Help with LDAP groupOfNames?
Jason Antman
jason at jasonantman.com
Sat Apr 4 07:22:17 CEST 2009
Hi,
I've googled this to no avail (have been working on it for about 4 hours
now). I'm running FreeRADIUS 1.1.0 (SuSE package) and OpenLDAP 2.3.19. I
have an access point that will do captive portal, but only via RADIUS,
not via LDAP natively. I already have an LDAP server running, so I just
added a new groupOfNames called "WirelessUsers".
Basically, *all* I want RADIUS to do is check the username and password,
and assuming they are correct, either allow or deny based on whether the
user is a member of "WirelessUsers". According to radtest, I have it
working with LDAP, but it allows everyone with a valid username and
password access, regardless of the WirelessUsers group - and I'm not
seeing anything related to that group in the LDAP logs.
I can't seem to find anything online for freeradius1 relating to
groupOfNames, so I've just been trying random things that I found online
(for raddb/users) hoping one would work.
radiusd.conf:

    ldap {
        server = "127.0.0.1"
        basedn = "dc=example,dc=com"
        filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        password_attribute = userPassword
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = "memberof"
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
users:

    #DEFAULT Auth-Type == LDAP
    #        Fall-Through = Yes
    DEFAULT LDAP-Group == "WirelessUsers"
            Auth-Type := Reject
    #DEFAULT Ldap-Group != "WirelessUsers", Auth-Type := Reject
    #        Reply-Message = "Sorry, your account has not yet been enabled for wireless access."
    #DEFAULT Huntgroup-Name == "wirelessusers", Ldap-Group == "WirelessUsers", Auth-Type = LDAP
    #DEFAULT Auth-Type := Reject
    #DEFAULT Ldap-Group == "WirelessUsers"
    #        Fall-Through = no
    DEFAULT Ldap-Group == WirelessUsers
            Fall-Through = no
    DEFAULT Auth-Type := Reject
I've tried all of the commented out stuff also, and none of it worked.
All I want is (assuming username & password are correct) allow anyone
who is in "WirelessUsers" group, deny everyone else.
I'm sure this is horribly simple, but I just can't seem to figure it out
from the docs or from extensive googling.
Thanks for any help,
Jason Antman
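Added example, not part of the mailing-list post above: an in-memory model of the membership test that the post's groupmembership_filter expresses, followed by the accept/reject decision the poster describes (valid credentials and membership in "WirelessUsers" give Accept, everything else Reject). The directory entries, user names and passwords are constructed sample data; the base DN, the group name and the two object classes (groupOfNames with member, groupOfUniqueNames with uniqueMember) follow the post. The password check is a plain comparison standing in for an LDAP bind, and DN normalisation is a simplified version of what an LDAP server does. It is meant to show two things a practitioner checks when a group rule silently lets everyone through: the member values must be the user's full DN (the one the user filter returns), and the decision must default to Reject.

```python
"""In-memory model of a groupOfNames / groupOfUniqueNames membership check
and a reject-by-default authorization decision (added example, constructed data)."""
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]      # LDAP attribute -> list of values
Directory = Dict[str, Entry]      # DN -> entry

# Constructed sample directory. The WirelessUsers member value deliberately
# differs in case and spacing from alice's DN to show that DN comparison,
# not string equality, is what makes the membership test succeed.
DIRECTORY: Directory = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "uid": ["alice"],
        "userPassword": ["alice-secret"],   # constructed, plain for the demo
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["posixAccount"],
        "uid": ["bob"],
        "userPassword": ["bob-secret"],
    },
    "cn=WirelessUsers,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["WirelessUsers"],
        "member": ["UID=Alice, OU=People, DC=example, DC=com"],
    },
    "cn=Staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["Staff"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"],
    },
}


def _norm_dn(dn: str) -> str:
    """Simplified DN normalisation: DNs compare case-insensitively and ignore
    whitespace around the separating commas (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _attr(entry: Entry, name: str) -> List[str]:
    """Attribute lookup that is case-insensitive in the attribute name,
    as LDAP is (uniquemember and uniqueMember are the same attribute)."""
    wanted = name.lower()
    return [v for k, vals in entry.items() if k.lower() == wanted for v in vals]


def _has_object_class(entry: Entry, oc: str) -> bool:
    return oc.lower() in (v.lower() for v in _attr(entry, "objectClass"))


def find_user_dn(directory: Directory, username: str) -> Optional[str]:
    """Equivalent of the user filter (&(objectClass=posixAccount)(uid=<name>)).
    Returns the single matching DN, or None if there is no unique match."""
    matches = [dn for dn, e in directory.items()
               if _has_object_class(e, "posixAccount") and username in _attr(e, "uid")]
    return matches[0] if len(matches) == 1 else None


def password_ok(directory: Directory, user_dn: str, password: str) -> bool:
    """Stand-in for the LDAP bind: compares against the constructed userPassword."""
    return password in _attr(directory[user_dn], "userPassword")


def member_groups(directory: Directory, user_dn: str) -> Set[str]:
    """Groups the user belongs to, following the post's groupmembership_filter:
    (|(&(objectClass=groupOfNames)(member=<dn>))
      (&(objectClass=groupOfUniqueNames)(uniqueMember=<dn>)))
    Returns the cn values, i.e. groupname_attribute = cn."""
    target = _norm_dn(user_dn)
    groups: Set[str] = set()
    for entry in directory.values():
        if _has_object_class(entry, "groupOfNames"):
            members = _attr(entry, "member")
        elif _has_object_class(entry, "groupOfUniqueNames"):
            members = _attr(entry, "uniqueMember")
        else:
            continue
        if target in (_norm_dn(m) for m in members):
            groups.update(_attr(entry, "cn"))
    return groups


def authorize(directory: Directory, username: str, password: str,
              required_group: str = "WirelessUsers") -> Tuple[str, str]:
    """Reject-by-default decision: Accept only for a valid password AND
    membership in required_group. Returns (decision, reason)."""
    user_dn = find_user_dn(directory, username)
    if user_dn is None:
        return "Reject", "no unique posixAccount for uid=%s" % username
    if not password_ok(directory, user_dn, password):
        return "Reject", "password check failed for %s" % user_dn
    if required_group not in member_groups(directory, user_dn):
        return "Reject", "%s is not a member of %s" % (user_dn, required_group)
    return "Accept", "%s is a member of %s" % (user_dn, required_group)


if __name__ == "__main__":
    for user, pw in [("alice", "alice-secret"), ("bob", "bob-secret"),
                     ("alice", "wrong"), ("carol", "x")]:
        print(user, *authorize(DIRECTORY, user, pw))
```

Running the module prints one line per constructed login attempt: alice is accepted, while bob (valid password, but only in the groupOfUniqueNames "Staff"), alice with a wrong password, and the unknown user carol are all rejected. The point of the ordering in authorize is that the group test is a separate, final gate after the password check, and that every path that does not positively establish membership ends in Reject.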