group authorization and ldap

Brendan Kearney bpk678 at
Tue Jul 9 02:34:03 CEST 2013

list members,

i am working on having radius perform authorization based on group
membership in ldap.  i am able to authenticate the user using the
kerberos module, and can attach to ldap using the ldap module.  what i
would like to do is have a group in ldap that provides a radiusReplyItem
value, instead of having the radiusReplyItem as a users attribute.
effectively what i am attempting to accomplish is: by placing a user in
the group, the authorization string provided in the radiusReplyItem
would be given to hosts, removing the need to supply the radiusReplyItem
on a per-user basis.

i have found this write up:
but it does not work.  i am using freeradius v 2.2.0 on fedora 16, with
openldap 2.4.26 and kerberos5 1.9.4.  the device pointing at radius is a
cisco sg300-28.  i am able to sign in right now, pointing at kerberos
for auth, and providing the authorization string out of my user object
in ldap.  any pointers towards how i can accomplish this would be

thanks in advance,


More information about the Freeradius-Users mailing list