I've been playing around with this all day and I'm stumped. Does anyone have a config for ANY version of FreeRadius that works with LDAP groups? On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm trying to get authentication working so FreeRadius will authenticate a user OLNY if they are in a certain LDAP group.. In this case that group is called 'it'.
Where I am at now is if the user is in or out of the 'it' group the authentication goes through ok (depending if the password is correct, of course). I would like the authenication to fail if the password is correct BUT the user is not in a certain ('it') group.
Here are my configs snippets:
========= /etc/raddb/users ===========
DEFAULT Auth-Type = LDAP Fall-Through = 1
DEFAULT LDAP-Group == it Service-Type = Administrative-User
========= /etc/raddb/radiusd.conf ===========
ldap { server = "192.168.150.140" identity = "uid=admin,ou=People,dc=acme,dc=com" password = "BadPass" basedn = "dc=acme,dc=com" filter = "(uid=%u)" # base_filter = "(objectclass=radiusprofile)"
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA" # profile_attribute = "radiusProfileDn" access_attr = uid
# Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" groupmembership_attribute = it timeout = 4 timelimit = 3 net_timeout = 1 compare_check_items = yes # do_xlat = yes access_attr_used_for_allow = yes }