Authenticating against LDAP, specific group

Cory Johnson cjohnson at commspeed.net
Wed Aug 4 01:27:32 CEST 2010


Greetings,

I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap 
module. I only want to authenticate users in a certain group. These 
groups exist in LDAP as a "posixGroup" with a "memberUID" list. As I 
have it configured currently, I get an "Access-Accept" for any user in 
the directory.

The ldap module is configured as such:

ldap {
     server = "192.168.1.99"
     identity = "cn=admin,dc=corp,dc=example,dc=com"
     password = s3cret
     basedn = "dc=corp,dc=example,dc=com"
     filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

     ldap_connections_number = 5

     timeout = 4

     timelimit = 3

     net_timeout = 1

     tls {
         start_tls = no
     }

     dictionary_mapping = ${confdir}/ldap.attrmap

     edir_account_policy_check = no

     groupname_attribute = cn
     groupmembership_attribute = NOC
     groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"

}

I've also seen recommendations to add something like this to the users file:
DEFAULT LDAP-Group == NOC
         Service-Type = Administrative-User

Now I can see the service-type displayed when I do a radtest using the 
username/password of users in the "NOC" group, but I still see an 
"Access-Accept" for users who are not in the group.

How can I make the server reject users that aren't in the NOC group? Any 
hints would be fantastic.
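One way to restrict access to NOC members in a setup like this, as an added example that is not from the original post or from the FreeRADIUS distribution: keep the posixGroup lookup in the ldap module and add an unlang check to the authorize section of sites-enabled/default that rejects everyone who is not in the group. It assumes FreeRADIUS 2.1.x with a single ldap module instance, and reuses the server, bind DN, base DN and group name from the post.

```text
# modules/ldap (FreeRADIUS 2.1.x): only the group-related settings are
# commented; server, identity, basedn and filter are as in the post.
ldap {
    server = "192.168.1.99"
    identity = "cn=admin,dc=corp,dc=example,dc=com"
    password = s3cret
    basedn = "dc=corp,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # A check like Ldap-Group == "NOC" searches basedn for entries that
    # match groupmembership_filter AND have groupname_attribute = NOC.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
    # groupmembership_attribute names an attribute on the *user* entry
    # (e.g. memberOf). posixGroup membership lives on the group entry,
    # so it is left unset here rather than set to the group name.
}

# sites-enabled/default, authorize section. ldap runs before the group
# test so the user's DN is already known to the module; non-members are
# rejected before any Auth-Type is reached.
authorize {
    preprocess
    ldap
    if (Ldap-Group == "NOC") {
        update reply {
            Service-Type := Administrative-User
        }
    }
    else {
        reject
    }
    # pap / chap / mschap etc. follow as in the stock configuration
}
```

A users-file entry such as `DEFAULT LDAP-Group == NOC` only adds reply attributes for members that match it; on its own it never rejects the users that do not match, which is why an explicit reject (here in unlang) is needed.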
