FreeRADIUS and LDAP Groups

Tim Gustafson tjg at soe.ucsc.edu
Fri Dec 12 00:52:34 CET 2008


Now that I have FreeRADIUS authenticating users via MSCHAPv2 and the sambaNTPassword attributes, the next step in my project is to limit the system so that only users in certain user groups can log in.

I'm using posixGroup groups, not groupOfNames or groupOfUniqueNames.

In my modules/ldap files I have:

groupname_attribute = "cn"
groupmembership_attribute = "memberUid"
groupmembership_filter = "(memberUid=%{Stripped-User-Name:-%{User-Name}})"

In my users I have

DEFAULT LDAP-Group == foo

However, even with these configuration options set, anyone with a valid login and password can authenticate right now.  In my "radiusd -X" I see:

rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test))
rlm_ldap: object not found or got ambiguous search result

But it then goes on to authenticate the user anyhow:

rlm_ldap: user test authorized to use remote access

I looked around on Google, and I see -lots- of stuff about configuring LDAP group checks, but I haven't found anything that's all too helpful right now.  Is there some option that I have to set to tell the system to ignore a user that's not in the proper group?

And then the follow-up question to this will be: is it possible to configure FreeRADIUS to check for membership in more than one group?  Put another way, how can I let the system authenticate users in the "foo" group -or- in the "bar" group?

Tim Gustafson
SOE Webmaster
UC Santa Cruz
tjg at soe.ucsc.edu
831-459-5354
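As an added example that is not part of the original post, the following Python models the posixGroup check shown in the debug output above (the `(&(cn=foo)(memberUid=test))` filter, with the `Stripped-User-Name`/`User-Name` fallback) and extends it to the "foo or bar" case by turning the group list into an LDAP OR clause; the directory entries and user names are constructed sample data, and the reject-on-no-match policy is the behaviour the poster is asking for, not how rlm_ldap is configured to do it.

```python
# Offline model of the rlm_ldap posixGroup membership check (constructed data,
# not FreeRADIUS code). Shows how the search filter is built for one or more
# groups and what an accept/reject decision keyed on group membership looks like.

# Constructed sample directory: posixGroup entries under dc=blah.
DIRECTORY = [
    {"dn": "cn=foo,ou=groups,dc=blah", "cn": "foo", "memberUid": ["alice", "bob"]},
    {"dn": "cn=bar,ou=groups,dc=blah", "cn": "bar", "memberUid": ["carol"]},
]


def ldap_escape(value: str) -> str:
    """Escape RFC 4515 filter metacharacters so a user name cannot alter the filter."""
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value


def stripped_user_name(user_name: str) -> str:
    """Model %{Stripped-User-Name:-%{User-Name}}: drop a realm suffix if present."""
    return user_name.split("@", 1)[0]


def group_filter(groups, user_name: str) -> str:
    """Build the filter seen in the post's debug output, e.g. (&(cn=foo)(memberUid=test)).
    Several groups become an OR clause: (&(|(cn=foo)(cn=bar))(memberUid=test))."""
    uid = ldap_escape(stripped_user_name(user_name))
    if len(groups) == 1:
        cn_part = f"(cn={ldap_escape(groups[0])})"
    else:
        cn_part = "(|" + "".join(f"(cn={ldap_escape(g)})" for g in groups) + ")"
    return f"(&{cn_part}(memberUid={uid}))"


def matching_groups(groups, user_name: str):
    """Evaluate the same condition against the constructed directory and
    return the cn of every listed group the user is a memberUid of."""
    uid = stripped_user_name(user_name)
    return [e["cn"] for e in DIRECTORY if e["cn"] in groups and uid in e["memberUid"]]


def authorize(groups, user_name: str) -> str:
    """Policy the poster wants: a valid password alone is not enough; the user
    must be in at least one of the listed groups, otherwise reject."""
    return "Access-Accept" if matching_groups(groups, user_name) else "Access-Reject"
```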