Radius authentication against LDAP question

g17jimmy g17jimmy at gmail.com
Thu May 31 22:27:51 CEST 2012

Nick- I have found that we can use any attribute for the access, but I'm
trying to expand our use of radius for another type of user login. In this
case I've created an LDAP group for the new user role and have created a new
radius virtual server to service the specific authentication and accounting.
I have added the group membership checking to the ldap module, and set
thefilter for posixGroup. The meaningful config changes and output are

===============/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

DEFAULT   LDAP-Group!="newgroup", Auth-Type:=Reject
   Reply-Message="You are not allowed to connect"
===============radiusd -X (excerpt)
[files]         expand: (&(objectclass=posixGroup)(memberUid=%u)) ->
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===============ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 895800006
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713481.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

More information about the Freeradius-Users mailing list