LDAP Groups

[Alan DeKok]

Hugh Blandford wrote:
> I have been experimenting with using FreeRADIUS and LDAP, trying to get
> some understanding of how groups are handled.

  The LDAP-Group attribute checks if the user is in a particular LDAP
group.  That's it.

> I can place an LDAP group name in the users file and then have my LDAP
> user checked against it and return the relevant attributes.

  That's how it works.

> However, I was hoping to not use the users file.  I was hoping that:
> 
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> 
> groupmembership_attribute = radiusGroupName
> 
> would mean you could add the attribute radiusGroupName to a user's entry
> and it would then look up the relevant GroupofNames and add those
> attributes to the return items.  However, when I add radiusGroupName to
> a user's entry I don't see any groupname lookups in the debug at all.

  No.  The documentation does not say it works that way.

> What I actually want to do is might not be solved best by LDAP groups. 
> Most of our customers are in different VRFs and this, the loopback
> address and DNS servers etc are returned.  Rather than store this
> information under each user I would like to have template that I refer
> to.  However, at the same time, having 50+ default entries didn't seem
> the right way to do it either.

  That's what groups are for.

  You can use "unlang" to do more complex configurations than are
allowed in the "users" file.

  Alan DEKok.