LDAP Groups to Freeradius and then Ruckus Wireless?

Jefferson Davis jdavis at standard.k12.ca.us
Wed May 28 17:57:27 CEST 2014

>> Hi again, 
>> So I'm now working with version 3.0.3 and I have moved all of my 
>> configs to the new format. I can do, as I did on v2.1.2, group 
>> checking in users file via the Ldap-Group virtual attribute. That's fine, 
but it's not what I need. 
>> I need the group info to be forwarded to the client, and I'm trying to 
>> do so in mods-available/ldap (symlinked to mods-enabled/). As there is 
>> no ldap.attrmap file and the update section in mods-available/ldap 
>> seems to be for that purpose, I'm mapping attributes there: 
>> reply:Ruckus-User-Groups := 'control:memberOf' 
>> Ruckus-User-Groups is defined in a dictionary file for vendor Ruckus. 
>> But any kind of attribute that I think may fit there I have already 
>> tried (memberOf, Ldap-Group, Ldap-Membership...), and no matter what I 
>> try I see a line like this in the debug output: 
>> ldap : Attribute 'control:memberOf' not found in LDAP Object 
>*sigh* why could you add control: to the start of memberOf attribute? LDAP 
has no idea what lists are. 
>update { 
> reply:Ruckus-User-Group += 'memberOf' 
>Add that and it should work, if it doesn't work post the debug output. 

I guess I didn't explain myself enough: I tried with and without control:, I 
just posted that option because it was the last one I tried (not really very 
confident about getting it to work that way). The only difference between 
your line and the ones I tried before is that you used += and I used := 
(which I think should be correct, because that's the only attribute that 
should go into Ruckus-User-Group, but I may be wrong again). So now, with 
your line I get quite similar debug output: 

ldap : Attribute 'memberOf' not found in LDAP Object 

That line happens between processing the only previous attribute 
(Password-With-Header) and releasing the connection with OpenLDAP, so I 
think there is no more relevant debug output... 

>> So my question is: how can I have freeradius run the logic behind 
>> Ldap-Group and put that info in the reply? Because if I try it from 
>> users file Ldap-Group is recognized and run, but from ldap config it 
>> just doesn't find the attribute. 

And my question is still how to do it, not whether I can do it or not :) 

Thanks again! 

What attribute are you using for group membership? I'm getting reay to do something similar and it strikes me that if memberOF is not in your schema that won't work. 

If you're using RFC2307 you may have to set up a second filter condition for group membership resolution. 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 


Jefferson K Davis 
Technology and Information Systems Manager 
Standard School District 
1200 North Chester Ave 
Bakersfield, CA 93308 
661.392.2110 ext 120 (office) 

District Users: Click here to report technology issues 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140528/290d6d54/attachment.html>

More information about the Freeradius-Users mailing list