LDAP and FreeRadius Authentication - One user, multiple groups
Mark Litchfield
mark at visper.net
Wed Jul 27 01:31:31 CEST 2005
>> I have freeradius and LDAP authenticating nicely. The problem I am
>> running into is that when I id a user, it only shows the primary group
>> that user is a member of. How can I get FreeRadius to report the other
>> groups that the user belongs to?
>>
>> Mark Litchfield
> Sorry I don't understand. Can you explain what you mean by "only shows
> the primary group" and "report the other groups". Report to what?
> Perhaps some radiusd -X output and an explanation of what you are trying
> to do would help.
Using the following tree in LDAP:
dc: treeroot
|_ou: accounts
| |_ou: domain1
| | |_uid: joe
| |   mail: joe@domain1
| |   uid: 10001
| |   gid: 11000
| |_ou: domain2
|   |_uid: joe
|     mail: joe@domain2
|     uid: 10002
|     gid: 11001
|_ou: groups
  |_cn: group1
  | uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
  | gid: 11000
  |_cn: group2
  | uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
  | gid: 11001
  |_cn: group3
    uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
    uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
    gid: 11002
When I "su" in as joe@domain1 and run "id" from the prompt I get:
joe(10001), group1(11000)
When I should get
joe(10001), group1(11000), group3(11002)
The overall desired effect:
1. System will support multiple domains.
2. Duplicate user names cannot exist within the same domain (i.e. there can be only one username "joe" per domain, but each domain can have a username "joe").
3. Users can be members of several groups. Cross-domain group membership may be supported (joe@domain1 is a member of group1 and joe@domain2 is a member of group2; both of them are members of group3).
4. User / group authorization must be available to the filesystem / OS. I am trying to replace the use of /etc/passwd and /etc/group for filesystem permissions, login, etc.
Please, anyone, tell me if I am insane for attempting this, if this is even possible, or if there is an open-source alternative that will do all this and work with postfix and apache for user AAA. I would much rather get this to work in LDAP with FreeRadius.
On a side note, same topic... I have been looking for a way to do nested groups in LDAP with FreeRadius. Is this possible and how?
BTW, I was unable to grab the radiusd -X output. The machine is not available to me for a few days. Taking a short break before I snap.
Thanks
Mark Litchfield
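Added example, not part of the original post. The supplementary groups that "id" prints come from the OS group lookup (on a FreeRADIUS/LDAP box that is the NSS LDAP module, not RADIUS), and that lookup is a subtree search under ou=groups for entries whose uniqueMember equals the user's full DN. The script below models exactly that search against an in-memory copy of the tree from the post, so it shows why the two "joe" accounts resolve to different group sets (membership is keyed on the DN, which includes the domain OU) and, for the nested-groups side question, one common way to model nesting: a group's uniqueMember holding another group's DN. Assumptions: the attribute names uidNumber/gidNumber (RFC 2307 posixAccount/posixGroup) stand in for the "uid"/"gid" numbers in the post's tree, the extra group cn=staff is hypothetical, and nested membership via group DNs is an assumed convention, not something the post's schema shows.

```python
"""Model of the NSS-style group lookup for users stored in LDAP.

Constructed in-memory directory: DN -> attributes. It mirrors the tree from
the post, with the numeric attributes named as RFC 2307 does (assumption).
A real client would issue the equivalent search, e.g.:
  ldapsearch -b ou=groups,dc=treeroot \
    '(uniqueMember=uid=joe,ou=domain1,ou=accounts,dc=treeroot)' cn gidNumber
"""

GROUP_BASE = "ou=groups,dc=treeroot"

DIRECTORY = {
    "uid=joe,ou=domain1,ou=accounts,dc=treeroot": {
        "uid": ["joe"], "mail": ["joe@domain1"],
        "uidNumber": [10001], "gidNumber": [11000]},
    "uid=joe,ou=domain2,ou=accounts,dc=treeroot": {
        "uid": ["joe"], "mail": ["joe@domain2"],
        "uidNumber": [10002], "gidNumber": [11001]},
    "cn=group1,ou=groups,dc=treeroot": {
        "cn": ["group1"], "gidNumber": [11000],
        "uniqueMember": ["uid=joe,ou=domain1,ou=accounts,dc=treeroot"]},
    "cn=group2,ou=groups,dc=treeroot": {
        "cn": ["group2"], "gidNumber": [11001],
        "uniqueMember": ["uid=joe,ou=domain2,ou=accounts,dc=treeroot"]},
    "cn=group3,ou=groups,dc=treeroot": {
        "cn": ["group3"], "gidNumber": [11002],
        "uniqueMember": ["uid=joe,ou=domain1,ou=accounts,dc=treeroot",
                         "uid=joe,ou=domain2,ou=accounts,dc=treeroot"]},
    # Hypothetical nested group (not in the post): its member is a group DN.
    "cn=staff,ou=groups,dc=treeroot": {
        "cn": ["staff"], "gidNumber": [11003],
        "uniqueMember": ["cn=group3,ou=groups,dc=treeroot"]},
}


def search(base, attr, value):
    """Stand-in for an LDAP subtree search with filter (attr=value).

    DNs are compared case-insensitively, as a directory server does for
    distinguishedName-syntax attributes like uniqueMember.
    """
    suffix = "," + base.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix)
            and any(v.lower() == value.lower() for v in attrs.get(attr, []))]


def supplementary_groups(user_dn, nested=False):
    """Return {cn: gidNumber} for every group listing user_dn as uniqueMember.

    With nested=True, groups that list a matched group's DN are walked too
    (assumed convention for nested groups). A seen-set stops cycles.
    """
    found, queue, seen = {}, [user_dn], set()
    while queue:
        dn = queue.pop()
        if dn.lower() in seen:
            continue
        seen.add(dn.lower())
        for group_dn in search(GROUP_BASE, "uniqueMember", dn):
            attrs = DIRECTORY[group_dn]
            found[attrs["cn"][0]] = attrs["gidNumber"][0]
            if nested:
                queue.append(group_dn)
    return found


def group_name(gid):
    """Map a gidNumber to its group cn under GROUP_BASE (like getgrgid)."""
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith("," + GROUP_BASE) and attrs["gidNumber"][0] == gid:
            return attrs["cn"][0]
    return str(gid)


def id_line(user_dn, nested=False):
    """Render the 'id'-style output: uid, primary group, supplementary groups."""
    user = DIRECTORY[user_dn]
    gid = user["gidNumber"][0]
    primary = group_name(gid)
    groups = supplementary_groups(user_dn, nested)
    groups.pop(primary, None)  # the primary group is listed once, first
    parts = [f"{user['uid'][0]}({user['uidNumber'][0]})", f"{primary}({gid})"]
    parts += [f"{cn}({g})" for cn, g in sorted(groups.items(), key=lambda kv: kv[1])]
    return ", ".join(parts)


if __name__ == "__main__":
    for dn in ("uid=joe,ou=domain1,ou=accounts,dc=treeroot",
               "uid=joe,ou=domain2,ou=accounts,dc=treeroot"):
        print(dn, "->", id_line(dn), "| nested:", id_line(dn, nested=True))
```

The point to check on a real system is the filter: if the NSS group lookup is configured to match on a bare username (memberUid=joe) instead of the full DN, both joes collapse into one identity and every group either of them belongs to is granted to both; matching on uniqueMember with the complete DN is what keeps joe@domain1 and joe@domain2 distinct.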