Trouble with matching LDAP group membership in authorize
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 31 10:19:41 CET 2007
Richard Hesse wrote:
> Never mind, I found the problem. There's a limitation in
> ldap_groupcmp() such that only the last LDAP module instantiated is
> actually checked -- ignoring whatever you specify. I found this info
> from
> http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html.
>
>
That's for the attribute "Ldap-Group". The module-name-prefixed version,
"ldap_enable-Ldap-Group" should work fine.
Your original mail listed:
Hint file:
DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User,
ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable,
Auth-Type := LDAP
You are using := to compare ldap_enable-Ldap-Group - use ==.
Try setting the Autz-Type in the "users" file.
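
The operator mix-up pointed out above can be caught mechanically. The following is an added example, not part of the original message or of FreeRADIUS: a small lint that flags any Ldap-Group check item (plain or module-prefixed) written with an assignment operator instead of a comparison. It assumes the usual users/hints layout in which check items sit on the unindented first line of an entry; the sample text and the function name are constructed for illustration.

```python
import re

# attribute, operator, value; two-character operators are tried before "=".
ITEM = re.compile(
    r'([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|>=|<=|=~|!~|=|>|<)\s*("[^"]*"|[^,\s]+)'
)
# Operators that set an attribute rather than test it.
ASSIGNING = {":=", "=", "+="}

# Constructed sample: line 2 repeats the mistake from the thread,
# line 3 is the corrected form, line 4 is an indented (non-check) line.
SAMPLE = '''\
# hints (constructed sample)
DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := "operations", Autz-Type := ldap_enable, Auth-Type := LDAP
DEFAULT NAS-Port-Type == Virtual, ldap_enable-Ldap-Group == "operations", Autz-Type := ldap_enable
\tFall-Through = Yes
'''


def find_assigned_group_checks(text):
    """Return (line_number, attribute, operator) for every Ldap-Group
    check item that is assigned instead of compared."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue              # blank line or comment
        if line[0].isspace():
            continue              # indented line: not the check-item line
        parts = line.split(None, 1)   # drop the entry name (e.g. DEFAULT)
        if len(parts) < 2:
            continue
        for attr, op, _value in ITEM.findall(parts[1]):
            if attr.lower().endswith("ldap-group") and op in ASSIGNING:
                findings.append((lineno, attr, op))
    return findings


if __name__ == "__main__":
    for lineno, attr, op in find_assigned_group_checks(SAMPLE):
        print(f"line {lineno}: {attr} uses '{op}'; use '==' to compare")
```

Items such as Autz-Type and Auth-Type are left alone, since setting them with := is the intended use.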