[Patch] rlm_ldap: Allow users to match more than one group

Phil Mayers p.mayers at imperial.ac.uk
Wed Jan 11 14:06:05 CET 2012


On 11/01/12 11:41, Graham Leggett wrote:
> Hi all,
>
> If you set up groups in the rlm_ldap module, and a user is found to
> match more than one group, that user is currently denied access.

I'm not sure I understand the circumstances in which this occurs. Can 
you give an example of it failing?

rlm_ldap takes the "groupmembership_filter" you give it, and then ANDs 
it with groupname=value, like so:

/* group-name equality ANDed with the configured membership filter */
final_filter = sprintf("(&(%s=%s)%s)",
   groupname_attr,
   groupname,
   groupmembership_filter
)

This query will end up looking something like this:

(&(cn=TheGroup)(|(member=<LDAP DN>)(uniquemember=<LDAP DN>)))

...and should never return >1 hit.
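As an added illustration of the filter construction described above (this is example code, not rlm_ldap's own), the function below ANDs the group-name equality with the membership filter and escapes the interpolated values per RFC 4515, so a group name or DN containing filter metacharacters cannot change the query's structure. The `%{dn}` placeholder for the user's DN is an assumption of this example, not rlm_ldap's real syntax.

```python
# Added example, not code from rlm_ldap or the original message.

def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        # '*', '(', ')', '\' and NUL would otherwise alter filter structure
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_group_filter(groupname_attr: str, groupname: str,
                       groupmembership_filter: str, user_dn: str) -> str:
    """Build (&(<attr>=<group>)<membership_filter>) as the message describes.

    groupmembership_filter is assumed to carry a hypothetical '%{dn}'
    placeholder that is replaced with the (escaped) user DN.
    """
    membership = groupmembership_filter.replace('%{dn}', ldap_filter_escape(user_dn))
    return '(&(%s=%s)%s)' % (groupname_attr, ldap_filter_escape(groupname), membership)


if __name__ == '__main__':
    # Constructed sample values mirroring the query shape in the message.
    print(build_group_filter('cn', 'TheGroup',
                             '(|(member=%{dn})(uniquemember=%{dn}))',
                             'uid=bob,ou=people,dc=example,dc=com'))
```

Because the filter is anchored on a single group-name equality, the directory returns at most one entry per group check, which is the point made above.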


