LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Mon May 26 11:53:22 CEST 2014

>>> You should be able to use the attrmap file to map memberOf or 
>>> whatever
>> membership attribute you use to a reply attribute.
>> So I included in /usr/share/freeradius/dictionary a new 
>> dictionary.ruckus file with vendor information for Ruckus that defines 
>> the attribute to be
>> returned:
>> [...]
>> ATTRIBUTE	Ruckus-User-Groups	1	string
>> [...]
>> And a new line in ldap.attrmap to reply that attribute:
>> replyItem	Ruckus-User-Groups	member
>> member being the groupmember_attribute set in modules/ldap, and also 
>> the attribute name in LDAP that makes membership effective.
>> But the result is the same, no additional debug output in radiusd -XXX 
>> or when testing a user authentication with radtest. Am I doing 
>> anything wrong here?
>Nope, trace the LDAP conversation with wireshark and see what's being
requested and returned.

So I'm capturing the whole conversation but I can't see anything useful:
there is a first searchRequest for the user being authenticated, then a
successful searchResEntry with the user's DN but no additional attributes
and finally a successful searchResDone. Then there is another searchRequest
for the group check that I have in the users file (but that is unrelated to
the problem: it is only there to check that the group filter works
correctly), its searchResEntry with info about the group that the user is
being checked against and another successful searchResDone. Aside from
those, bindRequests and such packets are also captured.

All of that is happening with the additional entry in the dictionary and the
additional line in ldap.attrmap that I described in my previous email, so I
am kind of lost. What am I missing here? Should I configure anything else?

Thanks again!

More information about the Freeradius-Users mailing list