LDAP Groups

Hugh Blandford hugh at island.net.au
Tue Nov 2 02:10:30 CET 2010

Dear All,

I have been experimenting with using FreeRADIUS and LDAP, trying to get 
some understanding of how groups are handled.

I have left things in the configuration files mostly as standard, except 
uncommenting the LDAP sections but am obviously not understanding how 
things are supposed to work.

I can place an LDAP group name in the users file and then have my LDAP 
user checked against it and return the relevant attributes.

eg   (following someone's helpful example)

DEFAULT        Ldap-Group == flat10000, User-Profile := 
                        Fall-Through = yes

DEFAULT        Ldap-Group == disabled, Auth-Type := Reject
                       Reply-Message = "Account disabled.  Please call 
the helpdesk.",
                       Fall-Through = no

However, I was hoping to not use the users file.  I was hoping that:

groupname_attribute = cn
groupmembership_filter = 
groupmembership_attribute = radiusGroupName

would mean you could add the attribute radiusGroupName to a user's entry 
and it would then look up the relevant GroupofNames and add those 
attributes to the return items.  However, when I add radiusGroupName to 
a user's entry I don't see any groupname lookups in the debug at all.

Sorry if I have failed to understand something basic.

What I actually want to do is might not be solved best by LDAP groups.  
Most of our customers are in different VRFs and this, the loopback 
address and DNS servers etc are returned.  Rather than store this 
information under each user I would like to have template that I refer 
to.  However, at the same time, having 50+ default entries didn't seem 
the right way to do it either.

Thanks for your patience.

Hugh Blandford

Hugh Blandford
Island Internet
ph 1300 130 428
mb 0412 016 875

More information about the Freeradius-Users mailing list