________________________________ From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.or g [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freer adius.org] On Behalf Of Hangjun He Sent: Wednesday, 19 December 2007 19:32 To: FreeRadius users mailing list Subject: RE: Can I get group-name from Active-directory? [sec=unclassified] I add group parameters in rlm_ldap section. Seems freeradius not do group search. groupname_attribute = memberOf groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})" Anything else I need to configure in radiusd.conf? Yes, you need 'files' enabled in authorize section, then in raddb/users to need to set check rules against your groups # Keep managers out of technical things DEFAULT Ldap-Group == "Managers", Auth-Type := Reject # network operations members have admin access to entire network, see ldap for access details # DEFAULT Ldap-Group == "netops", User-Profile:='cn=netops,ou=profiles,dc=demo,dc=com' # Regular users can access network systems by being in the appropriate ldap group # DEFAULT Ldap-Group == `%{Huntgroup-Name}` Access-Level := RW, Service-Type = Administrative-User, Cisco-AVPair := "shell:priv-lvl=15" Try and keep your rules to a minimum as each Ldap-Group line generates an ldap search. The rule most likely to succeed should be tried earlier. The technique above is efficient because huntgroup/usergroup only needs one test. Otherwise you would need to do: DEFAULT Huntgroup-Name == 'sales', Ldap-Group == 'sales' ... DEFAULT Huntgroup-Name == 'marketing', Ldap-Group == 'marketing' ... Anyway, the answer is the ldap group lookups don't happen until you ask for it, and you ask for it in 'users' by comparing Ldap-Group with something. Regards, Frank Ranner