FR 3.0.1 and LDAP group membership

Brendan Kearney bpk678 at
Tue May 27 22:18:15 CEST 2014

On Tue, 2014-05-27 at 20:37 +0100, Arran Cudbard-Bell wrote:

> Without code patches you'd need to add radiusreplyItem attributes directly
> to the group objects. The group objects and the profile objects would be
> one and the same.
> Arran Cudbard-Bell <a.cudbardb at>
> FreeRADIUS Development Team

what you say contradicts what you have stated previously:

Groups don't return replyItems only profiles do. Groups are only 
used for checking membership, they cannot contain attributes themselves.

Note that your profile attribute could be the same as your group
attribute i.e. memberOf, in which case you'd just need to add the
group objects to the radiusprofile object.

am i to understand that 3.0.3 changes things or have i again missed
something important?

originally, i had the group configured with the objectclass and the
radiusreplyitem attribute, and that did not provide the authorization
string in the reply.  without undoing the radiusprofiledn and the
radiusprofile existing elsewhere in the directory, i added back the
radiusreplyitem to the group and tested with radtest.  i do not see the
string in the reply from radiusd.

as soon as i see the 3.0.3 update in the fedora repos, i will be
updating to it.  maybe that will clear up some of these loose ends.
