ldap group membership required

Alan DeKok aland at deployingradius.com
Wed Jan 9 04:25:04 CET 2008


Daniel Durgin wrote:
> I have searched the archives and google, and there seems to be lots of
> confusion on the subject: requiring membership in an LDAP group to
> authenticate.

  No.

  Authentication involves checking credentials.  Authorization involves
*additional* and *independent* filter rules specifying when and where
people can authenticate.

  If you think of checking group membership as authentication, it means
that your conceptual model of how the system works is wrong.  Hence
designs of any solution will be wrong, and confusion will be multiplied.

> I can't seem to get it to work.  Notice the misspelling of the member:
> 
> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
> cn: min_radius_wifi
> objectClass: groupOfNames
> objectClass: top
> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
> 
> 
> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
> login.

  So... read the debug output to see why.  This is mentioned in so many
places that there is NO excuse for not doing it.

  I also fail to understand why people look at the *configuration* to
see how the server is *running*.  It's like driving a car while looking
only at a map, and not at the road in front of you.  If all goes well,
it might work.  But as soon as a pedestrian steps in front of your car,
you fail to see him, and *boom*, bad things happen.

> FreeRadius Version: freeradius-1.0.1

  Why?  That version is *years* old.

  Alan DeKok
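Added example, not code from the post or from FreeRADIUS: the two checks Alan distinguishes, modelled against a constructed in-memory stand-in for the directory in the post. The password value and the helper names authenticate/authorize/access_decision are assumptions made for the example.

```python
# Added example (not from the post or FreeRADIUS): authenticate() checks the
# credential; authorize() independently checks groupOfNames membership. The
# entries below are a constructed in-memory stand-in for the LDAP directory.
import hmac

def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim whitespace around RDN separators
    and fold case. Simplification: escaped commas are not handled, and every
    value is treated as case-insensitive (true for cn, ou and dc)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

# Constructed directory. The group entry reproduces the LDIF from the post,
# including the misspelt member DN ("tes guest"); the password is made up.
DIRECTORY = {
    normalize_dn("cn=test guest,ou=Guests,dc=fu,dc=bar"): {
        "userPassword": ["guest-pw"],
    },
    normalize_dn("cn=radius_wifi,ou=Groups,dc=fu,dc=bar"): {
        "objectClass": ["groupOfNames", "top"],
        "member": ["cn=tes guest,ou=Guests,dc=fu,dc=bar"],
    },
}

def authenticate(user_dn: str, password: str, directory=DIRECTORY) -> bool:
    """Authentication: does the credential match? (A real server would bind.)"""
    entry = directory.get(normalize_dn(user_dn))
    if entry is None:
        return False
    stored = entry.get("userPassword", [""])[0]
    return hmac.compare_digest(stored.encode(), password.encode())

def authorize(user_dn: str, group_dn: str, directory=DIRECTORY) -> bool:
    """Authorization: is the user's DN listed in the group's member attribute?
    DNs are compared after normalisation, so a one-letter typo in the member
    value correctly yields 'not a member'."""
    group = directory.get(normalize_dn(group_dn))
    if group is None or "groupOfNames" not in group.get("objectClass", []):
        return False
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))

def access_decision(user_dn: str, password: str, group_dn: str,
                    directory=DIRECTORY) -> str:
    """Both checks must pass; a valid password alone is not enough."""
    if not authenticate(user_dn, password, directory):
        return "Access-Reject: authentication failed"
    if not authorize(user_dn, group_dn, directory):
        return "Access-Reject: authenticated but not a member of the group"
    return "Access-Accept"
```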
