group search filter openLDAP

dhanushka ranasinghe parakrama1282 at gmail.com
Sun Mar 25 08:35:13 CEST 2012


Hi..

As you mentioned, I was able to get that LDAP group to work. I added two
additional entries in the /etc/freeradius/user file to filter the users;
these are:



DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
 Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


Then I faced a much bigger issue: FreeRADIUS started to ignore the LDAP
userPassword. Even though I typed a wrong password, FreeRADIUS was
granting access.

Hi guys, is there any way to solve this issue?

Thank You
Dhanushka


On 24 March 2012 17:35, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
>>
>> Hi guys,
>>
>> I'm using FreeRADIUS with LDAP, and its authentication works fine when
>> I use the following configuration.
>>
>>        server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> But then I created the LDAP group and added the members to it,
>>
>> eg :
>>
>> dn: cn=people,ou=users,dc=home,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: wso2
>> member: uid=userone,ou=user,dc=home,dc=com
>> member: uid=usertwo,ou=user,dc=home,dc=com
>>
>> then I changed my ldap config as follows,
>>
>>         server = "ldap.home.com"
>>         identity = "cn=admin,dc=home,dc=com"
>>         password = home
>>         basedn = "cn=people,ou=users,dc=home,dc=com"
>>         filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>>         base_filter = "(objectclass=radiusprofile)"
>>         access_attr = "uid"
>>         authtype = ldap
>>
>> but this method is not working; the radius debug output says the user
>> cannot be searched within that group.
>>
>> Is there any particular search method that I need to use? What can
>> I do to sort out this problem?
>
>
> This is all completely wrong. You have told the LDAP module to search for
> all objects, including users, starting from the DN of the group you have
> created.
>
> Set your LDAP back how it was, then uncomment the "groupmembership_filter"
> and "groupname_attribute" in the "ldap" module config that comes with the
> server by default. It should just work.
>
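The two-step fix Phil describes, written out as an added example (this is not configuration posted by anyone in the thread): the ldap module goes back to searching the user container, with the stock group-membership settings from the FreeRADIUS 2.x raddb/modules/ldap file uncommented, and the users file rejects non-members instead of accepting members. `Auth-Type := Accept` is exactly why the password stopped mattering: it tells the server to skip the authenticate section, so the bind against userPassword never happens. The DNs below are taken from the thread; note two caveats a practitioner should check before trusting the result. In the LDIF as posted the group entry's RDN is cn=people but its cn attribute is wso2 (OpenLDAP rejects an entry whose naming attribute value is absent), and the member DNs say ou=user while the users live under ou=users, so the membership filter, which compares the group's member attribute against the DN the module actually found for the user, only matches once those agree.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x)
# User search goes back to the user container, as in the first working
# configuration; group lookups are delegated to the module.
ldap {
        server = "ldap.home.com"
        identity = "cn=admin,dc=home,dc=com"
        password = home
        basedn = "ou=users,dc=home,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"

        # Stock 2.x group settings, uncommented. The filter finds groups whose
        # member (groupOfNames) or uniqueMember (groupOfUniqueNames) attribute
        # holds the DN the module found for the user in the search above.
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}

# raddb/users
#
# WRONG (the entries from the thread): Auth-Type := Accept bypasses
# authentication entirely, so any password is accepted for a group member.
#
#   DEFAULT Ldap-Group == "cn=people,ou=users,dc=home,dc=com", Auth-Type := Accept
#           Reply-Message = "You are Accepted"
#   DEFAULT Auth-Type := Reject
#
# CORRECT: reject non-members and leave Auth-Type alone for members, so the
# ldap module still sets Auth-Type = LDAP and the authenticate section binds
# to the directory as the user with the password the client supplied.
DEFAULT Ldap-Group != "cn=people,ou=users,dc=home,dc=com", Auth-Type := Reject
        Reply-Message = "Not a member of the permitted group"
```

To confirm the password is actually being checked again, run the server in debug mode (`radiusd -X`) and send three requests with radtest: a member with a wrong password (`radtest userone wrongpass localhost 0 testing123`, expect Access-Reject with the ldap bind failing in the debug output), the same member with the right password (expect Access-Accept), and a user who is not in the group (expect Access-Reject carrying the Reply-Message above). The wrong-password case is the one that regresses silently, so it is the one to keep in any change test.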