Group checking in ldap authorization
Alan DeKok
aland at deployingradius.com
Wed Mar 23 09:14:02 CET 2011
Robert Roll wrote:
> The below is out of the .../share/doc/freeradius/rlm_ldap
>
> Note that it shows the Ldap_Group variable being set in the users file, but
> I'm assuming it should not really matter where it gets set ?
>
> DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com"

No. See the "man users" page. The above example *compares* the
LDAP-Group.

> Note, I do not want to test for Ldap_Group, I want to be able to actually
> set it so it is used within the ldap module ?

You can't set it. It's intended to *check* if a user is a member of a
particular LDAP group.

Why would you want to set it? You don't have write access to LDAP, to
set the group for a user?

If you need a temporary place to store a value, don't use LDAP-Group.
Use a locally-defined attribute. See raddb/dictionary for documentation.

Alan DeKok.