ldap group membership required
Daniel Durgin
dan at marsbase10.net
Tue Jan 8 20:24:15 CET 2008
Hello,
I have searched the archives and Google, and there seems to be lots of
confusion on the subject: Requiring membership to an LDAP group to
authenticate.
I can't seem to get it to work. Notice the misspelling of the member:
dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar
The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to log in.
FreeRadius Version: freeradius-1.0.1
ldap {
        server = "localhost"
        identity = "uid=authman,dc=fu,dc=bar"
        password = XXXXXXX
        basedn = "dc=fu,dc=bar"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=person)"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        # access_attr = "uid"
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = "cn=radius_wifi,ou=Group,dc=fu,dc=bar"
        timeout = 4
        timelimit = 3
        net_timeout = 1
        #compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = no
}
Thank you for the help,
Dan
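
Added example, not part of the original post and not FreeRADIUS code: a small Python evaluator for the subset of LDAP filter syntax used in the posted groupmembership_filter, run against the group entry from the post (transcribed as constructed data). The function names are hypothetical, and DN comparison is simplified to a case-insensitive string match.

```python
import re

# Constructed from the group entry in the post (attribute names lower-cased).
GROUP_ENTRY = {"objectclass": ["groupOfNames", "top"],
               "member": ["cn=tes guest,ou=Guests,dc=fu,dc=bar"]}
# groupmembership_filter exactly as posted.
FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
          "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

def expand(template, user_dn):
    """Substitute %{Ldap-UserDn}, hex-escaping filter metacharacters (RFC 4515)."""
    esc = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), user_dn)
    return template.replace("%{Ldap-UserDn}", esc)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse one filter starting at f[i]; supports &, | and equality only."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), unescape(value)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry, comparing case-insensitively."""
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    return all(results) if node[0] == "&" else any(results)

def is_member(user_dn, entry=GROUP_ENTRY, template=FILTER):
    node, _ = parse(expand(template, user_dn))
    return matches(node, entry)

if __name__ == "__main__":
    for dn in ("cn=tes guest,ou=Guests,dc=fu,dc=bar",
               "cn=test guest,ou=Guests,dc=fu,dc=bar"):
        print(dn, "->", "member" if is_member(dn) else "not a member")
```

For the posted data the real user's DN does not satisfy the filter, so the directory entry itself excludes that user. In rlm_ldap the filter is only evaluated when an Ldap-Group check item is compared, so that is the part of the configuration to inspect.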