posixAccount, posixGroup, and CiscoAVPair

Alan DeKok aland at deployingradius.com
Wed Mar 19 16:33:34 CET 2008


Pietro Accerboni wrote:
> Thanks a lot for the quick answer, it works!

  Yes.  It's really that easy.

  The hard part is usually figuring out how to phrase the policies
correctly.  If the policies are phrased incorrectly, it's *impossible*
to get the server to do what you want... because the policies aren't
doing what you want.

> So the ldap filters I wrote are ok, the problem was on the users file. I
> have 2 more questions:
...
> I want to pick out the gid from the group 'staff', whatever this number
> is, and check this number in the users file.
> May I write something like
> gid=%{ldap:ldap://dc=mydomain,dc=it?gidNumber?sub?(&(posixGroup)(cn=staff))},
> and then use this var in the
> test Ldap-Group!=<gid> in users file?

  Unfortunately, no.  This should be easier in 2.0.

> 2) Maybe a stupid question.
> I found it very difficult to have a clear understanding of how to configure
> freeradius, from the documentation that comes with the rpm/deb package
> and the one I found on freeradius.org.
> Also I looked for a book, but the only one I found is 'Radius' from
> O'Reilly, that is old and far far far away from a 'good book'.

  Well, yes.

> Is there some paper, some book, some doc that explains clearly the
> freeradius world? From a general point of view (Radius Protocol,

  I've got a bit over 200 pages done on my book, but other issues keep
coming up, and preventing me from doing much more.

> Difference in Authorization and Authentication section, etc..) to the
> details (how freeradius uses the request attrs/config attrs/reply attrs,
> the gory details of the single module configuration switch - see my
> mistake with  'compare_check_items=yes' in ldap, etc.)?

  Generally, any module configuration is the least of your worries.  The
most effort is spent writing the correct policies.

  Alan DeKok.



More information about the Freeradius-Users mailing list