ldap group membership required

Wed Jan 9 14:50:44 CET 2008

Thank you for the quick reply.  I beat my head against it again, and 
again.  Then noticed the clients file.  I got it working.

Alan DeKok wrote:
> Daniel Durgin wrote:
>> I have search the archives and google, and there seems to be lots of
>> confusion on the subject: Requiring membership to and LDAP group to
>> authenticate.
> 
>   No.
> 
>   Authentication involves checking credentials.  Authorization involves
> *additional* and *independent* filter rules specifying when and where
> people can authenticate.
> 
>   If you think of checking group membership as authentication, it means
> that you're conceptual model of how the system works is wrong.  Hence
> designs of any solution will be wrong, and confusion will be multiplied.
> 
>> I can seem to get it to work.  Notice the misspelling og the member:
>>
>> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
>> cn: min_radius_wifi
>> objectClass: groupOfNames
>> objectClass: top
>> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
>>
>>
>> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
>> login.
> 
>   So... read the debug output to see why.  This is mentioned in no many
> places that there is NO excuse for not doing it.
> 
>   I also fail to understand why people look at the *configuration* to
> see how the server is *running*.    It's like driving car while looking
> only at a map, and not at the road in front of you.  If all goes well,
> it might work.  But as soon as a pedestrian steps in front of your car,
> you fail to see him, and *boom*, bad things happen.
> 
>> FreeRadius Version: freeradius-1.0.1
> 
>   Why?  That version is *years* old.

It comes with CentOS 5, or one of them Yum Repos.  I just needed a 
radius server to gateway for my LDAP server.

>   Alan DeKok
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Thank you for the lesson I learned a lot.

-Dan