ldap group membership required

Daniel Durgin dan at marsbase10.net
Tue Jan 8 20:24:15 CET 2008


Hello,

I have searched the archives and Google, and there seems to be lots of
confusion on the subject: requiring membership in an LDAP group to
authenticate.

I can't seem to get it to work.  Notice the misspelling of the member:

dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar


The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login.

FreeRadius Version: freeradius-1.0.1

ldap {
        server = "localhost"
        identity = "uid=authman,dc=fu,dc=bar"
        password = XXXXXXX
        basedn = "dc=fu,dc=bar"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=person)"

        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "uid"

        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5

        password_attribute = userPassword
        groupname_attribute = cn

        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

        groupmembership_attribute = "cn=radius_wifi,ou=Group,dc=fu,dc=bar"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        #compare_check_items = yes
        # do_xlat = yes
        #       access_attr_used_for_allow = no
}

Thank you for the help,
Dan
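As an added example (not part of Dan's post, and not FreeRADIUS code), the following Python script evaluates the same groupmembership_filter expression from the config above against a constructed LDIF snippet. It answers the question a practitioner should settle before touching the RADIUS server: which user DNs does the group entry actually admit? DN comparison is normalised the way LDAP does it (attribute types and these directory-string values compared case-insensitively, whitespace around RDN separators ignored), so a DN that differs only in case still matches while the misspelled "tes guest" member does not. The LDIF, the second group and the parse/normalise helpers are all constructed for this illustration; the helper handles only unescaped commas in DNs.

```python
"""Added example (not from the original post): evaluate the groupOfNames /
groupOfUniqueNames membership filter from the mailing-list config against a
constructed LDIF snippet, to see which user DNs each group really admits."""

import re

# Constructed sample LDIF: the group from the post (with its misspelled
# member) plus a second, hypothetical group whose member DN differs from the
# real user only in case and spacing.
SAMPLE_LDIF = """\
dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar

dn: cn=vpn_users,ou=Groups,dc=fu,dc=bar
cn: vpn_users
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: CN=Test Guest, OU=Guests, DC=fu, DC=bar
"""


def parse_ldif(text):
    """Parse minimal LDIF (one 'attr: value' per line, entries separated by a
    blank line) into a list of {attr_lowercase: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def normalize_dn(dn):
    """Normalise a DN for comparison: strip whitespace around the RDN
    separators and lower-case both attribute types and values. Assumes the
    DN contains no escaped commas (sufficient for the DNs in the post)."""
    rdns = [r.strip() for r in re.split(r"(?<!\\),", dn)]
    return ",".join(r.lower() for r in rdns)


def group_filter_matches(entry, user_dn):
    """Logical equivalent of the post's groupmembership_filter:
    (|(&(objectClass=GroupOfNames)(member=<dn>))
       (&(objectClass=GroupOfUniqueNames)(uniquemember=<dn>)))"""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    want = normalize_dn(user_dn)
    if "groupofnames" in classes:
        if any(normalize_dn(m) == want for m in entry.get("member", [])):
            return True
    if "groupofuniquenames" in classes:
        if any(normalize_dn(m) == want for m in entry.get("uniquemember", [])):
            return True
    return False


def groups_for_user(ldif_text, user_dn):
    """Return the cn (the post's groupname_attribute) of every group entry
    in the LDIF whose membership filter admits user_dn."""
    return [e["cn"][0] for e in parse_ldif(ldif_text)
            if group_filter_matches(e, user_dn)]


if __name__ == "__main__":
    for dn in ("cn=test guest,ou=Guests,dc=fu,dc=bar",
               "cn=tes guest,ou=Guests,dc=fu,dc=bar"):
        print(dn, "->", groups_for_user(SAMPLE_LDIF, dn))
```

Running it shows the real user matching only the hypothetical vpn_users group, while the misspelled DN is the only one radius_wifi admits. The same check against a live directory is an ldapsearch with the filter above, substituting the user's DN for %{Ldap-UserDn}: if that search returns no group entry, FreeRADIUS cannot see the membership either, whatever the rest of the module config says.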


