ldap group membership required
Daniel Durgin
dan at marsbase10.net
Wed Jan 9 14:50:44 CET 2008
Thank you for the quick reply. I beat my head against it again, and
again. Then noticed the clients file. I got it working.
Alan DeKok wrote:
> Daniel Durgin wrote:
>> I have searched the archives and Google, and there seems to be lots of
>> confusion on the subject: requiring membership in an LDAP group to
>> authenticate.
>
> No.
>
> Authentication involves checking credentials. Authorization involves
> *additional* and *independent* filter rules specifying when and where
> people can authenticate.
>
> If you think of checking group membership as authentication, it means
> that your conceptual model of how the system works is wrong. Hence
> designs of any solution will be wrong, and confusion will be multiplied.
>
>> I can't seem to get it to work. Notice the misspelling of the member:
>>
>> dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
>> cn: min_radius_wifi
>> objectClass: groupOfNames
>> objectClass: top
>> member: cn=tes guest,ou=Guests,dc=fu,dc=bar
>>
>>
>> The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to
>> log in.
>
> So... read the debug output to see why. This is mentioned in so many
> places that there is NO excuse for not doing it.
>
> I also fail to understand why people look at the *configuration* to
> see how the server is *running*. It's like driving a car while looking
> only at a map, and not at the road in front of you. If all goes well,
> it might work. But as soon as a pedestrian steps in front of your car,
> you fail to see him, and *boom*, bad things happen.
>
>> FreeRadius Version: freeradius-1.0.1
>
> Why? That version is *years* old.
It comes with CentOS 5, or one of them Yum Repos. I just needed a
radius server to gateway for my LDAP server.
> Alan DeKok
Thank you for the lesson. I learned a lot.
-Dan
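The authentication/authorization split Alan describes, shown as an added example that is not part of the thread and not FreeRADIUS or rlm_ldap code. It parses a constructed LDIF copy of the group from the post (with the misspelled member DN) plus a corrected group, checks the password as one step and group membership as a separate, independent step, and normalizes DNs for case and separator whitespace while keeping whitespace inside values significant, so "tes guest" never matches "test guest". The credential store, the second group and the password are constructed for the example.

```python
"""Group-membership authorization as a step separate from authentication.

Added illustration, not FreeRADIUS code. The first group entry is copied from
the thread (note the misspelled member DN); the second group, the user store
and the password are constructed for this example.
"""

# Constructed LDIF: the group quoted in the post, plus a corrected copy.
LDIF = """\
dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar
cn: min_radius_wifi
objectClass: groupOfNames
objectClass: top
member: cn=tes guest,ou=Guests,dc=fu,dc=bar

dn: cn=radius_wifi_fixed,ou=Groups,dc=fu,dc=bar
cn: radius_wifi_fixed
objectClass: groupOfNames
objectClass: top
member: CN=Test Guest, OU=Guests, DC=fu, DC=bar
"""

# Constructed credential store standing in for the LDAP bind (normalized DN -> password).
USERS = {"cn=test guest,ou=guests,dc=fu,dc=bar": "s3cret"}


def normalize_dn(dn):
    """Case-fold types and values and drop whitespace around RDN separators.

    Whitespace *inside* a value is kept: 'tes guest' must not equal 'test guest'.
    Simplified RFC 4514 handling (no escaped commas, no multi-valued RDNs);
    case folding mirrors the caseIgnoreMatch used for cn/ou/dc.
    """
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for minimal, unfolded LDIF."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def authenticate(user_dn, password):
    """Step 1: are the credentials right? Says nothing about where they may be used."""
    return USERS.get(normalize_dn(user_dn)) == password


def is_member(entries, group_dn, user_dn):
    """Step 2: an independent authorization rule - is the user in the group?"""
    group = entries.get(normalize_dn(group_dn), {})
    members = {normalize_dn(m) for m in group.get("member", [])}
    return normalize_dn(user_dn) in members


def access_allowed(entries, group_dn, user_dn, password):
    """Both checks must pass; a correct password alone is not enough."""
    return authenticate(user_dn, password) and is_member(entries, group_dn, user_dn)


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    user = "cn=test guest,ou=Guests,dc=fu,dc=bar"
    for group in ("cn=radius_wifi,ou=Groups,dc=fu,dc=bar",
                  "cn=radius_wifi_fixed,ou=Groups,dc=fu,dc=bar"):
        print(group, "->", access_allowed(entries, group, user, "s3cret"))
```

Run against the group as posted, the real user authenticates but is refused because the member DN does not match; against the corrected group, the same user passes both checks. This is what the debug output would show in the real server: a successful bind followed by a failed group comparison, which is why reading the running server's output rather than the configuration finds the problem.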