Radius authentication against LDAP question

g17jimmy g17jimmy at gmail.com
Fri Jun 1 16:47:34 CEST 2012


One question relating to this is about the /etc/raddb/users file: it doesn't
seem to work as documented. If I have a group set to be rejected based
on its membership like this:

DEFAULT   Group="disabled", Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get
directed to check membership is with a negative check (!=):

DEFAULT   LDAP-Group!="newgroup", Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user
"newuser" as a member of "newgroup":

performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that
the user is a member:

# LDAPv3
# base <cn=accounts,dc=abc,dc=xyz> with scope subtree
# filter: (&(cn=newgroup))
# requesting: ALL
#

# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapsergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: switch administrators
gidNumber: 895800006
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

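Added example (not part of the original post): a small LDAP filter evaluator run against the group entry from the ldapsearch output above. It shows why the filter the server logged can never match that entry (the entry has no memberOf attribute, and no single entry carries both cn=newgroup and uid=newuser), and that a filter testing the group's member attribute against the user's DN does match. The "member" filter is my assumption of what would match this entry, not a filter from the post; the evaluator supports only & and = and is a simplification of real LDAP matching rules.

```python
"""Evaluate simple LDAP filters against an LDIF entry (toy evaluator, & and = only)."""

# Constructed copy of the group entry from the ldapsearch output in the post.
GROUP_LDIF = """\
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
cn: newgroup
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
"""

# The filter FreeRADIUS logged in the post (group-name term ANDed with the membership filter).
LOGGED_FILTER = ('(&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")'
                 '(uid=newuser)))')
# Assumed alternative: test the group's member attribute against the user's DN.
MEMBER_FILTER = '(&(cn=newgroup)(member=uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz))'


def parse_ldif(text):
    """Return one entry as {attribute (lowercased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(text):
    """Parse (&(a=b)(c=d)) / (a=b) into ('&', [children]) or ('=', attr, value)."""
    body = text.strip()[1:-1]
    if body.startswith("&"):
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return ("&", children)
    attr, _, value = body.partition("=")  # split at the first '=' only
    return ("=", attr.lower(), value)


def matches(entry, node):
    """True if the entry satisfies the filter; values compared case-insensitively."""
    if node[0] == "&":
        return all(matches(entry, child) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def group_matches(filter_text, ldif=GROUP_LDIF):
    """Does the given filter select the group entry above?"""
    return matches(parse_ldif(ldif), parse_filter(filter_text))
```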

