need a little help with ldap groupings

Kostas Kalevras kkalev at
Wed May 3 14:29:42 CEST 2006

On Wed, 3 May 2006, Mark Jayson R. Alvarez wrote:

> Hi,
> I have grouped my users in ldap using "groupofNames" objectclass.
> now one group of users which I only want to allow to authenticate to the
> radius server has a dn of:
> dn: cn=radiususers,ou=groups,o=example,dc=com
> It has "member" attributes such as:
> member: uid=user2,ou=people,o=example,dc=com
> member: uid=user3,ou=people,o=example,dc=com
> member: uid=user4,ou=people,o=example,dc=com
> member: uid=user5,ou=people,o=example,dc=com
> In my radiusd.conf I have these lines:
> groupname_attribute = cn
> groupmembership_filter = "(|(&(objectClass=GroupOfNames)
> (member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)
> (uniquemember=%{Ldap-UserDn})))"
> However, I'm not sure where to specify that only the member of the
> group "radiususer" is allowed to authenticate...
> Although I can simply add a dialupAccess attribute to each user I only want
> to allow, it is difficult because I have so many users... If only there's a
> way to just tell radius to only allow the member of this group....

You can also use the access_attr_used_for_allow directive (see doc/rlm_ldap).

See doc/rlm_ldap and ldap_howto.txt for a description of how to use ldap groups.

> Please help..
> thanks.

Kostas Kalevras		Network Operations Center
kkalev at	National Technical University of Athens, Greece
Work Phone:		+30 210 7721861
'Go back to the shadow'	Gandalf
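
Added illustration, not part of the original message and not FreeRADIUS code: a small Python model of how the quoted groupmembership_filter selects groups for a user DN, and how a check on the group name (groupname_attribute = cn) gates access. The directory entries, the "staff" group and all function names are constructed for this example; the DN is escaped per RFC 4515 before it is substituted into the filter.

```python
import re

# Filter and groupname_attribute as quoted in the post.
FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
          "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
GROUPNAME_ATTR = "cn"

# Constructed sample group entries (DNs follow the post's naming).
GROUPS = [
    {"cn": ["radiususers"], "objectclass": ["groupOfNames"],
     "member": ["uid=user2,ou=people,o=example,dc=com",
                "uid=user3,ou=people,o=example,dc=com"]},
    {"cn": ["staff"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["uid=user9,ou=people,o=example,dc=com"]},
]

def escape(value):
    # RFC 4515 escaping, so a DN cannot change the structure of the filter.
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    # Parse one "(...)" filter starting at f[i]; return (node, next_index).
    if f[i + 1] in "&|":
        op, kids, i = f[i + 1], [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, val = f[i + 1:end].split("=", 1)
    return ("=", attr.lower(), unescape(val).lower()), end + 1

def matches(node, entry):
    # Equality leaves compare case-insensitively; & needs all, | needs any.
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    test = all if node[0] == "&" else any
    return test(matches(kid, entry) for kid in node[1])

def user_groups(user_dn):
    tree, _ = parse(FILTER.replace("%{Ldap-UserDn}", escape(user_dn)))
    return [e[GROUPNAME_ATTR][0] for e in GROUPS if matches(tree, e)]

def allowed(user_dn, required="radiususers"):
    return required in user_groups(user_dn)
```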
