Freeradius 1.X.X and LDAP groups.
Michael March
mmarch at gmail.com
Thu Sep 10 09:50:15 CEST 2009
I've been playing around with this all day and I'm stumped.
Does anyone have a config for ANY version of FreeRadius that works
with LDAP groups?
On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
> The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm
> trying to get authentication working so FreeRadius will authenticate a
> user ONLY if they are in a certain LDAP group. In this case that
> group is called 'it'.
>
> Where I am at now is if the user is in or out of the 'it' group the
> authentication goes through ok (depending if the password is correct,
> of course). I would like the authentication to fail if the password is
> correct BUT the user is not in a certain ('it') group.
>
> Here are my config snippets:
>
> ========= /etc/raddb/users ===========
>
>
> DEFAULT Auth-Type = LDAP
>         Fall-Through = 1
>
> DEFAULT LDAP-Group == it
>         Service-Type = Administrative-User
>
>
> ========= /etc/raddb/radiusd.conf ===========
>
> ldap {
> server = "192.168.150.140"
> identity = "uid=admin,ou=People,dc=acme,dc=com"
> password = "BadPass"
> basedn = "dc=acme,dc=com"
> filter = "(uid=%u)"
> # base_filter = "(objectclass=radiusprofile)"
>
> start_tls = no
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> access_attr = uid
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
>
> groupname_attribute = cn
> groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
> groupmembership_attribute = it
> timeout = 4
> timelimit = 3
> net_timeout = 1
> compare_check_items = yes
> # do_xlat = yes
> access_attr_used_for_allow = yes
> }
>
>
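As an added example (not from the original post), here is one way to express the intended policy in FreeRADIUS 1.x: a `users` file where the LDAP group check is a check item on the first DEFAULT entry, so that anyone who is not in the 'it' group falls to a second entry that rejects them before any password is checked. It assumes the ldap module is listed in the `authorize` section so that `Ldap-UserDn` is set when the group comparison runs, and reuses the `groupOfNames` membership filter from the post.

```text
# /etc/raddb/users  (added example, not from the original post)
#
# First DEFAULT entry: all check items on the first line must match.
# LDAP-Group is evaluated by the ldap module's compare function using
# groupmembership_filter / groupname_attribute from radiusd.conf.
# The indented lines are reply items.
DEFAULT LDAP-Group == "it", Auth-Type := LDAP
        Service-Type = Administrative-User

# Second DEFAULT entry: reached only when the entry above did not match
# (Fall-Through defaults to no), i.e. the user is not in group "it".
# Forcing Auth-Type to Reject means the password is never tried.
DEFAULT Auth-Type := Reject
        Reply-Message = "Access restricted to members of the it group"


# /etc/raddb/radiusd.conf  (only the group-related parts of the ldap
# module plus the section ordering; connection settings as in the post)
ldap {
        groupname_attribute = cn
        # Membership is resolved by searching for groups whose member
        # attribute holds the user's DN (groupOfNames, as in the post).
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
        # groupmembership_attribute names an attribute on the *user*
        # entry that lists group DNs (for example memberOf); it is not
        # the name of a group, so it is left unset here.
        # groupmembership_attribute = memberOf
}

authorize {
        preprocess
        # ldap before files: the user lookup sets Ldap-UserDn, which the
        # LDAP-Group check in the users file relies on.
        ldap
        files
}

authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```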