Howto group Users authenticated with ldap
Mischa Diehm
mischa.diehm at unibas.ch
Mon Mar 17 14:46:02 CET 2014
Hi,
I had accidentally sent this mail only to Alan...
thanks for your quick reply - really appreciate the great work around
freeradius.
I'm still not getting things the way I'd like to so I thought I'd ask:
I extended dictionary:
# for local group definitions to work (rlm_passwd)
ATTRIBUTE My-Group 3000 string
added the rlm_passwd (btw. there is a small typo in rlm_files in the
Description section when referencing rlm_passwd (it says rlm_passed)) to
radiusd.conf
passwd groups {
    filename = /etc/raddb/groups
    format = "My-Group:*,User-Name"
    hashsize = 50
    ignorenislike = yes
    allowmultiplekeys = yes
    delimiter = ":"
}
I set up the groups file:
testop:diehm-adm
and it actually does get added. From debug output:
Mon Mar 17 09:02:05 2014 : Info: [groups] Added My-Group: 'testop' to config_items
my problem is this Attribute seems not to match in the users file where I
have this line:
DEFAULT Auth-Type := LDAP, My-Group == testop, Huntgroup-Name == cyclades
    Service-Type = Administrative-User,
    Framed-Filter-Id = ":group_name=admin;",
from the -X debug output:
Mon Mar 17 14:42:34 2014 : Info: [groups] Added My-Group: 'testop' to config_items
but files says:
Mon Mar 17 14:42:34 2014 : Info: [files] users: Matched entry DEFAULT at line 181
Mon Mar 17 14:42:34 2014 : Info: ++[files] returns ok
line 181 is the default reject entry.
# On no match, the user is denied access.
DEFAULT Auth-Type := Reject
    Reply-Message = "Your account has been disabled for this operation."
I thought that being added to config_items means that I can actually check
against this value? Any hints?
Thanks in advance,
Mischa
--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 2273 | http://urz.unibas.ch
--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 1574 | http://urz.unibas.ch
On 15.03.14 13:59, "Alan DeKok" <aland at deployingradius.com> wrote:
> Mischa Diehm wrote:
>> we are authenticating users via ldap but don't have group attributes in
>> ldap. Is there a way to define groups within radius itself so that I can
>> actually use these groups in the users file like:
>
> Yes. See "man rlm_passwd". It gives detailed instructions for
> configuring groups.
>
> Alan DeKok.
>
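An added example (not part of the original post and not FreeRADIUS code): a small Python model of how the `format`, `delimiter`, `ignorenislike` and `allowmultiplekeys` settings quoted above turn a groups-file line into attributes, and which list each attribute lands in. The `=` and `~` field prefixes follow the rlm_passwd documentation; the function names and the extra file lines are constructed for illustration.

```python
# Added example: a model of rlm_passwd's format handling, not FreeRADIUS code.
FORMAT = "My-Group:*,User-Name"       # format string from the post
GROUPS_FILE = "testop:diehm-adm\n"    # groups file line from the post
# Constructed extra lines: a second group, a second user, a NIS-style entry.
SAMPLE = GROUPS_FILE + "netops:diehm-adm,alice\n+nisgroup\n"
# Field prefixes per the rlm_passwd documentation; no prefix means config_items.
LISTS = {"=": "reply_items", "~": "request_items"}

def parse_format(fmt, delim=":"):
    """Return (fields, key_index); each field is (name, listable, target_list)."""
    fields, key = [], None
    for i, spec in enumerate(fmt.split(delim)):
        if spec.startswith("*"):          # '*' marks the lookup key field
            key, spec = i, spec[1:]
        listable = spec.startswith(",")   # ',' marks a comma-separated list
        if listable:
            spec = spec[1:]
        target = LISTS.get(spec[:1], "config_items")
        if spec[:1] in LISTS:
            spec = spec[1:]
        fields.append((spec, listable, target))
    if key is None:
        raise ValueError("format has no key field marked with '*'")
    return fields, key

def lookup(text, user, fmt=FORMAT, delim=":",
           ignore_nislike=True, allow_multiple_keys=True):
    """Return [(target_list, attribute, value)] that a lookup for `user` adds."""
    fields, key = parse_format(fmt, delim)
    added = []
    for line in text.splitlines():
        # NIS-style records are treated here as lines starting with '+' or '-'.
        if not line or (ignore_nislike and line[0] in "+-"):
            continue
        values = line.split(delim)
        if len(values) <= key:
            continue
        keys = values[key].split(",") if fields[key][1] else [values[key]]
        if user not in keys:
            continue
        for i, (name, _, target) in enumerate(fields):
            if i != key and name and i < len(values):
                added.append((target, name, values[i]))
        if not allow_multiple_keys:       # stop at the first matching record
            break
    return added

if __name__ == "__main__":
    for target, name, value in lookup(SAMPLE, "diehm-adm"):
        print(f"Added {name}: '{value}' to {target}")
```
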