All,

I have still not been able to find a solution for this, it looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat - while I have read all the docco that comes with the FreeRadius (in /usr/share) I am missing something in order to apply it.

Cheers,
David
----- Original Message -----
From: "David Hobley" <david.hobley@mionegroup.com>
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane
Subject: Configure authentication via LDAP Group membership issue

I have set up a VPN pointing to a FreeRadius server and have it
authenticating successfully against my LDAP server, but I would also like to
limit access to only those people who are a member of the VPN group.

Normally, this would be simple, but because of the LDAP server I am using,
the hierarchy looks like this:

User Account:

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
uidNumber: 1024
...

Group entry is:

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
memberUid: 1024
...

So I need to somehow configure Radius to search on me, get my uidNumber and
then search on the group. If I skip the searching to get the uidNumber, I
can configure the Radius (for this single account) correctly:

In the ldap module I include:
                ...
                groupname_attribute = cn
                groupmembership_filter = "(memberUid=1024)"
with the following entry in the users file:

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024
for an ldap search result so I can dynamically return the uidNumber for the
%{User-Name} field?

Thanks!

Cheers,
David