LDAP Groups
Hugh Blandford
hugh at island.net.au
Tue Nov 2 02:10:30 CET 2010
Dear All,
I have been experimenting with using FreeRADIUS and LDAP, trying to get
some understanding of how groups are handled.
I have left things in the configuration files mostly as standard, except
uncommenting the LDAP sections but am obviously not understanding how
things are supposed to work.
I can place an LDAP group name in the users file and then have my LDAP
user checked against it and return the relevant attributes.
e.g. (following someone's helpful example)

DEFAULT Ldap-Group == flat10000, User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = yes

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk.",
        Fall-Through = no
However, I was hoping to not use the users file. I was hoping that:
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
would mean you could add the attribute radiusGroupName to a user's entry
and it would then look up the relevant GroupofNames and add those
attributes to the return items. However, when I add radiusGroupName to
a user's entry I don't see any groupname lookups in the debug at all.
Sorry if I have failed to understand something basic.
What I actually want to do might not be solved best by LDAP groups.
Most of our customers are in different VRFs and this, the loopback
address and DNS servers etc. are returned. Rather than store this
information under each user I would like to have a template that I refer
to. However, at the same time, having 50+ default entries didn't seem
the right way to do it either.
Thanks for your patience.
Hugh Blandford
--
Hugh Blandford
Island Internet
ph 1300 130 428
mb 0412 016 875
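As an added example (not from the original post and not FreeRADIUS project code): a small Python model of the two lookups the posted ldap configuration describes. It evaluates the groupmembership_filter from the post against a constructed in-memory directory (the entries, DNs, constants and helper names are assumptions), and separately reads the groupmembership_attribute from the user's own entry, so the two paths can be compared side by side. Attribute names and values are compared case-insensitively, a simplification of LDAP matching rules, and the substituted DN is escaped per RFC 4515 so a DN containing filter metacharacters cannot change the filter's structure. When rlm_ldap actually runs these searches during a request is not modelled here.

```python
"""Model of rlm_ldap-style group lookups: filter search vs. attribute on the user entry."""
import re

# Values taken from the posted configuration.
GROUPNAME_ATTRIBUTE = "cn"
GROUPMEMBERSHIP_ATTRIBUTE = "radiusGroupName"
GROUP_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
)

# Constructed sample directory (assumed DNs; not from any real server).
ALICE_DN = "uid=alice,ou=people,dc=example,dc=org"
BOB_DN = "uid=bob,ou=people,dc=example,dc=org"
DIRECTORY = {
    ALICE_DN: {
        "objectClass": ["inetOrgPerson", "radiusprofile"],
        "uid": ["alice"],
        "radiusGroupName": ["flat10000"],   # groupmembership_attribute path
    },
    BOB_DN: {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
    },
    "cn=flat10000,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "cn": ["flat10000"],
        "member": [ALICE_DN, BOB_DN],
    },
    "cn=disabled,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["disabled"],
        "uniqueMember": [BOB_DN],
    },
}


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a substituted value stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    """Reverse RFC 4515 \\xx hex escapes inside an assertion value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand(filter_text, user_dn):
    """Substitute %{Ldap-UserDn} with the escaped DN, as a server would before searching."""
    return filter_text.replace("%{Ldap-UserDn}", ldap_escape(user_dn))


def parse_filter(text):
    """Parse a filter supporting &, |, ! and equality into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, pos))
        return (op, children), pos + 1
    if op == "!":
        child, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated ! at offset %d" % pos)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip(), _unescape(value)), end + 1


def entry_values(entry, attr):
    """Case-insensitive attribute lookup on one entry (simplified LDAP semantics)."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []


def match(node, entry):
    """Evaluate a parsed filter tree against one entry."""
    kind = node[0]
    if kind == "&":
        return all(match(c, entry) for c in node[1])
    if kind == "|":
        return any(match(c, entry) for c in node[1])
    if kind == "!":
        return not match(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry_values(entry, attr))


def groups_by_filter(directory, user_dn):
    """Group names found by searching group entries with groupmembership_filter."""
    tree = parse_filter(expand(GROUP_FILTER, user_dn))
    names = []
    for entry in directory.values():
        if match(tree, entry):
            names.extend(entry_values(entry, GROUPNAME_ATTRIBUTE))
    return sorted(names)


def groups_by_attribute(directory, user_dn):
    """Group names read directly from groupmembership_attribute on the user's entry."""
    entry = directory.get(user_dn)
    return sorted(entry_values(entry, GROUPMEMBERSHIP_ATTRIBUTE)) if entry else []


if __name__ == "__main__":
    for dn in (ALICE_DN, BOB_DN):
        print(dn, "filter:", groups_by_filter(DIRECTORY, dn),
              "attribute:", groups_by_attribute(DIRECTORY, dn))
```

Running it shows that the two mechanisms are independent: bob is in both groups via the group entries but carries no radiusGroupName, while alice carries the attribute and is also found by the filter. That independence is worth keeping in mind when deciding which of the two to rely on for check items such as Ldap-Group.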