Freeradius 1.X.X and LDAP groups.

Alan DeKok aland at
Thu Sep 10 10:12:58 CEST 2009

Michael March wrote:
> I've been playing around with this all day and I'm stumped.

  Please read the "man" page for the "users" file.

> Does anyone have a config for ANY version of FreeRadius that works
> with LDAP groups?


> On Tue, Sep 8, 2009 at 11:17 PM, Michael March wrote:
>> The scoop is I'm using Freeradius 1.1.3 under RHEL/Centos 5.2 and I'm
>> trying to get authentication working so FreeRadius will authenticate a
>> user OLNY if they are in a certain LDAP group.. In this case that
>> group is called 'it'.

  That's simple enough.

>> DEFAULT Auth-Type = LDAP
>>         Fall-Through = 1
>> DEFAULT LDAP-Group == it
>>         Service-Type = Administrative-User

  That configuration does NOT match your requirements.  It:

   a) sets authentication to LDAP
   b) adds Service-Type... for users in the "it" LDAP group

  It's really that simple.

  What you want is:

   a) for users in "it" group, set LDAP authentication
   b) reject everyone else

  i.e. For (a), put the configuration in ONE entry in the "users" file.

DEFAULT  LDAP-Group == "it", Auth-Type = LDAP

DEFAULT	Auth-Type := Reject

  Alan DeKok.

More information about the Freeradius-Users mailing list