Restricting Access by Group Membership

Dusty Doris freeradius at
Wed Jul 20 22:07:34 CEST 2005

On Wed, 20 Jul 2005 jp at wrote:

> My fault... members of that group are DENIED access.  Now I get it.
> So, that leads me to another question.  How do I change the syntax so that users
> are ALLOWED access if they are a member of the specified group?  I tried
> changing the line in the users file to Auth-Type := Allow, but this didn't work.
>  Unfortunately, I can't find anything on this in rlm_ldap or FAQ.
> Thanks in advance,
> Josh

Just think backwards.

DEFAULT Ldap-Group == "cn=remoteusers,o=services"

DEFAULT Auth-Type := Reject
        Reply-Message = "Your account has been disabled"

That will see if you match Ldap-Group. If not, you won't match that line
in the users file so it will try the next line.  The next line rejects

More information about the Freeradius-Users mailing list
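
The evaluation order the reply relies on, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of users-file matching, run against the two entries from the post. The function names, the `cn=staff,o=services` group, and the Fall-Through variant are constructed for illustration; the model assumes first match wins unless an entry's reply items set `Fall-Through = Yes`, and it only understands `Ldap-Group` comparisons.

```python
import re

# attr, operator, value (quoted values may contain commas, e.g. an LDAP DN)
ITEM = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    """Parse users-file text into entries with check and reply item lists."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM.findall(line)]
        if line[0].isspace():      # indented line: reply items of the last entry
            entries[-1]["reply"] += items
        else:                      # column 0: entry name followed by check items
            entries.append({"name": line.split()[0], "check": items, "reply": []})
    return entries

def authorize(text, user_groups):
    """Return (rejected, reply) after walking the entries top to bottom."""
    control, reply = {}, {}
    for entry in parse_users(text):
        # Model limit: the only '==' comparison understood is Ldap-Group membership.
        if any(op == "==" and not (a == "Ldap-Group" and v in user_groups)
               for a, op, v in entry["check"]):
            continue               # check items did not match, try the next entry
        # ':=' on the check line always matches and sets a control item.
        control.update({a: v for a, op, v in entry["check"] if op == ":="})
        items = {a: v for a, _, v in entry["reply"]}
        fall_through = items.pop("Fall-Through", "No").lower() == "yes"
        reply.update(items)
        if not fall_through:
            break                  # first match wins unless Fall-Through = Yes
    return control.get("Auth-Type") == "Reject", reply

# The two entries from the post.
POLICY = '''
DEFAULT Ldap-Group == "cn=remoteusers,o=services"

DEFAULT Auth-Type := Reject
        Reply-Message = "Your account has been disabled"
'''
# Constructed variant: Fall-Through on the group entry lets the Reject entry run too.
POLICY_FALL_THROUGH = POLICY.replace(
    '"cn=remoteusers,o=services"\n',
    '"cn=remoteusers,o=services"\n        Fall-Through = Yes\n', 1)

MEMBER = {"cn=remoteusers,o=services"}
OUTSIDER = {"cn=staff,o=services"}   # constructed group DN
```

A result of "not rejected" here only means the request passed this group gate; the user still has to authenticate. The Fall-Through variant shows the failure mode to watch for when editing the allow entry: group members then reach the catch-all Reject as well.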