Hi Jake, We are useing *memberOf* in filter of "user { }" section in */etc/freeradius/mods-available/ldap* user { base_dn = "${..base_dn}" filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=${..ldapgroup})))" sasl { } } I suspect FreeIPA have similar attribute for reverse group membership lookups. On Tue, Jun 27, 2017 at 1:36 AM, Jake L. via Freeradius-Users < freeradius-users@lists.freeradius.org> wrote:
Hello - I successfully got our Freeradius server to authenticate against our FreeIPA LDAP environment, allowing user access. Currently, all users in here will be granted successful access. However, I'm having trouble trying to identify what to setup to get only a single group in our FreeIPA environment allowed to authenticate while all other groups are denied. In a nutshell, I want to only allow the "network-team" group authenticated access via the Freeradius server, and any/all other groups to be denied. In my wiki and google searches, I've found reference to "group_authorization", but I can't find that module in the policy.d or mods-available folder. Also, I've seen the reference to huntgroups, but only when queried against SQL, which shouldn't be needed in my case. Can anyone point me in the right direction to get this working? TL;DR = Need info on setting up Freeradius authentication to LDAP only for a specific group, denying all other groups. Thank you!Jake - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Bogdan Rudas Director of IT offshore Exadel Inc. http://www.exadel.com/ E-mail: brudas@exadel.com Skype ID: bogdan.rudas -- CONFIDENTIALITY NOTICE: This email and files attached to it are confidential. If you are not the intended recipient you are hereby notified that using, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error please notify the sender and delete this email.