Problem with LDAP and Groups
aland at deployingradius.com
Sun Oct 14 07:00:42 CEST 2007
Bryan Evege wrote:
Please edit your posts to the list. It's annoying to have to scroll
through reams of headers and old messages in order to see your reply.
> Thank you for the reply. If I change the fall through to yes it still
> matches as many groups as the user is in. How can I tell freeradius
> which attributes to send back? It only sends back the attributes of the
> last group it finds.
Read the documentation for the "users" file, including the "man" page.
> For example, bevege is a member of the following groups, packetshapper,
> cisco_priv_15, cisco_priv_1, linux. Here is what happens when I try to
> log into one of the packet shapers. I get the attributes for the
> cisco_priv_1 because it's last in the list and I can't logon. If I
> change all of the users groups to fall-through=no the packetshapper
> allows me to login but then the cisco profiles don't work because it
> never makes it to them.
i.e. You want to match on the client AND on the group. Why not
  DEFAULT Client-IP-Address == 220.127.116.11, LDAP-Group == ...
          reply with stuff...
> Basically this setup works fine if you're only in one group! What's the
> point of groups if you can only be in one.
You can be in multiple groups. You just have to configure the correct
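The client-plus-group matching suggested in the reply, written out as "users" file entries. This is an added example, not part of the original message: the client addresses are constructed (documentation range), the group names are the ones from the thread, and the reply attributes and the final reject entry are assumptions about what each device expects.

```conf
# Entries are tried top to bottom. Each one requires BOTH the NAS address
# and the LDAP group to match, and stops processing with Fall-Through = No,
# so a user in several groups gets only the profile for the device in use.

# Packet shaper (constructed address). Reply-Message stands in for whatever
# attributes that device actually needs.
DEFAULT Client-IP-Address == 192.0.2.10, LDAP-Group == "packetshapper"
	Reply-Message = "packet shaper profile",
	Fall-Through = No

# Cisco device (constructed address). The higher privilege group is listed
# first so a member of both Cisco groups gets level 15.
DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_15"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=15",
	Fall-Through = No

DEFAULT Client-IP-Address == 192.0.2.20, LDAP-Group == "cisco_priv_1"
	Service-Type = NAS-Prompt-User,
	Cisco-AVPair = "shell:priv-lvl=1",
	Fall-Through = No

# Nothing above matched: the user is in no group that is allowed on this
# device, so refuse instead of falling back to some other group's profile.
DEFAULT Auth-Type := Reject
	Reply-Message = "Not authorized for this device"
```

Running the server in debug mode (radiusd -X) shows which entry matched for a given request.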