On Thu, 14 Jul 2005, Shelbyville.Unwired wrote:
I would like to check group membership before authenticating user login requests.
I currently have radiusd.conf setup such that all users can login. However after spending several days reading man pages, and searching these archives I haven't found the key that unlocks my problem.
radiusd.conf
# <snip>
ldap { server = "xx.xx.xx.xx" # ad server address identity = "cn=some_user,cn=users,dc=domain,dc=com" # bind account password = "xxx" # bind account password basedn = "cn=users,dc=domain,dc=com" # base dn filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # uid start_tls = no # nope dictionary_mapping = ${raddbdir}/ldap.attrmap # default ldap_connections_number = 5 # why not password_attribute = userPassword # no need to explain
# ok this is where things get real fuzzy - I've read rlm_ldap several times...
timeout = 4 timelimit = 3 net_timeout = 1 }
Users file remains untouched.
Specifically what else do I need to if a user is a member of XYZ_group and if so authenticate them.
Any help would be greatly appreciated. TYIA.
You will define where to search for group memberships in that section above. You left out the configs above. Look for groupname_attribute, groupmembership_filter and groupmembership_attribute. Configure those for how you have groups setup. Then in users file you can define to check for group membership. eg: DEFAULT Huntgroup-Name == dial, Ldap-Group == dial DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl DEFAULT Auth-Type := Reject That says must have dial group if the request comes from a NAS in the dial huntgroup, must have adsl from an adsl nas, otherwise reject.