groupmembership_filter for LDAP module [sec: unclas]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Tue Aug 22 09:47:22 CEST 2006
-----Original Message-----
From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Alexei Monastyrnyi
Sent: Tuesday, 22 August 2006 07:12
To: FreeRadius users mailing list
Subject: groupmembership_filter for LDAP module
Hi List.
I am trying to enable group filter to allow only certain LDAP users to
be able to login to my VPN hub.
I run FreeRADIUS 1.0.2 on SPARC Solaris 9
All users are in group
cn=vpnusers,ou=group,dc=mydomain,dc=com
listed as "memberUid"s
In radiusd.conf I have the following
filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_filter = "(&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_attribute = "vpnusers"
It doesn't seem to work: there is no sign of a search for "vpnusers" in the
LDAP server logs, and users that are not in this group are still able to log
in.
I may be missing something... Hints of where to look would be highly
appreciated.
Cheers,
A.
Reply:
1. You need to have an LDAP-Group check item in users:
DEFAULT LDAP-Group == vpnusers
Service-Type = Administrative-User
2. You need groupname_attribute. This is ANDed to the filter, as shown
below.
groupname_attribute = cn
3. Your filter is overcomplicated, all you need is this:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and
2.
That's it. As long as the other settings are right, like the binddn and the
base dn, this should at least generate LDAP activity in the radiusd -X output.
Regards,
Frank Ranner
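Added illustration, not part of either message above and not rlm_ldap's own code: a small Python model of the check the reply describes. It expands the username xlat into groupmembership_filter, ANDs the (groupname_attribute=<group>) term onto it, and evaluates the result against a constructed in-memory copy of the posixGroup entries, so you can see why carol (a member of another group) is rejected and why the cn term matters. The exact bracket layout of the composed filter, the sample directory and the request dicts are this example's assumptions; the RFC 4515 escaping of the substituted username is added here as the check a practitioner would want, and is worth confirming for your own module version.

```python
import re

# Constructed sample directory (not from the original post): two posixGroup
# entries in the shape the question describes, members listed as memberUid.
# Every attribute, including dn, is stored as a list of values.
DIRECTORY = [
    {"dn": ["cn=vpnusers,ou=group,dc=mydomain,dc=com"],
     "objectClass": ["posixGroup"], "cn": ["vpnusers"],
     "memberUid": ["alice", "bob"]},
    {"dn": ["cn=staff,ou=group,dc=mydomain,dc=com"],
     "objectClass": ["posixGroup"], "cn": ["staff"],
     "memberUid": ["alice", "bob", "carol"]},
]

# The two settings from the reply.
GROUPMEMBERSHIP_FILTER = (
    "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))")
GROUPNAME_ATTRIBUTE = "cn"

# The only xlat this example expands; anything else is left untouched.
USERNAME_XLAT = "%{Stripped-User-Name:-%{User-Name}}"


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def expand(template, request):
    """Substitute the (escaped) username into a filter template.
    'request' is a dict of RADIUS attributes; Stripped-User-Name wins if set."""
    name = request.get("Stripped-User-Name") or request["User-Name"]
    return template.replace(USERNAME_XLAT, ldap_escape(name))


def group_filter(groupname, request):
    """Compose the membership search as the reply describes: the
    (groupname_attribute=<group>) term is ANDed onto groupmembership_filter.
    The exact bracket layout is this example's assumption."""
    return "(&(%s=%s)%s)" % (GROUPNAME_ATTRIBUTE, ldap_escape(groupname),
                            expand(GROUPMEMBERSHIP_FILTER, request))


# Minimal filter evaluator: (&...), (|...), (!...) and (attr=value) only.
def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, items = s[i], []
        i += 1
        while s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, items), i + 1
    eq = s.index("=", i)
    end = s.index(")", eq)          # escaped values never hold a raw ')'
    return ("=", s[i:eq], s[eq + 1:end]), end + 1


def parse_filter(s):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), v)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    wanted = _unescape(value).lower()
    for k, vals in entry.items():
        if k.lower() == attr.lower():
            return any(v.lower() == wanted for v in vals)
    return False


def ldap_group_check(groupname, request, directory=DIRECTORY):
    """What 'LDAP-Group == <groupname>' boils down to: does the composed
    filter match at least one entry under the search base?"""
    node = parse_filter(group_filter(groupname, request))
    return any(matches(node, e) for e in directory)


if __name__ == "__main__":
    for user in ("alice", "carol", "bob@mydomain.com", "nobody)(cn=*"):
        req = {"User-Name": user}
        if "@" in user:
            req["Stripped-User-Name"] = user.split("@")[0]
        print(user, "->", group_filter("vpnusers", req),
              "->", ldap_group_check("vpnusers", req))
```

Running it shows alice and bob (via Stripped-User-Name) passing, carol failing because only the staff entry lists her, and the hostile username being neutralised by escaping rather than rewriting the filter. Dropping the cn term, which is what happens when groupname_attribute is missing, would make any posixGroup membership satisfy the check.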