group authorization

Brendan Kearney bpk678 at gmail.com
Wed Mar 26 00:34:39 CET 2014


On Tue, 2014-03-25 at 15:46 -0400, Alan DeKok wrote:
> Brendan Kearney wrote:
> > i want to have the radiusReplyItem given in a reply when the user is a
> > member of a specific group in ldap, but i seem to be having trouble with
> > that.  it seems that when the ldap query is made for the group
> > membership, the "short" version of the uid (uid=brendan) is being used
> > and not matching.  the actual member "value" in the group is the "long"
> > version of the uid (uid=brendan,ou=Users,dc=bpk2,dc=com).  is there
> > something i can do to use the "long" version?
> 
>   Edit raddb/modules/ldap to use the DN you want:
> 
>  	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
> 
>   The configuration files are editable for a reason.  Edit them.
> 
>   Alan DeKok.

i have edited that file, and played with everything i can think of, or
can find to try getting this working.  hence my question here.

for some reason the radiusReplyItem specified as an attribute of the
groupOfNames is not being returned to the radius instance:

[ldap] looking for reply items in directory...
...

the output should be:

[ldap] looking for reply items in directory...
  [ldap] extracted attribute Cisco-AVPair from generic item Cisco-AVPair = "shell:priv-lvl=15"
...

i don't know what i should be changing to have the correct query done
from the radius side, so that ldap responds with what it already is
configured to respond with.


