What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work.
Not with the update block no, but there are other ways in v3.0.x to do it without memberOf
Ok, OP.
I suspect you've messed up and not uncommented
group.cache_attribute
Or got a typo in your config. I got no complaints from the server when I tried, and did not have to add a dictionary entry.
So yes, it works perfectly on my system (thought I don't have the Ruckus attributes, could you send their dictionary over please?)
I am guessing you mean cache_attribute in section group {}, in mods-available/ldap. I uncommented it and set it to "LDAP-Cached-Membership". Besides, I set cacheable_name = "yes" and membership_attribute = "member". And dictionary.ruckus: VENDOR Ruckus 25053 BEGIN-VENDOR Ruckus ATTRIBUTE Ruckus-User-Groups 1 string END-VENDOR Ruckus
Good that you can see debug. We can't though which isn't helpful.
I'm going to guess that you've got attribute filtering on and haven't added that attribute to the attribute white list. I hate to guess though would be better if we were better informed.
alan
About this, I haven't set up attribute filtering (because I don't know where to do it), so if it's on by default, where is the whitelist? I have also changed the foreach line you guys suggested because of a warning in the debug output: I placed a & before Ruckus-User-Groups: Foreach &control:LDAP-Cached-Membership { update reply { &Ruckus-User-Groups += "%{Foreach-Variable-0}" } } And finally, the debug output for a PAP Access-Request of user 'juan', who belongs to group 'profesores': Received Access-Request Id 2 from 192.168.60.1:1024 to 192.168.50.62:1812 length 82 User-Name = 'juan' User-Password = 'juan' NAS-IP-Address = 192.168.60.1 Service-Type = Login-User NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0x412aea7019095474eca935825f5f2c90 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") (0) EXPAND %{tolower:%{User-Name}} (0) --> juan (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (User-Name =~ /\\.$/) (0) if (User-Name =~ /\\.$/) -> FALSE (0) if (User-Name =~ /@\\./) (0) if (User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : No '@' in User-Name = "juan", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop rlm_ldap (ldap): Reserved connection (4) (0) ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap : --> (uid=juan) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(uid=juan)', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : User object found at DN "uid=juan,ou=usuarios,dc=ejemplo,dc=org" (0) ldap : No cacheable group memberships found in user object (0) ldap : EXPAND (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn})) (0) ldap : --> (&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejempl o\2cdc\3dorg)) (0) ldap : EXPAND dc=ejemplo,dc=org (0) ldap : --> dc=ejemplo,dc=org (0) ldap : Performing search in 'dc=ejemplo,dc=org' with filter '(&(objectClass=groupOfNames)(member=uid\3djuan\2cou\3dusuarios\2cdc\3dejemp lo\2cdc\3dorg))', scope 'sub' (0) ldap : Waiting for search result... (0) ldap : Added control:Ldap-Group with value "profesores" (0) ldap : Processing user attributes (0) ldap : control:Password-With-Header += ''{SSHA}YvCZkmiUfoRuncod2Vm3Bnwr1ueIg3ew'' rlm_ldap (ldap): Released connection (4) (0) [ldap] = ok (0) foreach &control:LDAP-Cached-Membership { (0) } # foreach &control:LDAP-Cached-Membership = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = updated (0) } # authorize = updated (0) Found Auth-Type = PAP (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Auth-Type PAP { (0) pap : Login attempt with password (0) pap : Comparing with "known-good" SSHA-Password (0) pap : Normalizing SSHA1-Password from base64 encoding, 32 bytes -> 24 bytes (0) pap : User authenticated successfully (0) [pap] = ok (0) } # Auth-Type PAP = ok (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default (0) post-auth { (0) [exec] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (reply:EAP-Message && reply:Reply-Message) (0) if (reply:EAP-Message && reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # post-auth = noop Sending Access-Accept Id 2 from 192.168.50.62:1812 to 192.168.60.1:1024 (0) Finished request