LDAP Groups to Freeradius and then Ruckus Wireless?
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed May 28 14:00:39 CEST 2014
On 28 May 2014, at 12:36, Enrique Sainz Baixauli <enriquesainz.beca at intef.educacion.es> wrote:
>>> ldap : Attribute 'memberOf' not found in LDAP Object
>>
>> Then your user object contains no memberOf attributes, or your LDAP ACLs
>> are incorrect and preventing the memberOf attributes of user objects from
>> being accessed.
>>
>> -Arran
>
> That's right, my user doesn't contain any memberOf attributes because I got
> groups to work (via the users file) with member attributes in the groups, so
> the users themselves don't have any attributes referring to the groups: the
> groups contain attributes referring to the users. Would it be more correct
> to make the users belong to the group by adding memberOf attributes to the
> user objects, instead of using member attributes in the group objects?

Ah OK, sorry somehow I missed that.

In that case remove the update entry for Ruckus-User-Group

Then set:

    group.cacheable_name = yes

Uncomment:

    cache_attribute = 'LDAP-Cached-Membership'

Then in authorize:

    ldap
    foreach &LDAP-Cached-Membership {
        update reply {
            Ruckus-User-Group += "%{Foreach-Variable-0}"
        }
    }

In theory that should work. I'll be very interested to see if it does.

You should see a bunch of debug scrolling by saying it's adding
control:LDAP-Cached-Membership for each of the groups a user is a member of.

As an added bonus you can also use the rlm_cache module to cache these
memberships so you don't hit LDAP every time.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users
mailing list
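
The two membership models discussed in this thread, as an added illustration that is not part of the original message and is not FreeRADIUS code: a lookup on the user object's memberOf finds nothing when only the group objects carry member values, while a search of the group objects yields the names that end up as Ruckus-User-Group reply values. The directory entries, DNs and function names are constructed for the example, and the DN normalisation is deliberately simplified (no escaped commas).

```python
# Constructed sample directory: groups list their users in 'member';
# user objects carry no 'memberOf' attribute (the situation in this thread).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {"uid": ["bob"]},
    "cn=staff,ou=groups,dc=example,dc=org": {
        "cn": ["staff"],
        "member": ["uid=alice,ou=people,dc=example,dc=org",
                   "UID=Bob, ou=People, dc=example, dc=org"],
    },
    "cn=wifi-admins,ou=groups,dc=example,dc=org": {
        "cn": ["wifi-admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=org"],
    },
}


def norm_dn(dn):
    """Simplified DN normalisation: lower-case and trim spaces in each RDN."""
    rdns = dn.lower().split(",")
    return ",".join("=".join(p.strip() for p in r.split("=", 1)) for r in rdns)


def groups_from_user_object(user_dn):
    """User-side model: read 'memberOf' values from the user entry itself."""
    return list(DIRECTORY[user_dn].get("memberOf", []))


def groups_from_group_objects(user_dn):
    """Group-side model: find every group whose 'member' lists the user DN."""
    wanted = norm_dn(user_dn)
    names = []
    for entry in DIRECTORY.values():
        if any(norm_dn(m) == wanted for m in entry.get("member", [])):
            names.extend(entry["cn"])
    return sorted(names)


def ruckus_reply(user_dn):
    """One Ruckus-User-Group reply value per group the user belongs to."""
    return [("Ruckus-User-Group", g) for g in groups_from_group_objects(user_dn)]


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=org"
    print("memberOf on user:", groups_from_user_object(alice))
    for attr, value in ruckus_reply(alice):
        print(f"{attr} += {value}")
```

Comparing DNs without normalising them would silently drop bob from the staff group here, which matters when group membership decides which wireless role a user receives.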