Roll@utah.edu] Sent: Tuesday, March 22, 2011 11:21 AM To: FreeRadius users mailing list Subject: RE: Group checking in ldap authorization The below is out of the .../share/doc/freeradius/rlm_ldap Note that it shows the Ldap_Group variable being set in the users file, but I'm assuming it should not really matter where it gets set ? DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com" Also, the part about the specific instance Ldap-Group is: Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like ... Note, I do not want to test for Ldap_Group, I want to be able to actually set it so it is used within the ldap module ? Thanks, Robert From .../share/doc/freeradius/rlm_ldap -------------------------------------------------------------------------------------------------------- GROUP SUPPORT: The module supports searching for ldap groups by use of the Ldap-Group attribute. As long as the module has been instanciated it can be used to do group membership checks through other modules. For example in the users file: DEFAULT Ldap-Group == "disabled", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" DNs are also accepted as Ldap-Group values, i.e.: DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" Also if you are using multiple ldap module instances a per instance Ldap-Group attribute is registered and can be used. It is of the form <instance_name>-Ldap-Group. In other words if in radiusd.conf we configure an ldap module instance like: ldap myname { [...] } we can then use the myname-Ldap-Group attribute to match user groups. Make sure though that the ldap module is instantiated *before* the files module so that it will have time to register the corresponding attribute. One solution would be to add the ldap module in the instantiate{} block in radiusd.conf ________________________________________ From: freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu@lists.freeradius.org] On Behalf Of Phil Mayers [p.mayers@imperial.ac.uk] Sent: Tuesday, March 22, 2011 8:46 AM To: freeradius-users@lists.freeradius.org Subject: Re: Group checking in ldap authorization On 22/03/11 14:24, Robert Roll wrote:
Below is what I have in my authorization section. I
update control { ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu" }
ldapADut { notfound = reject }
Where did you get this from? It's totally wrong. Try: if (Ldap-Group == chemVLAN) { } Ldap-Group (or modname-Ldap-Group) is a "virtual" attribute, that will perform the group membership check when you run a comparison. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html