unlang post-auth group-name
Phil Mayers
p.mayers at imperial.ac.uk
Mon Sep 27 14:44:25 CEST 2010
On 27/09/10 11:44, Cameron Wood wrote:
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
> groupmembership_attribute = radiusGroupName
>
>
> Attached is a debug log of my logon attempts with these settings, which
> still fails unfortunately.
The filter is invalid. You're missing a trailing ")" which is easily
done in the stupid LDAP filter syntax.
>
>
> If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
> queries, even if nssswitch is setup for it.
>
>
> Noted, are you able to elaborate on why this is the case though, just
> like to understand, only if it's not too much trouble though.
Two main reasons: firstly, doing the LDAP lookups indirectly via
rlm_unix is difficult to debug (as we are finding).
Secondly, doing the LDAP lookups directly gives you a more rich
interface to the underlying LDAP data. Doing it via rlm_unix limits you
to schema elements present in the posix LDAP schema and get*ent calls.
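Added illustration (not part of the original thread, and not FreeRADIUS or rlm_ldap code): a small structural checker for RFC 4515 search filters that reports exactly the kind of dropped ")" Phil points out. It parses the filter as a tree of parenthesised components, treats FreeRADIUS %{...} expansions as opaque text (they are expanded before the query reaches LDAP), and honours RFC 4515 backslash-hex escapes such as \29 for a literal ")" inside a value. The broken filter below is the one from Cameron's configuration; the "fixed" one is the assumed correction with the missing trailing ")" appended.

```python
"""Structural validator for RFC 4515 LDAP search filters (added example).

A hand-written groupmembership_filter that is missing one ')' is accepted
by the config parser but rejected by the LDAP server; this checker finds
the problem before the filter ever reaches the directory.
"""


class LdapFilterError(ValueError):
    """Raised with the offset at which the filter stops making sense."""


def _parse_filter(s, i):
    """Parse one '(' ... ')' filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != '(':
        raise LdapFilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise LdapFilterError(f"unexpected end of filter at offset {i}")
    c = s[i]
    if c in '&|':
        # and/or: RFC 4515 requires at least one nested filter
        i += 1
        if i >= len(s) or s[i] != '(':
            raise LdapFilterError(f"'{c}' needs a nested filter at offset {i}")
        while i < len(s) and s[i] == '(':
            i = _parse_filter(s, i)
    elif c == '!':
        # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:
        # simple item: attr=value, value runs until an unescaped ')'
        j = i
        while j < len(s) and s[j] != ')':
            if s[j] == '\\':
                j += 3  # backslash plus two hex digits, e.g. \29 for ')'
            else:
                j += 1
        item = s[i:j]
        if '=' not in item:
            raise LdapFilterError(f"item without '=' at offset {i}: {item!r}")
        i = j
    if i >= len(s):
        raise LdapFilterError(f"expected ')' at offset {i}, got end of filter")
    if s[i] != ')':
        raise LdapFilterError(f"expected ')' at offset {i}, got {s[i]!r}")
    return i + 1


def check_filter(s):
    """Return (True, '') for a well-formed filter, else (False, reason)."""
    try:
        end = _parse_filter(s, 0)
    except LdapFilterError as e:
        return False, str(e)
    if end != len(s):
        return False, f"trailing data after filter at offset {end}: {s[end:]!r}"
    return True, ''


# Filter as posted in the thread (one ')' short) and the assumed correction.
BROKEN = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
          "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))")
FIXED = BROKEN + ")"

if __name__ == "__main__":
    for label, flt in (("broken", BROKEN), ("fixed", FIXED)):
        ok, reason = check_filter(flt)
        print(f"{label}: {'OK' if ok else 'INVALID: ' + reason}")
```

Running the block prints an "expected ')' ... got end of filter" diagnosis for the posted filter and OK for the corrected one; the same function can be pointed at any filter string pulled out of an rlm_ldap module configuration before restarting the server.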