Configure authentication via LDAP Group membership issue

David Hobley david.hobley at mionegroup.com
Wed Oct 31 00:49:47 CET 2007


All, 

I have still not been able to find a solution for this. It looks like I might be able to use an xlat rule for it, but I can't get my head around how to write it. Can anyone point me to suitable documentation for xlat? While I have read all the docco that comes with FreeRADIUS (in /usr/share), I am missing something in order to apply it. 

Cheers, 
David 
----- Original Message ----- 
From: "David Hobley" <david.hobley at mionegroup.com> 
To: freeradius-users at lists.freeradius.org 
Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000) Australia/Brisbane 
Subject: Configure authentication via LDAP Group membership issue 


I have set up a VPN pointing to a FreeRadius server and have it 
authenticating successfully against my LDAP server, but I would also like to 
limit access to only those people who are a member of the VPN group. 

Normally, this would be simple, but because of the LDAP server I am using, 
the hierarchy looks like this: 

User Account: 

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)" 
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN 
uidNumber: 1024 
... 

Group entry is: 

ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)" 
dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN 
memberUid: 1024 
... 

So I need to somehow configure Radius to search on me, get my uidNumber and 
then search on the group. If I skip the searching to get the uidNumber, I 
can configure the Radius (for this single account) correctly: 

In the ldap module I include: 
... 
groupname_attribute = cn 
groupmembership_filter = "(memberUid=1024)" 
with the following entry in the users file: 

DEFAULT Auth-Type = LDAP 
Fall-Through = 1 

DEFAULT LDAP-Group == "VPN Users" 
Service-Type = Administrative-User 

and this works as expected, but is there any way I can substitute the 1024 
for an ldap search result so I can dynamically return the uidNumber for the 
%{User-Name} field? 

Thanks! 

Cheers, 
David 
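The two-step lookup the question describes (resolve the user's uidNumber, then test it against the group's memberUid values) as an added example, not code from the post or from FreeRADIUS itself. It works on a constructed LDIF-style sample in the shape of the ldapsearch output quoted above and can be run against real `ldapsearch` output to confirm the directory holds what the RADIUS group check will rely on; the `uid` attribute lines and the second user and group member are assumptions added for the sample.

```python
from typing import Dict, List, Optional

# Constructed sample in the shape of the ldapsearch output quoted in the post.
# Note the twist the post is about: the group's memberUid holds the user's
# uidNumber (1024), not the uid (firstname.lastname).
SAMPLE_LDIF = """\
dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
uid: firstname.lastname
uidNumber: 1024

dn: uid=other.person,ou=people,dc=MY,dc=DOMAIN
uid: other.person
uidNumber: 1025

dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
cn: VPN Users
memberUid: 1024
memberUid: 2048
"""

Entry = Dict[str, List[str]]

def parse_ldif(text: str) -> List[Entry]:
    """Split plain (non-base64) LDIF text into entries; every attribute is multi-valued."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def find_one(entries: List[Entry], attr: str, value: str) -> Optional[Entry]:
    """Return the first entry whose attribute carries the given value, or None."""
    return next((e for e in entries if value in e.get(attr, [])), None)

def resolve_uid_number(entries: List[Entry], username: str) -> Optional[str]:
    """Step 1: the lookup the poster wants done for %{User-Name}."""
    user = find_one(entries, "uid", username)
    if user is None or len(user.get("uidNumber", [])) != 1:
        return None                     # unknown user or ambiguous uidNumber: do not guess
    return user["uidNumber"][0]

def is_group_member(entries: List[Entry], username: str, groupname: str) -> bool:
    """Step 2: what the static "(memberUid=1024)" filter hard-codes, made dynamic."""
    uid_number = resolve_uid_number(entries, username)
    if uid_number is None:
        return False
    group = find_one(entries, "cn", groupname)
    return group is not None and uid_number in group.get("memberUid", [])
```

A user with no resolvable uidNumber is treated as not a member rather than falling back to a uid match, so the check fails closed.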

