rlm_ldap problem

Norbert Wegener nw at sbs.de
Sat Feb 11 19:23:59 CET 2006


For an 802.1x authentication, radius first asks an AD server for
information about a specific machine account. If this account belongs to
a certain group, the users file is consulted to check which VLAN the
account gets assigned.

In radiusd.conf I set the groupname_attribute in the ldap section:

 groupname_attribute = "primaryGroupID"

This works with a user file and entries like this without problems:

DEFAULT Ldap-Group == "515",  Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = Core1


For some reason I want the operator here not to be ==, but >=
and change the entry to:

DEFAULT Ldap-Group >= "500",  Auth-Type := Accept
        Framed-Type = Framed,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = Core1,
        Fall-Through = no

In this case I get:

rlm_ldap::groupcmp: Group 500 not found or user not a member

Further digging in the output of radiusd -AX unveils the reason:

rlm_ldap: performing search in dc=MYDOM,dc=NET, with filter 
(&(primaryGroupID=500)(|(&(objectClass=GroupOfNames)(member=CN=MC

The search here is done with "=": primaryGroupID=500

Is there any way to honor the operator >= in the users file in this case 
without modifying the source code?

Thanks
Norbert Wegener
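The following Python model is an added illustration of the behaviour described in the post; it is not FreeRADIUS or rlm_ldap code. It parses the check item of a users-file DEFAULT line, builds the equality-only filter fragment seen in the debug output, and contrasts two group checks: one that pushes the value into an LDAP equality filter (so the `>=` operator is dropped and `>= "500"` matches nothing), and a hypothetical server-side comparison that fetches primaryGroupID and applies the operator numerically. The directory entries, DNs and the `groupcmp_server_side` function are constructed assumptions for the example.

```python
import operator
import re

# Constructed sample directory (not real data): machine accounts keyed by DN,
# each carrying the primaryGroupID attribute named as groupname_attribute in
# the post.  RID 515 is Domain Computers, 513 is Domain Users.
DIRECTORY = {
    "CN=MC01,OU=Machines,DC=MYDOM,DC=NET": {"primaryGroupID": "515"},
    "CN=MC02,OU=Machines,DC=MYDOM,DC=NET": {"primaryGroupID": "513"},
    "CN=MC03,OU=Machines,DC=MYDOM,DC=NET": {"primaryGroupID": "1105"},
}

GROUPNAME_ATTRIBUTE = "primaryGroupID"

# Users-file comparison operators with their numeric meaning.
OPS = {
    "==": operator.eq, "!=": operator.ne,
    ">=": operator.ge, "<=": operator.le,
    ">": operator.gt, "<": operator.lt,
}

# First quoted check item on a line, e.g. Ldap-Group >= "500"
CHECK_RE = re.compile(r'(?P<attr>[\w-]+)\s*(?P<op>==|!=|>=|<=|>|<)\s*"(?P<val>[^"]*)"')


def parse_check_item(users_line):
    """Return (attribute, operator, value) of the first check item in a
    users-file line such as: DEFAULT Ldap-Group >= "500",  Auth-Type := Accept"""
    m = CHECK_RE.search(users_line)
    if not m:
        raise ValueError(f"no check item in: {users_line!r}")
    return m.group("attr"), m.group("op"), m.group("val")


def ldap_filter_for(value):
    """Equality filter fragment of the shape shown in the radiusd -AX output.
    Only the groupname part is modelled; the membership clause is omitted."""
    return f"({GROUPNAME_ATTRIBUTE}={value})"


def groupcmp_via_filter(dn, op, value):
    """Model of a group check that puts the users-file value into an LDAP
    equality filter.  The operator is intentionally ignored, which is why
    '>=' ends up behaving exactly like '=='."""
    entry = DIRECTORY[dn]
    return entry.get(GROUPNAME_ATTRIBUTE) == value


def groupcmp_server_side(dn, op, value):
    """Hypothetical alternative (not rlm_ldap behaviour): read the attribute
    from the entry and apply the users-file operator numerically."""
    raw = DIRECTORY[dn].get(GROUPNAME_ATTRIBUTE)
    if raw is None or not raw.isdigit() or not value.isdigit():
        return False
    return OPS[op](int(raw), int(value))


def matching_accounts(users_line, compare):
    """DNs for which the users line's Ldap-Group check succeeds under the
    given comparison strategy."""
    attr, op, value = parse_check_item(users_line)
    if attr != "Ldap-Group":
        raise ValueError(f"expected an Ldap-Group check, got {attr}")
    return sorted(dn for dn in DIRECTORY if compare(dn, op, value))


if __name__ == "__main__":
    eq_line = 'DEFAULT Ldap-Group == "515",  Auth-Type := Accept'
    ge_line = 'DEFAULT Ldap-Group >= "500",  Auth-Type := Accept'
    for line in (eq_line, ge_line):
        _, op, value = parse_check_item(line)
        print(line)
        print("  filter sent to LDAP:", ldap_filter_for(value), "(operator", op, "dropped)")
        print("  via filter:      ", matching_accounts(line, groupcmp_via_filter))
        print("  server-side cmp: ", matching_accounts(line, groupcmp_server_side))
```

Running it shows that the equality filter matches only the RID 515 account for either line once the operator has been dropped, while a numeric `>= 500` comparison would match every account in the sample, including the ordinary Domain Users (513) one. That breadth is worth keeping in mind: a `>= "500"` check on primaryGroupID accepts far more than the `== "515"` Domain Computers line it replaces, so even where the operator is honoured it should be paired with a narrower group test before it hands out a VLAN.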