LDAP Groups to Freeradius and then Ruckus Wireless?

Enrique Sainz Baixauli enriquesainz.beca at intef.educacion.es
Wed May 28 13:09:44 CEST 2014


>> Hi again,
>> 
>> So I'm now working with version 3.0.3 and I have moved all of my 
>> configs to the new format. I can do, as I did on v2.1.2, group 
>> checking in users file via the Ldap-Group virtual attribute. That's fine,
>> but it's not what I need.
>> I need the group info to be forwarded to the client, and I'm trying to 
>> do so in mods-available/ldap (symlinked to mods-enabled/). As there is 
>> no ldap.attrmap file and the update section in mods-available/ldap 
>> seems to be for that purpose, I'm mapping attributes there:
>> 
>> reply:Ruckus-User-Groups	:= 'control:memberOf'
>> 
>> Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. 
>> But any kind of attribute that I think may fit there I have already 
>> tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I 
>> try I see a line like this in the debug output:
>> 
>> ldap :  Attribute 'control:memberOf' not found in LDAP Object
>
>*sigh* why could you add control: to the start of memberOf attribute? LDAP
>has no idea what lists are.
>
>Use:
>
>update {
>	reply:Ruckus-User-Group += 'memberOf'
>}
>
>Add that and it should work, if it doesn't work post the debug output.

I guess I didn't explain myself enough: I tried with and without control:, I
just posted that option because it was the last one I tried (not really very
confident about getting it to work that way). The only difference between
your line and the ones I tried before is that you used += and I used :=
(which I think should be correct, because that's the only attribute that
should go into Ruckus-User-Group, but I may be wrong again). So now, with
your line I get quite similar debug output:

ldap :  Attribute 'memberOf' not found in LDAP Object

That line happens between processing the only previous attribute
(Password-With-Header) and releasing the connection with OpenLDAP, so I
think there is no more relevant debug output...
 
>> So my question is: how can I have freeradius run the logic behind 
>> Ldap-Group and put that info in the reply? Because if I try it from 
>> users file Ldap-Group is recognized and run, but from ldap config it 
>> just doesn't find the attribute.
>
>Yes.
>
>-Arran

And my question is still how to do it, not whether I can do it or not :)

Thanks again!
