simple Ldap-group search
Markus Moeller
huaraz at moeller.plus.com
Fri Jan 25 21:14:20 CET 2008
I think you need to use Ldap-Group instead of myldap-Ldap-Group, or do you use do_xlat?
Markus
"cxu" <cxu at unbsj.ca> wrote in message news:200801241502.m0OF2I2k052951 at mxdrop8.xs4all.nl...
Background:
When a user associates with the SSID Guest, the user will authenticate against a FreeRadius server. If he has a university account, the FreeRadius server will authenticate him via LDAP. If he does not have a university account, the FreeRadius server will do the authentication with a guest account database.
Goal:
To reduce the chance of doing the LDAP search, the LDAP-group search is successful if the user is in the LDAP, no matter which LDAP group he is in.
My shot and the problem:
I am trying to do a wildcard search in the LDAP-Group search, but it looks like the wildcard does not work.
Related entries in the file users,
<omitted>
DEFAULT Called-Station-Id =~ ".*Guest", myldap-Ldap-Group == "*", Autz-Type := Ldap1, Auth-Type := Ldap1
DEFAULT Called-Station-Id =~ ".*Guest", Group == "guest", Autz-Type := Web, Auth-Type := System
<omitted>
Debug output,
<output omitted>
rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter (&(cn=*)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
<output omitted>
rlm_ldap::groupcmp: Group * not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [cxu] (from client localhost port 0)
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Questions:
1. Is there any way to make the wildcard LDAP-group search work?
2. Could unlang be applied here, and how?
3. Any advice?
Thanks!
Andrew