FR 3.0.1 and LDAP group membership

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue May 27 21:37:07 CEST 2014


> backing up a bit...
> 
> users, groups and profiles.
> 
> i want to have a group that i add users to, and when users are added to
> that group, they inherit radius attributes which allow them access to a
> resource.  the means would be the value of a radiusreplyitem.
> 
> i have created a user, uid=brendan,ou=Domain Users,ou=Users,dc=bpk2,dc=com
> i have created a group, cn=netEngineers,ou=Domain Groups,ou=Groups,dc=bpk2,dc=com
> i have created a profile, cn=netReadWrite,cn=radius,ou=Daemons,dc=bpk2,dc=com
> the profile has a radiusreplyitem with a value of Cisco-AVPair = "shell:priv-lvl=15"
> 
> how do i go about tying group membership to the profile (or vice versa,
> if that is what i am supposed to do)?
> 
> i have uncommented the attribute line in the profile section, and
> changed its value to memberOf.  i see in a capture that the groups i am
> a member of are queried for the radiusprofile objectclass.  the
> netEngineers group has that objectclass and a radiusprofiledn attribute
> pointing to the profile that has the radiusreplyitem.  i do not see the
> query for the profile or the radiusreplyitem string in the radiusd -X
> output or in the radtest output.  what are the appropriate ways of tying
> this all together?

Without code patches you'd need to add radiusreplyItem attributes directly
to the group objects. The group objects and the profile objects would be
one and the same.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
