Background:

 

When a user associated with the ssid Guest, the user will authenticate against a FreeRadius server.  If he has a university account, the FreeRadius server will authenticate him via LDAP.  If he does not have a university account, the FreeRadius server will do the authentication with a guest account database.

 

 

Goal:

 

To reduce the chance to do the LDAP search, the LDAP-group search is successful if the user is in the LDAP and no matter which LDAP group he is in.

 

 

My shot and the problem:

 

I am trying to do a wildcard search in LDAP-Group search, but it looks like the wildcard could not work.

 

Related entries in the file users,

 

<omitted>

 

DEFAULT Called-Station-Id =~ ".*Guest", myldap-Ldap-Group == "*", Autz-Type := Ldap1, Auth-Type := Ldap1

 

DEFAULT Called-Station-Id =~ ".*Guest", Group == "guest", Autz-Type := Web, Auth-Type := System

 

<omitted>

 

 

Debug output,

 

<output omitted>

 

rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter (&(cn=*)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))

 

<output omitted>

 

rlm_ldap::groupcmp: Group * not found or user not a member

rlm_ldap: ldap_release_conn: Release Id: 0

++[files] returns noop

rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

auth: Failed to validate the user.

Login incorrect: [cxu] (from client localhost port 0)

Delaying reject of request 0 for 1 seconds

Going to the next request

Waking up in 0.9 seconds.

Sending delayed reject for request 0

 

Questions:

 

  1. Is there any way to make the wildcard LDAP-group search work?
  2. Whether unlang could be applied here and how?
  3. Any advice?

 

Thanks!

 

Andrew