LDAP Groups to Freeradius and then Ruckus Wireless?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri May 23 12:45:19 CEST 2014

On 23 May 2014, at 11:23, Enrique Sainz Baixauli <enriquesainz.beca at intef.educacion.es> wrote:

> Hello there,
> I’m trying to deploy a FreeRadius server with OpenLDAP. To this end, both are working properly and communicate with each other successfully. I have LDAP groups set up so users belong to a group and I can check from freeradius’ users file if a user belongs to a group (and, for example, deny access to all users belonging to a certain group). I must say that, if I enable group checking in users file, I can see rlm_ldap debug info about it searching for group information; but if it’s not enabled it doesn’t search for groups.
> The issue here is that the server will be used to authenticate wifi users from a Ruckus ZoneDirector device, which defines roles and assigns roles to the users depending on the groups that the users belong to. This works flawlessly when authenticating against LDAP itself, but if freeradius stands in the middle the group info gets lost somewhere. I know that freeradius can access Ldap-Group variable and know which group the user belongs to, but I’d like it to forward that info to the ZoneDirector (who is actually performing the authentication request against freeradius), so that it can assign the role properly.

There is no LDAP-Group attribute :).

It's virtual, it'a actually translates to a function call in the rlm_ldap module, which runs a bunch of extra logic and queries to check whether a member is a particular group.

> The LDAP database is set up with two OUs, users and groups, and users being of objectClass inetOrgPerson and groups being groupOfNames. In freeradius, ldap config is mostly default except for server, identity, etc, but with these group-related parameters:
> groupname_attribute = cn
> groupmembership_filter = (&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))
> groupmembership_attribute = member # (also tried with memberOf, radiusGroup, radiusGroupName and several others) 
> And, about the server, it is running Debian 7.5, OpenLDAP 2.4.31 and freeradius 2.1.12 (default packages from debian). I can provide any other info that you need :)

You should be able to use the attrmap file to map memberOf or whatever membership attribute you use to a reply attribute.

Else upgrade to 3.0.3 and use the cached group info toggles.


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140523/bca34100/attachment.pgp>

More information about the Freeradius-Users mailing list