LDAP Groups

Alan DeKok aland at deployingradius.com
Tue Nov 2 04:16:59 CET 2010

Hugh Blandford wrote:
> I have been experimenting with using FreeRADIUS and LDAP, trying to get
> some understanding of how groups are handled.

  The LDAP-Group attribute checks if the user is in a particular LDAP
group.  That's it.

> I can place an LDAP group name in the users file and then have my LDAP
> user checked against it and return the relevant attributes.

  That's how it works.

> However, I was hoping to not use the users file.  I was hoping that:
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_attribute = radiusGroupName
> would mean you could add the attribute radiusGroupName to a user's entry
> and it would then look up the relevant GroupofNames and add those
> attributes to the return items.  However, when I add radiusGroupName to
> a user's entry I don't see any groupname lookups in the debug at all.

  No.  The documentation does not say it works that way.

> What I actually want to do is might not be solved best by LDAP groups. 
> Most of our customers are in different VRFs and this, the loopback
> address and DNS servers etc are returned.  Rather than store this
> information under each user I would like to have template that I refer
> to.  However, at the same time, having 50+ default entries didn't seem
> the right way to do it either.

  That's what groups are for.

  You can use "unlang" to do more complex configurations than are
allowed in the "users" file.

  Alan DEKok.

More information about the Freeradius-Users mailing list