group authorization

Alan DeKok aland at deployingradius.com
Wed Mar 26 03:41:45 CET 2014


Brendan Kearney wrote:
>>   Why?  The "filter" configuration item is the *only* place where the
>> LDAP "uid" search string is set.  Editing anything else won't help.
> The uid vs dn may not be the issue (or at least not the only issue).

  Pick one problem at a time and solve it.  You said you wanted a search
string which was more than "uid=...".  I told you how to get that.  Try it.

  The problem will be fixed, and you can move on to the next problem.
Or, you can ask for more help to solve the uid / filter problem.

  You WILL NOT do anything useful by randomly switching between 5
separate issues.  Only a consistent approach will fix anything.  See
"man radiusd" for more on this topic.

>>   Read the documentation and configure it as required.
> I did, and it's vague.

  The configuration items in raddb/modules/ldap are extensively
documented.  Do you have a SPECIFIC question?  If so, why not ask it?

>  Also, it's contradicted by what is on the FreeRADIUS
> site, which googling around turns up.

  i.e. "stuff is wrong".  WHAT is wrong?  Where?

  You're again being as vague as possible.  This isn't helpful.

  You did post the debug output in your first message, which was nice:

Debug:
  [ldap] performing search in dc=bpk2,dc=com, with filter (uid=brendan)

You:
the actual member "value" in the group is the "long"
version of the uid (uid=brendan,ou=Users,dc=bpk2,dc=com).  Is there
something I can do to use the "long" version?

Me:
  Edit the "filter" configuration in raddb/modules/ldap

You:
  It doesn't work.


  Uh... that is a completely useless response.  Yes, it does work.  Many
other people get LDAP filters working.  They just edit the configuration
item I said.

  So... did you *try*?  WHAT did you try?  Is it a secret?  Why didn't
you post the debug output to the list?

> Where do I find the different variables that are referenced
> (Stripped-User-Name, User-Name, control:Ldap-UserDn, etc)?

  Those are RADIUS attributes.  Go to wiki.freeradius.org, and type
"ldap" into the search box.  Hit <enter>.  Click on the first link.  The
LDAP-UserDn attribute is documented there.

  User-Name is a standard RADIUS attribute.  Read the specs to see what
it is.  Really... we are NOT going to document every one of 8000 RADIUS
attributes.  That's ridiculous.

  Stripped-User-Name is ... the User-Name, stripped of a realm.  Read
the debug output to see what's going on.

>  Where is the
> documentation around what %{%{Stripped-User-Name}:-%{User-Name}} does

$ man unlang

  Which is referenced from the top comments on radiusd.conf.

>  vs
> %{%{control:Ldap-UserDn}:-%{control:Ldap-UserDn}} (which does not seem
> to work anyway)

  If you had read the documentation, you'd understand that the above
text makes zero sense.

  And see the FAQ for "it doesn't work".  Really.

> Yes, and a bunch of stuff is all that can be tried/done when no real,
> comprehensive howtos exist on how to do this.

  Go to wiki.freeradius.org, and type "ldap" into the search box.  Hit
<enter>.  Click on the first link.

> http://www.clearfoundation.com/docs/howtos/setting_up_radius_to_use_ldap
> is the best I have found, and it does not work, is outdated, or does not
> do everything I am looking for.

  Yeah... third-party documentation that's 10 years old is preferable to
reading the official FreeRADIUS Wiki, or the comments in the
configuration files.

  The FreeRADIUS documentation isn't perfect.  But this is your third
message complaining about it... with little to no content.

  If all you say is "you guys suck", you won't solve the problem.

  If you have *specific* and TECHNICAL questions, we can answer them.
All it requires is for you to ask GOOD questions, with CONTENT.

  It's up to you.  Choose to ask useful questions, and you will get
useful answers.

  Alan DeKok.
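The nested default-value expansion the poster asked about, `%{%{Stripped-User-Name}:-%{User-Name}}`, as an added Python example that is not part of this thread and is not FreeRADIUS code: a small expander for that `%{...}` syntax, run against constructed request attributes taken from the debug line (`(uid=brendan)`) and the "long" DN quoted in the message. It also shows why `%{%{control:Ldap-UserDn}:-%{control:Ldap-UserDn}}` is pointless: primary and default are the same reference, so it expands to exactly what `%{control:Ldap-UserDn}` does. `GROUP_FILTER` is modelled on the 2.x `groupmembership_filter` default and is an assumption here; check raddb/modules/ldap on your own system. The RFC 4515 escaping step is what any value substituted into an LDAP filter needs; it models the requirement, not rlm_ldap's own implementation.

```python
import re

# Constructed sample request state, modelled on the debug line in the message
# ("performing search in dc=bpk2,dc=com, with filter (uid=brendan)") and on the
# "long" DN the poster quoted.  Lists follow FreeRADIUS naming: an unprefixed
# reference means the request list; "control:" selects the control list.
SAMPLE_ATTRS = {
    "request": {"User-Name": "brendan"},
    "control": {"Ldap-UserDn": "uid=brendan,ou=Users,dc=bpk2,dc=com"},
}

# USER_FILTER is the "filter" item in raddb/modules/ldap that the reply says to
# edit.  GROUP_FILTER is modelled on the 2.x "groupmembership_filter" default
# and is an assumption in this example, not text quoted from the thread.
USER_FILTER = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")


def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def lookup(attrs, ref):
    """Resolve 'List:Attribute' (a bare 'Attribute' means the request list)."""
    lst, _, name = ref.rpartition(":")
    return attrs.get(lst or "request", {}).get(name.strip())


def _matching_brace(text, start):
    """Index of the '}' that closes the '%{' beginning at text[start]."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced %{ in: " + text)


def _split_default(body):
    """Split 'primary:-default' at the top-level ':-', or return None."""
    depth, i = 0, 0
    while i < len(body):
        if body.startswith("%{", i):
            depth += 1
            i += 2
            continue
        if body[i] == "}":
            depth -= 1
        elif depth == 0 and body.startswith(":-", i):
            return body[:i], body[i + 2:]
        i += 1
    return None


def expand(text, attrs, escape=ldap_escape):
    """Expand every %{...} in text; attribute values pass through escape().

    %{Attr} becomes the attribute's value, or "" when it is absent.
    %{primary:-default} becomes the expansion of primary if that is non-empty,
    otherwise the expansion of default.  Both sides may themselves be %{...}.
    """
    out, i = [], 0
    while i < len(text):
        if text.startswith("%{", i):
            end = _matching_brace(text, i)
            body = text[i + 2:end]
            parts = _split_default(body)
            if parts is None:
                value = lookup(attrs, body)
                out.append(escape(value) if value is not None else "")
            else:
                primary = expand(parts[0], attrs, escape)
                out.append(primary if primary else expand(parts[1], attrs, escape))
            i = end + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # No Stripped-User-Name in the request, so the default (User-Name) is used.
    print(expand(USER_FILTER, SAMPLE_ATTRS))
    # Group check keyed on the full DN, which is the "long" form the poster wanted.
    print(expand(GROUP_FILTER, SAMPLE_ATTRS))
```

Run it and compare the first line with the debug output in the message; the group filter line shows the full DN landing in the `member` and `uniquemember` comparisons. Feeding a User-Name containing `*`, `(` or `)` through `expand` shows the escaping turning those into `\2a`, `\28`, `\29` instead of letting them change the shape of the filter.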

