Configure authentication via LDAP Group membership issue [sec=unclassified]

Ranner, Frank MR Frank.Ranner at
Wed Oct 31 01:20:36 CET 2007


	From: freeradius-users-bounces at
[mailto:freeradius-users-bounces at] On Behalf Of
David Hobley
	Sent: Wednesday, 31 October 2007 10:50
	To: FreeRadius users mailing list
	Subject: Re: Configure authentication via LDAP Group membership
	I have still not been able to find a solution for this, it looks
	like I might be able to use an xlat rule for it, but I can't get my head
	around how to write it. Can anyone point me to suitable documentation
	for xlat - while I have read all the docco that comes with the
	FreeRadius (in /usr/share) I am missing something in order to apply it.
	----- Original Message -----
	From: "David Hobley" <david.hobley at>
	To: freeradius-users at
	Sent: Tuesday, 23 October 2007 04:10:51 PM (GMT+1000)
	Subject: Configure authentication via LDAP Group membership
	I have set up a VPN pointing to a FreeRadius server and have it
	authenticating successfully against my LDAP server, but I would
	also like to limit access to only those people who are a member
	of the VPN
	Normally, this would be simple, but because of the LDAP server I
	am using, the hierarchy looks like this:
	User Account:
	ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN"
	dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
	uidNumber: 1024
	Group entry is:
	ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
	dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
	memberUid: 1024
	So I need to somehow configure Radius to search on me, get my
	uidNumber and then search on the group. If I skip the searching
	to get the uidNumber, I can configure the Radius (for this single
	account) correctly:
	In the ldap module I include:
	                groupname_attribute = cn
	                groupmembership_filter = "(memberUid=1024)"
	with the following entry in the users file:
	        Fall-Through = 1
	DEFAULT LDAP-Group == "VPN Users"
	        Service-Type = Administrative-User
	and this works as expected, but is there any way I can
	substitute the 1024 for an ldap search result so I can
	dynamically return the uidNumber for the %{User-Name} field?
The memberUid attribute in a posixGroup is supposed to hold the uid, not
the uidNumber. That would make your groupmembership_filter =
"(memberUid=%{User-Name})" or, more robustly,
groupmembership_filter =

Frank Ranner
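The two halves of the thread's configuration side by side, as an added example that is not taken from the original posts or from the FreeRADIUS project: the hard-coded filter from the question and a filter that expands the authenticating user's name per request, plus a users file that rejects anyone who is not in the group. The server, base DN, attribute names and group name are the ones from the question; the `Stripped-User-Name` fallback, the `filter` line, the file locations in the comments and the trailing Reject entry are assumptions added here, not something the thread states.

```conf
# ldap module stanza (radiusd.conf in FreeRADIUS 1.x; modules/ldap in 2.x)
ldap {
        server = "ldap"
        basedn = "dc=MY,dc=DOMAIN"
        # Locate the user entry: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
        # (assumption: the login name is the uid, as in the question's dn)
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # For an LDAP-Group == "X" check, rlm_ldap searches for
        #   (&(<groupname_attribute>=X)<groupmembership_filter>)
        # so with cn it becomes (&(cn=VPN Users)(memberUid=...)).
        groupname_attribute = cn

        # Hard-coded filter from the question: only ever matches one account.
        # groupmembership_filter = "(memberUid=1024)"

        # Per-request filter: memberUid in a posixGroup holds the uid string,
        # i.e. the name the user logs in with, so expand it from the request.
        # Stripped-User-Name is used when a realm suffix has been removed and
        # falls back to User-Name otherwise (assumption: realm handling, if
        # any, runs before this module).
        groupmembership_filter = "(memberUid=%{Stripped-User-Name:-%{User-Name}})"
}

# users file: members get the reply items; everyone else is rejected.
# The first DEFAULT carries no Fall-Through, so a member stops there and
# never reaches the Reject entry.
DEFAULT LDAP-Group == "VPN Users"
        Service-Type = Administrative-User

DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of VPN Users"
```

Because the filter value now comes from the request, the thing to check is LDAP filter injection. rlm_ldap runs its own escape function over expanded values before the search, hex-escaping filter metacharacters such as `*`, `(`, `)` and `\`, so a User-Name like `*)(cn=*` is looked up literally instead of widening the filter; confirm that for your version by running `radiusd -X` and reading the filter it logs for the group search. An `ldapsearch` typed at the shell does no such escaping, so do not reason about the module's behaviour from a hand-built filter.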
