LDAP + groups problem

Angel L. Mateo amateo at um.es
Fri Mar 23 13:22:37 CET 2007


Hello,

	We are using freeradius with an LDAP backend for our users. We have a few
services authenticating against the radius server that need to filter
some groups of users.

	For users we have a posix schema: our users have the posixAccount schema,
with their main group in the attribute gidNumber. Something like this:

dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: CourierMailAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001
loginShell: /bin/bash
mail: myuser at domain.com
...

	For the group entry we have:

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup
objectClass: top


	For user's secondary groups we have:

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
objectClass: top
memberUid: myuser

	So this user belongs to groupA (main group) and groupB (secondary
group). This is similar to the /etc/passwd and /etc/group files.

	What I want is for the users entry below to reject access to user
"myuser":

DEFAULT Ldap-Group == "groupB", Auth-Type := Reject
	Reply-Message = "groupB users are not allowed to login"

	I am trying various configurations but I can't find the right one. I have
tried configuring it as:

groupname_attribute = gidNumber
groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_attribute = uid

	but with this configuration I can filter only by the main group (myuser
is still allowed).

	The configuration:

groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
groupmembership_attribute = memberUid

	seems to look only in secondary groups.

	Is there any way to configure it to take both main and secondary groups
into account with this structure?

	Thanks in advance

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \
http://www.um.es/atica                    _(___V
Tfo: 968367590
Fax: 968398337
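An added example, not part of the original post and not FreeRADIUS or rlm_ldap code, that works through the group resolution the post is asking for. The LDIF is constructed from the entries quoted above (a second user, otheruser, is added to exercise the primary-group path); the matching logic is a plain-Python reimplementation of the two filters in the post, run separately and then as a union, so the difference between "primary only", "secondary only" and "both" is visible on the same data. The rule applied at the end is the poster's `Ldap-Group == "groupB" -> Reject` line. Attribute names are compared case-insensitively, as LDAP does; values are compared as-is.

```python
"""Resolve posixAccount group membership (primary gidNumber + secondary
memberUid) from LDIF-style entries, then apply the post's reject rule.
This is an illustrative reimplementation, not rlm_ldap's own logic."""

# Constructed LDIF mirroring the post's entries; otheruser is invented
# so that a user whose *primary* group is groupB is also covered.
LDIF = """\
dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001

dn: uid=otheruser,ou=Users,dc=domain.com
objectClass: posixAccount
uid: otheruser
uidNumber: 123457
gidNumber: 1002

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup
objectClass: top

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
objectClass: top
memberUid: myuser
"""


def parse_ldif(text):
    """Minimal LDIF parser (no line folding, no base64): returns a list of
    dicts mapping lower-cased attribute name -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def has_class(entry, objectclass):
    """Case-insensitive objectClass test, as an LDAP server would do it."""
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))


def groups_for(entries, uid, primary=True, secondary=True):
    """Sorted cn values of the posixGroups `uid` belongs to.

    primary=True   -> groups whose gidNumber equals the user's gidNumber
                      (the post's first filter, via posixAccount/gidNumber)
    secondary=True -> groups listing the uid in memberUid
                      (the post's second filter, via posixGroup/memberUid)
    Both together give the /etc/passwd + /etc/group view the post wants."""
    users = [e for e in entries if has_class(e, "posixAccount") and uid in e.get("uid", [])]
    if not users:
        return []
    primary_gid = users[0].get("gidnumber", [None])[0]
    found = set()
    for e in entries:
        if not has_class(e, "posixGroup"):
            continue
        by_gid = primary and primary_gid is not None and primary_gid in e.get("gidnumber", [])
        by_member = secondary and uid in e.get("memberuid", [])
        if by_gid or by_member:
            found.update(e.get("cn", []))
    return sorted(found)


def authorize(entries, uid, rejected_group="groupB"):
    """Apply the post's users-file rule: Ldap-Group == rejected_group -> Reject."""
    if rejected_group in groups_for(entries, uid):
        return ("Reject", f"{rejected_group} users are not allowed to login")
    return ("Accept", None)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for uid in ("myuser", "otheruser", "nobody"):
        print(uid,
              "primary-only:", groups_for(entries, uid, secondary=False),
              "secondary-only:", groups_for(entries, uid, primary=False),
              "both:", groups_for(entries, uid),
              "->", authorize(entries, uid))
```

Run stand-alone it shows why each single filter in the post only catches half the cases: for myuser the primary-only lookup yields groupA and the secondary-only lookup yields groupB, while otheruser (primary group groupB, no memberUid) is found by the primary-only lookup alone. Only the union rejects both, which is the behaviour the `DEFAULT Ldap-Group == "groupB"` entry needs.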




More information about the Freeradius-Users mailing list