Radius authentication against LDAP question

g17jimmy g17jimmy at gmail.com
Thu May 31 22:27:51 CEST 2012


Nick- I have found that we can use any attribute for the access, but I'm
trying to expand our use of radius for another type of user login. In this
case I've created an LDAP group for the new user role and have created a new
radius virtual server to service the specific authentication and accounting.
I have added the group membership checking to the ldap module, and set
the filter for posixGroup. The meaningful config changes and output are
below-

===============/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

===============/etc/raddb/users
DEFAULT   LDAP-Group!="newgroup", Auth-Type:=Reject
   Reply-Message="You are not allowed to connect"
 
===============radiusd -X (excerpt)
[files]         expand: (&(objectclass=posixGroup)(memberUid=%u)) ->
(&(objectclass=posixGroup)(memberUid=newhuser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter
(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===============ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 895800006
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713481.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
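As an added illustration (not code from the post, and not FreeRADIUS or its rlm_ldap module), the small evaluator below applies the expanded filter shown in the radiusd -X output to a constructed copy of the group entry from the ldapsearch output, the way the directory server evaluates it. It makes visible why the search returns "object not found": the entry carries `member:` values holding user DNs and has no `memberUid` attribute at all, so `(memberUid=newuser)` can never match, even though the `objectclass=posixGroup` part does (objectClass values compare case-insensitively). The `parse_filter`/`evaluate` helpers, the single-entry LDIF parser, and the simplified matching rules (exact comparison for everything except objectClass) are my assumptions; the DN-keyed filter used in the usage function is one alternative shape for a groupOfNames entry, not something the post states was tried.

```python
"""Tiny RFC 4515 filter evaluator (added example, not FreeRADIUS code).

Supports (&...), (|...), (!...) and simple (attr=value) assertions, which is
all the expanded filter in the post uses.  Attribute names and objectClass
values compare case-insensitively as in LDAP; other values compare exactly,
a simplification of per-attribute matching rules.
"""
import re

# Constructed copy (trimmed) of the ldapsearch output from the post.
GROUP_LDIF = """\
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
cn: newgroup
gidNumber: 895800006
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz
"""

# Filters: the first is the expanded one from the debug output; the second is an
# assumed DN-keyed alternative matching the entry's actual attributes.
POSTED_FILTER = "(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))"
DN_FILTER = ("(&(cn=newgroup)(&(objectClass=groupOfNames)"
             "(member=uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz)))")


def parse_ldif(text):
    """Return {attr_lower: [values]} for one LDIF entry (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_filter(text):
    """Parse a filter string into a tree of ('&'|'|'|'!', kids) / ('=', attr, value)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:]
    if s and s[0] in "&|!":
        op, s = s[0], s[1:]
        kids = []
        while s.startswith("("):          # nested components until the closing ')'
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated %r filter" % op)
        return (op, kids), s[1:]
    m = re.match(r"([A-Za-z][\w.;-]*)=([^)]*)\)", s)  # value may itself contain '='
    if not m:
        raise ValueError("bad simple filter at %r" % s[:20])
    return ("=", m.group(1), m.group(2)), s[m.end():]


def evaluate(node, entry):
    """Evaluate a parsed filter against a parsed entry; True if the entry matches."""
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    attr, want = node[1].lower(), node[2]
    values = entry.get(attr, [])            # absent attribute -> never matches
    if attr == "objectclass":
        return want.lower() in (v.lower() for v in values)
    return want in values


def group_matches(filter_str, ldif=GROUP_LDIF):
    """Would a search with this filter return the group entry?"""
    return evaluate(parse_filter(filter_str), parse_ldif(ldif))


def has_attribute(attr, ldif=GROUP_LDIF):
    """Does the entry carry the attribute the filter is keyed on?"""
    return attr.lower() in parse_ldif(ldif)


if __name__ == "__main__":
    print("posted filter matches:", group_matches(POSTED_FILTER))   # False
    print("entry has memberUid:  ", has_attribute("memberUid"))      # False
    print("DN-keyed filter matches:", group_matches(DN_FILTER))      # True
```

The useful diagnostic habit this encodes: when rlm_ldap reports "Group ... not found or user is not a member", compare the attribute the expanded filter is keyed on (here `memberUid`) with the attributes the group entry actually carries (here `member` holding DNs), rather than assuming the group itself is missing.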