[Patch] rlm_ldap: Allow users to match more than one group
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jan 11 14:06:05 CET 2012
On 11/01/12 11:41, Graham Leggett wrote:
> Hi all,
>
> If you set up groups in the rlm_ldap module, and a user is found to
> match more than one group, that user is currently denied access.

I'm not sure I understand the circumstances in which this occurs. Can
you give an example of it failing?

rlm_ldap takes the "groupmembership_filter" you give it, and then ANDs
it with groupname=value, like so:

    final_filter = sprintf("(&(%s=%s)%s)",
                           groupname_attr,
                           groupname,
                           groupmembership_filter
    )

This query will end up looking something like this:

    (&(cn=TheGroup)(|(member=<LDAP DN>)(uniquemember=<LDAP DN>)))

...and should never return >1 hit.