FreeRADIUS and SUN Directory server groups

"Petr \"Qaxi\" Klíma" qaxi at seznam.cz
Mon Sep 18 16:55:57 CEST 2006



Kostas Kalevras wrote:
> Petr "Qaxi" Klíma wrote:
> 
>> "filteredgroup"
>> ===================================================
>> $ ldapsearch cn=gprs_filter
>> dn: cn=gprs_filter,ou=Groups,dc=myorg
>> cn: gprs_filter
>> objectClass: groupofurls
>> objectClass: groupofuniquenames
>> objectClass: top
>> objectClass: iplanet-am-managed-filtered-group
>> objectClass: iplanet-am-managed-group
>> memberURL: ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))
>> ===================================================
>>
>> How should I set groupmembership_filter or how should I use do_xlat (I 
>> probably misunderstand the feature)
> 
> 
> The FreeRADIUS ldap module supports *static* ldap groups. These groups 
> are implemented either as a group entry containing member DN's or as a 
> group membership attribute
> in the user entries. What you are looking for (evaluating the memberURL 
> attribute during group evaluation) cannot be done in an efficient way. 
> The memberURL is mostly an
> informational attribute used when browsing groups. 

Hmm .. SUN Java Enterprise server is using it as authoritative 
user<>group mapping ...

> You will have to use 
> one of the two methods supported for ldap groups to work. Dynamic groups 

What methods?

groupofuniquenames and ... ???

> are costly and should be
> implemented on the ldap server side.

How to do it? Are there any suggestions? There are other DS which use 
such group "filtering" (SUN, Netscape, RedHat (they are from the same 
nest), but Apache DS too ...)

> 
>>


-- 

    Petr Klíma

    e-mail:  qaxi at seznam.cz
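
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch of what evaluating the memberURL above for a single user involves, namely splitting the LDAP URL into base DN, scope and filter, then testing the user's DN and attributes against them. The function names and sample entries are constructed, DN handling is naive, and only `&`, `|`, `!` and equality/substring filters are handled.

```python
import re
from urllib.parse import unquote

MEMBER_URL = "ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))"  # from the post

def parse_member_url(url):
    """Split a host-less LDAP URL into (base_dn, scope, filter)."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected ldap:///base?attrs?scope?filter")
    fields = url[len("ldap:///"):].split("?") + ["", "", ""]
    base, _attrs, scope, flt = (unquote(f) for f in fields[:4])
    return base.lower(), scope or "base", flt or "(objectClass=*)"

def in_scope(dn, base, scope):
    """Naive DN comparison: no escaped commas, no whitespace normalisation."""
    dn = dn.lower()
    if dn == base or not dn.endswith("," + base):
        return dn == base and scope in ("base", "sub")
    rel = dn[: -len(base) - 1]  # part of the DN below the base
    return scope == "sub" or (scope == "one" and "," not in rel)

def _eval(f, i, entry):
    """Evaluate the filter component starting at f[i]; return (result, next_i)."""
    op = f[i + 1]
    if op in "&|!":
        i, results = i + 2, []
        while f[i] == "(":
            r, i = _eval(f, i, entry)
            results.append(r)
        if f[i] != ")" or not results:
            raise ValueError("malformed filter")
        value = {"&": all, "|": any}.get(op, lambda rs: not rs[0])(results)
        return value, i + 1
    end = f.index(")", i)
    attr, _, pattern = f[i + 1:end].partition("=")
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))  # '*' wildcard
    hit = any(re.fullmatch(rx, v, re.I) for v in entry.get(attr.lower(), []))
    return hit, end + 1

def is_dynamic_member(member_url, dn, entry):
    """True if the entry at dn would be returned by the memberURL search."""
    base, scope, flt = parse_member_url(member_url)
    return in_scope(dn, base, scope) and _eval(flt, 0, entry)[0]

USERS = {  # constructed sample entries: lower-case attribute names, list values
    "uid=klima,ou=People,dc=myorg": {"uid": ["klima"], "o": ["mysuborg"]},
    "uid=novak,ou=People,dc=myorg": {"uid": ["novak"], "o": ["mysuborg"]},
    "uid=karel,ou=People,dc=other": {"uid": ["karel"], "o": ["mysuborg"]},
}
```

Of the three sample entries only the first is a member: the second fails the `uid=k*` term and the third lies outside the `dc=myorg` search base.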



