This is how I have done it:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html

Works a treat for me.

On Wed, Aug 4, 2010 at 11:27 AM, Cory Johnson <cjohnson@commspeed.net> wrote:
Greetings,

I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap module. I only want to authenticate users in a certain group. These groups exist in LDAP as a "posixGroup" with a "memberUID" list. As I have it configured currently, I get an "Access-Accept" for any user in the directory.

The ldap module is configured as such:

ldap {
   server = "192.168.1.99"
   identity = "cn=admin,dc=corp,dc=example,dc=com"
   password = s3cret
   basedn = "dc=corp,dc=example,dc=com"
   filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

   ldap_connections_number = 5

   timeout = 4

   timelimit = 3

   net_timeout = 1

   tls {
       start_tls = no
   }

   dictionary_mapping = ${confdir}/ldap.attrmap

   edir_account_policy_check = no

   groupname_attribute = cn
   groupmembership_attribute = NOC
   groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))

}

I've also seen recomendations to add something like this to the users file:
DEFAULT LDAP-Group == NOC
       Service-Type = Administrative-User

Now I can see the service-type displayed when I do a radtest using the username/password of users in the "NOC" group, but I still see an "Access-Accept" for users who are not in the group.

How can I make the server reject users that aren't in the NOC group? Any hints would be fantastic.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html