Problem with LDAP and Groups

Alan DeKok aland at deployingradius.com
Sun Oct 14 07:00:42 CEST 2007


Bryan Evege wrote:
...

  Please edit your posts to the list.  It's annoying to have to scroll
through reams of headers and old messages in order to see your reply.

> Thank you for the reply.  If I change the fall through to yes it still
> matches as many groups as the user is in.  How can I tell freeradius
> which attributes to send back?  It only sends back the attributes of the
> last group it finds.

  Read the documentation for the "users" file, including the "man" page.

> For example, bevege is a member of the following groups, packetshapper,
> cisco_priv_15, cisco_priv_1, linux.  Here is what happens when I try to
> log into one of the packet shappers.  I get the attributes for the
> cisco_priv_1 because it's last in the list and I can't logon.  If I
> change all of the users groups to fall-through=no the packetshapper
> allows me to login but then the cisco profiles don't work because it
> never makes it to them.

  i.e. You want to match on the client AND on the group.  Why not
configure that?

DEFAULT Client-IP-Address == 1.2.3.4, LDAP-Group == ...
	reply with stuff...

> Basically this setup works fine if you're only in one group! What's the
> point of groups if you can only be in one.

  You can be in multiple groups.  You just have to configure the correct
policy.

  Alan DeKok.
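
The following is an added illustration, not part of the mailing-list message and not FreeRADIUS code: a small Python model of how FreeRADIUS walks the "users" file (entries tried top to bottom, all check items must hold, reply items merged, processing stops unless the entry has Fall-Through = Yes). It runs the two policies from the thread side by side: one entry per LDAP group with Fall-Through on every entry, versus entries keyed on Client-IP-Address AND LDAP-Group as suggested above. The group names are the ones from the post; the NAS addresses (192.0.2.x), the reply attributes and the treatment of every reply item as ":=" (replace) are constructed assumptions for the model.

```python
"""Model of how FreeRADIUS walks the ``users`` file (added illustration, not
FreeRADIUS code).  Entries are tried top to bottom; an entry applies when every
check item matches; its reply items are merged into the reply; processing stops
after the first applicable entry unless it carries Fall-Through = Yes.
Assumption: every reply item is treated as ':=' (replaces an earlier value)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Entry:
    check: Dict[str, str]            # check items: attribute -> required value
    reply: Dict[str, str]            # reply items: attribute -> value
    fall_through: bool = False       # "Fall-Through = Yes" among the reply items
    name: str = "DEFAULT"            # first token of the line (DEFAULT or a user)


@dataclass
class Request:
    user_name: str
    client_ip: str                   # Client-IP-Address of the NAS
    ldap_groups: List[str]           # groups rlm_ldap reports for the user


def entry_matches(entry: Entry, req: Request) -> bool:
    """All check items must hold; LDAP-Group tests membership, not equality."""
    if entry.name != "DEFAULT" and entry.name != req.user_name:
        return False
    for attr, wanted in entry.check.items():
        if attr == "Client-IP-Address":
            if req.client_ip != wanted:
                return False
        elif attr == "LDAP-Group":
            if wanted not in req.ldap_groups:
                return False
        else:
            raise ValueError(f"check item {attr} is not modelled here")
    return True


def evaluate(users: List[Entry], req: Request) -> Tuple[Dict[str, str], List[str]]:
    """Return (reply items, labels of the entries that applied, in order)."""
    reply: Dict[str, str] = {}
    applied: List[str] = []
    for e in users:
        if not entry_matches(e, req):
            continue
        applied.append(", ".join(f"{a} == {v}" for a, v in e.check.items()))
        reply.update(e.reply)        # later entries overwrite (':=' semantics)
        if not e.fall_through:
            break                    # first match wins unless Fall-Through = Yes
    return reply, applied


def render_users_file(users: List[Entry]) -> str:
    """Render the same policy in ``users`` file syntax, for pasting into a config."""
    def quote(v: str) -> str:
        return v if v.replace(".", "").replace("_", "").replace("-", "").isalnum() else f'"{v}"'
    lines = []
    for e in users:
        checks = ", ".join(f"{a} == {quote(v)}" for a, v in e.check.items())
        replies = [f"{a} := {quote(v)}" for a, v in e.reply.items()]
        if e.fall_through:
            replies.append("Fall-Through = Yes")
        lines.append(f"{e.name} {checks}")
        lines.append("\t" + ",\n\t".join(replies))
        lines.append("")
    return "\n".join(lines)


# Constructed sample data: the groups are the ones named in the post; the NAS
# addresses are documentation-range placeholders, not from the post.
GROUPS = ["packetshapper", "cisco_priv_15", "cisco_priv_1", "linux"]
SHAPER_IP, CISCO_IP, LINUX_IP = "192.0.2.10", "192.0.2.20", "192.0.2.30"

# Policy as described in the post: one entry per group, Fall-Through = Yes on all.
GROUPS_ONLY = [
    Entry({"LDAP-Group": "packetshapper"}, {"Service-Type": "Administrative-User"}, True),
    Entry({"LDAP-Group": "cisco_priv_15"}, {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}, True),
    Entry({"LDAP-Group": "cisco_priv_1"}, {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=1"}, True),
    Entry({"LDAP-Group": "linux"}, {"Service-Type": "Login-User"}, True),
]

# Policy keyed on the client AND the group; no Fall-Through, so the first
# applicable entry decides.  Put the more privileged Cisco entry first.
CLIENT_AND_GROUP = [
    Entry({"Client-IP-Address": SHAPER_IP, "LDAP-Group": "packetshapper"}, {"Service-Type": "Administrative-User"}),
    Entry({"Client-IP-Address": CISCO_IP, "LDAP-Group": "cisco_priv_15"}, {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=15"}),
    Entry({"Client-IP-Address": CISCO_IP, "LDAP-Group": "cisco_priv_1"}, {"Service-Type": "NAS-Prompt-User", "Cisco-AVPair": "shell:priv-lvl=1"}),
    Entry({"Client-IP-Address": LINUX_IP, "LDAP-Group": "linux"}, {"Service-Type": "Login-User"}),
]

if __name__ == "__main__":
    print(render_users_file(CLIENT_AND_GROUP))
    for ip in (SHAPER_IP, CISCO_IP):
        print(ip, "groups only:     ", evaluate(GROUPS_ONLY, Request("bevege", ip, GROUPS)))
        print(ip, "client and group:", evaluate(CLIENT_AND_GROUP, Request("bevege", ip, GROUPS)))
```

With the group-only policy, a login from the packet shaper matches all four entries and the last ones overwrite the earlier reply items, which is the behaviour complained about in the thread. With Client-IP-Address in the check items, only the entry for that NAS and that group applies. Note that entry order still matters once Fall-Through is off: the cisco_priv_15 entry must precede cisco_priv_1, otherwise a user in both groups gets the lower privilege level.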
