Group checking in ldap authorization
Robert Roll
Robert.Roll at utah.edu
Tue Mar 22 15:24:11 CET 2011
I have an ldap module that I want to force to do group checking.
Reading the documentation, it seems that there should be an attribute (I'm assuming control?)
that should force that check? i.e. instance-name-Ldap-Group ..
I notice that the ldap module seems to have group checking disabled by default. I thought
that uncommenting the group config below should enable it?
#
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = radiusGroupName
Below is what I have in my authorization section. I
update control {
    ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
}
ldapADut {
    notfound = reject
}
Looking at the debug, it seems that there is no attempt to actually do any group checking?
What am I doing wrong?
Thanks,
Robert