FREERADIUS and SUN Directory server groups

Kostas Kalevras kkalev at noc.ntua.gr
Mon Sep 18 14:51:38 CEST 2006


Petr "Qaxi" Klíma wrote:

> Hello
>
> I am using freeradius (1.0.1) with SUN directory server (5.2)
>
> Authentication (username:password) works well but I do not know how to 
> use LDAP for group mapping (to Ldap-Group).
>
> The problem:
>
> in SUN DS there are groups defined in two ways (If you use SUN JES 
> system)
>
> ===================================================
> "subscribe group"
> $ ldapsearch cn=gprs_subscr
> dn: cn=gprs_subscr,ou=Groups,dc=myorg
> cn: gprs_subscr
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> objectClass: iplanet-am-managed-assignable-group
> objectClass: iplanet-am-managed-group
> memberURL: ldap:///dc=myorg??sub?memberof=cn=gprs_subscr,ou=Groups,dc=myorg
> iplanet-am-group-subscribable: false
> ===================================================
>
> or
>
> "filteredgroup"
> ===================================================
> $ ldapsearch cn=gprs_filter
> dn: cn=gprs_filter,ou=Groups,dc=myorg
> cn: gprs_filter
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> objectClass: iplanet-am-managed-filtered-group
> objectClass: iplanet-am-managed-group
> memberURL: ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))
> ===================================================
>
> How should I set groupmembership_filter, or how should I use do_xlat?
> (I probably misunderstand the feature.)


The FreeRADIUS ldap module supports *static* ldap groups. These groups
are implemented either as a group entry containing member DNs or as a
group membership attribute in the user entries. What you are looking for
(evaluating the memberURL attribute during group evaluation) cannot be
done in an efficient way. The memberURL is mostly an informational
attribute used when browsing groups. You will have to use one of the two
methods supported for ldap groups to work. Dynamic groups are costly and
should be implemented on the ldap server side.

>
> Thanks for any help
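
The two static-group methods Kostas describes, written up as an added example configuration for the FreeRADIUS 1.x ldap module (this is not code from either post). It assumes users and groups both sit under dc=myorg, a service bind DN cn=radius,dc=myorg, a placeholder server name, and, for the attribute method, that user entries carry a memberof attribute holding the group DN, which is what the first group's memberURL filters on.

```conf
# Added example (not from the list posts): FreeRADIUS 1.x rlm_ldap settings for
# the two static group methods, against the DIT shown in the question.
# ASSUMED: bind DN cn=radius,dc=myorg, the server name, and a memberof
# attribute on user entries holding the group DN.
modules {
    ldap {
        server = "ldap.myorg.example"          # placeholder hostname
        identity = "cn=radius,dc=myorg"        # assumed service account
        password = "CHANGE-ME"                 # placeholder
        basedn = "dc=myorg"                    # must cover ou=People and ou=Groups
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Method 1: the group entry lists its members. An Ldap-Group check
        # searches basedn for an entry whose cn equals the requested group
        # and whose uniqueMember holds the user's DN (%{Ldap-UserDn}).
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%{Ldap-UserDn}))"

        # Method 2: the user entry names its groups. A value equal to the
        # group name, or a group DN whose cn matches, satisfies the check.
        groupmembership_attribute = memberof

        # do_xlat expands %{...} only in attribute values returned for the
        # user (e.g. radiusCheckItem/radiusReplyItem); it plays no part in
        # group evaluation, so it cannot be used to evaluate memberURL.
        do_xlat = yes
    }
}

authorize {
    preprocess
    ldap
    files
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}

# ---- /etc/raddb/users: gate access on group membership ----
# The first matching DEFAULT entry ends processing (no Fall-Through), so
# anyone outside gprs_subscr reaches the reject entry.
DEFAULT Ldap-Group == "gprs_subscr", Auth-Type := LDAP
        Service-Type = Framed-User

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a GPRS subscriber"
```

Either method alone is enough; with both configured, rlm_ldap tries the group search first and falls back to the user's memberof values.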
