ads questions and multiple values

liz liz at
Sat Apr 8 09:07:28 CEST 2006

  A few more questions :)

I've now gone through the book ( I feel like such a snob reading it  
on the bus ==)  and have a better understanding of how Freeradius  
works. I have gotten it to search for an attribute in LDAP and return  
it the NAS. What I would like to do is to have it be able to query  
the memberOf attribute in the acrtive directory server and then  
verify if the user is in any of those groups and than permit access  
based on that membership. Heres what im wondering

a) When I query the attribute it returns multiple cn=... results. In  
the debug log I see it setting  this as xxx.xxxx which is understood  
by our nas equipment. It does it four times, But in the reply packet  
I only see it sending one and not four. Am I correct to assume that  
it will only send one of the responses to the Nas.

b) I think I can use the Users file to determine which group the user  
is a member of and then have it send an attribute back to the Nas  
telling it which role to set. Is the the attribute returning multiple  
groups a problem (not multiple attributes, one attribute several bits  
of data  seperated by a delimiter) ?

c) can I strip the leading cn= bit from the response the ldap server  
sends ( I saw an article somewhere about using an operator in the  
LDAP.attrmap file)  and once thats done can it use the groups  
returned in the users file?


More information about the Freeradius-Users mailing list