LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Fri May 23 12:23:06 CEST 2014

Hello there,


I'm trying to deploy a FreeRadius server with OpenLDAP. To this end, both
are working properly and communicate with each other successfully. I have
LDAP groups set up so users belong to a group and I can check from
freeradius' users file if a user belongs to a group (and, for example, deny
access to all users belonging to a certain group). I must say that, if I
enable group checking in the users file, I can see rlm_ldap debug info about
it searching for group information; but if it's not enabled it doesn't search
for groups.


The issue here is that the server will be used to authenticate wifi users
from a Ruckus ZoneDirector device, which defines roles and assigns roles to
the users depending on the groups that the users belong to. This works
flawlessly when authenticating against LDAP itself, but if freeradius stands
in the middle the group info gets lost somewhere. I know that freeradius can
access the Ldap-Group variable and know which group the user belongs to, but
I'd like it to forward that info to the ZoneDirector (which is actually
performing the authentication request against freeradius), so that it can
assign the role properly.


The LDAP database is set up with two OUs, users and groups, and users being
of objectClass inetOrgPerson and groups being groupOfNames. In freeradius,
ldap config is mostly default except for server, identity, etc, but with
these group-related parameters:

groupname_attribute = cn

groupmembership_filter =

groupmembership_attribute = member # (also tried with memberOf, radiusGroup, radiusGroupName and several others)


And, about the server, it is running Debian 7.5, OpenLDAP 2.4.31 and
freeradius 2.1.12 (default packages from Debian). I can provide any other
info that you need :)


Thanks everyone in advance!

