group authorization and ldap
Brendan Kearney
bpk678 at gmail.com
Tue Jul 9 02:34:03 CEST 2013
list members,

i am working on having radius perform authorization based on group
membership in ldap. i am able to authenticate the user using the
kerberos module, and can attach to ldap using the ldap module. what i
would like to do is have a group in ldap that provides a radiusReplyItem
value, instead of having the radiusReplyItem as a user's attribute.
effectively what i am attempting to accomplish is: by placing a user in
the group, the authorization string provided in the radiusReplyItem
would be given to hosts, removing the need to supply the radiusReplyItem
on a per-user basis.

i have found this write-up:
http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap
but it does not work. i am using freeradius v 2.2.0 on fedora 16, with
openldap 2.4.26 and kerberos5 1.9.4. the device pointing at radius is a
cisco sg300-28. i am able to sign in right now, pointing at kerberos
for auth, and providing the authorization string out of my user object
in ldap. any pointers towards how i can accomplish this would be
appreciated.

thanks in advance,
brendan