LDAP and groups

Kenneth Grady klg at lanl.gov
Thu Sep 29 16:11:27 CEST 2005


   ldapsearch -x cn=my_group
#
# filter: cn=my_group
# requesting: ALL
#

# my_group, group, lanl, gov
dn: cn=my_group,ou=group,dc=lanl,dc=gov
objectClass: groupOfNames
cn: my_group
member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
...
----------------------------------
radiusd.conf (file)
...modules
        # One rlm_ldap instance per group. Its filter only matches when the
        # requesting user's DN is listed as a "member" of the group entry,
        # so no per-user group attribute is needed in the directory.
        ldap My-group_Users {
                server = "ldap"
                net_timeout = 1
                timeout = 3
                timelimit = 4
                ldap_connections_number = 5
                basedn = "dc=lanl,dc=gov"
                #access_attr = "employeeNumber"
                # The group name must match the group entry's cn exactly as
                # the directory stores it (cn: my_group in the ldapsearch
                # output above). The expanded User-Name is interpolated into
                # this filter; rlm_ldap applies LDAP filter escaping to it when
                # it builds the search, and anything that composes the same
                # filter elsewhere must do the same.
                filter = "(&(cn=my_group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
                start_tls = no
                groupname_attribute = cn
                groupmembership_filter = ""
                groupmembership_attribute = my_group
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                compare_check_items = yes
                access_attr_used_for_allow = yes
        }
... authorize
        Autz-Type MY-GROUP {
                redundant {
                        My-group_Users
                        # A user whose DN is not a member of the group is
                        # rejected instead of falling through to other
                        # authorize modules.
                        notfound = reject
                }
        }
----------------------------------
users (file)
...
# Requests from NASes whose address starts with 123.123 are sent through the
# MY-GROUP block above. Note the unescaped dots: in a regex "." matches any
# character, so "^123\.123\." is the stricter prefix match.
DEFAULT	NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP

There's probably a better way, but this worked for what I wanted.




On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hello there,
> 
> I have a small problem. And I read the documentation. And I can't find 
> what's wrong.
> 
> I have a corporate LDAP with users and group.
> 
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
> 
> I need to authenticate members of a certain group, and not of another ...
> 
> Every doc I read mentions that you have to create an attribute "per user" 
> ...
> 
> Any other way ?
> 
> Regards,
> Jean-Francois Gobin
> 
> - ----------
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be   mailto:gobin at gobinjf.be
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (FreeBSD)
> Comment: Made with pgp4pine 1.76
> 
> iD8DBQFDO6+pkkg3QInH2uURAkoTAJ9CiiYoljx0B2zP/tInkSG4TwiwIgCbBWft
> g16kNx6wUzO1va189DJmHRA=
> =kTQn
> -----END PGP SIGNATURE-----
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html