LDAP groups and profiles

Chris Taylor Chris.Taylor at corp.eastlink.ca
Tue Feb 5 16:50:03 CET 2013


Alan, I tried the setup that you suggested, but it just threw an error at me.

I added this to the users file:

DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile

But I get this error when I fire up radius -X:


/etc/raddb/users[222]: Parse error (check) for entry DEFAULT: expecting operator
Errors reading /etc/raddb/users


Thanks,

Chris
-----Original Message-----
From: freeradius-users-bounces+chris.taylor=corp.eastlink.ca at lists.freeradius.org [mailto:freeradius-users-bounces+chris.taylor=corp.eastlink.ca at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, February 04, 2013 3:51 PM
To: FreeRadius users mailing list
Subject: Re: LDAP groups and profiles

Chris Taylor wrote:
> I have RADIUS running with multiple realms and multiple LDAP back ends
> that store all my user attributes. I am trying to apply different
> user profiles to different groups. What I did was set up the profile in
> the USERS file, add the group attributes to the ldap config file, and
> on the user’s LDAP account I added the attribute radiusGroupName with
> the value “residential_profile”, but I can’t seem to get it to work correctly.

  The debug output is pretty clear.  It does an LDAP search, and the object isn't found.

  Make sure that (a) the object is in LDAP, and (b) you've configured FreeRADIUS to do the right LDAP search.

> It
> doesn’t seem to query the correct backend.

  For backend-specific queries, prefix the LDAP-Group with the backend name:

> ldap ldap2.REALM-2.ca { 
>         basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"

  To query this backend, use "ldap2.REALM-2.ca-LDAP-Group == ..."

  Alan DeKok.
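
A cross-check for the backend-prefix advice in the quoted reply, added here as an example and not part of the original messages: it lists the ldap instances declared in the module configuration and flags any instance-prefixed LDAP-Group check item in the users file whose prefix is not one of them. The function names and the sample inputs are assumptions constructed for illustration, and the script does not parse the full FreeRADIUS configuration grammar.

```python
import re

# Constructed sample inputs. The module config holds only the instance
# quoted in the thread; a real deployment may declare more instances.
MODULE_CONF = """\
ldap ldap2.REALM-2.ca {
        basedn = "ou=radius,o=REALM-2.ca,dc=container,dc=ca"
}
"""
# Line 2 is the entry from the thread; lines 3 and 4 are constructed.
USERS_FILE = """\
# group-based profiles
DEFAULT ldap1.REALM-2.ca-Ldap-Group == residential_profile
DEFAULT ldap2.REALM-2.ca-LDAP-Group == "business_profile"
DEFAULT LDAP-Group == "staff"
"""

INSTANCE_RE = re.compile(r'^\s*ldap\s+(\S+)\s*\{', re.M)
# The suffix is matched case-insensitively because the thread writes it
# both as -LDAP-Group and -Ldap-Group; instance names are compared exactly.
GROUP_RE = re.compile(r'(\S+)-LDAP-Group\b', re.I)


def ldap_instances(conf_text):
    """Return the names of instances declared as 'ldap <name> {'."""
    return {m.group(1) for m in INSTANCE_RE.finditer(conf_text)}


def undeclared_group_refs(users_text, instances):
    """Return (line_no, prefix) for every <prefix>-LDAP-Group item
    whose prefix is not a declared ldap instance name."""
    findings = []
    for line_no, line in enumerate(users_text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # skip comment lines
        for m in GROUP_RE.finditer(line):
            if m.group(1) not in instances:
                findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    declared = ldap_instances(MODULE_CONF)
    print("declared ldap instances:", sorted(declared))
    for line_no, prefix in undeclared_group_refs(USERS_FILE, declared):
        print(f"users[{line_no}]: no 'ldap {prefix} {{' instance declared")
```

Run against the real module configuration and users file, an empty result means every prefixed group check names a declared instance.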