Problem with LDAP and Groups

tnt at tnt at
Fri Oct 12 00:23:45 CEST 2007

Read instructions in huntgroups file. Group devices in huntgroups:

cisco   NAS-IP-Address == a.b.c.d
cisco   NAS-IP-Address == a.b.c.e

linux   NAS-IP-Address == z.y.x.w
linux   NAS-IP-Address == z.y.x.v

Add Huntgroup-Name to the DEFAULT entries:

DEFAULT Huntgroup-Name == "cisco", Ldap-Group == "cisco_priv_15",
User-Profile :=

You can leave out Auth-Type. These attributes will then be passed only
when user logs in from a device in cisco huntgroup. For other entries
Ldap group might match but huntgroup will not.

Things get complicated if roles and devices overlap and you have two or
more entries where both the group and hungroup will match. For instance,
you wanted the same user in priv level 1 and 15 groups. You then have to
add another level of distincion, like a realm/sufix/prefix.

Ivan Kalik
Kalik Informatika ISP

Dana 11/10/2007, "Bryan Evege" <bryan at> piše:

>Message: 6
>> Date: Thu, 11 Oct 2007 21:13:21 +0100
>> From: <tnt at>
>> Subject: Re: Problem with LDAP and Groups
>> To: "FreeRadius users mailing list"
>> 	<freeradius-users at>
>> Message-ID: <bS0cz6Hw.1192133601.8730890.tnt at>
>> Content-Type: text/plain; charset=ISO-8859-2
>>> If I change the fall through to yes it still matches as many groups as the user is in. How can I tell freeradius which attributes to send back?
>> If you want to send sets of attributes according to the NAS user is
>> trying to log into use huntgroups.
>>> For example, bevege is a member of the following groups, packetshapper, cisco_priv_15, cisco_priv_1, linux.
>> Your group allocation is wrong. You can't have the same user(name) on
>> the same device having priv levels 1 and 15. Pick one. Or have him log
>> in as username at 1 and username at 15 and use realms to allocate correct set
>> of attributes.
>> Ivan Kalik
>> Kalik Informatika ISP
>Could you please explain a bit more. From what I understand you cannot
>use Huntgroups to lookup what group a user is in. I only uses /etc/group
>/etc/password. What I would like to do is this. User bevege logs in from
>Cisco router. Have the users file somehow detect that the request has
>come from a cisco router (by IP I would guess) then validate that the
>user is in the correct group and then pass back the specific attributes
>just for the cisco. Same thing for packetshapper etc.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list