LDAP Groups to Freeradius and then Ruckus Wireless?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed May 28 19:01:00 CEST 2014


On 28 May 2014, at 17:05, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> 
>> What attribute are you using for group membership?  I'm getting ready to do something similar and it strikes me that if memberOF is not in your schema that won't work.
> 
> Not with the update block no, but there are other ways in v3.0.x to do it without memberOf

Ok, OP.

I suspect you've messed up and not uncommented 

group.cache_attribute

Or got a typo in your config. I got no complaints from the server when I tried,
and did not have to add a dictionary entry.

So yes, it works perfectly on my system (though I don't have the Ruckus attributes, could you send their dictionary over please?)

Received Access-Request Id 134 from 127.0.0.1:53587 to 127.0.0.1:1812 length 29
	User-Name = 'xxxxx'
(0) # Executing section authorize from file /usr/local/freeradius/etc/raddb/sites-enabled/default
(0)   authorize {
rlm_ldap (ldap): Reserved connection (4)
(0)  ldap : EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
(0)  ldap :    --> (uid=xxxxx)
(0)  ldap : EXPAND ou=people,dc=networkradius,dc=com
(0)  ldap :    --> ou=people,dc=networkradius,dc=com
(0)  ldap : Performing search in 'ou=people,dc=networkradius,dc=com' with filter '(uid=xxxxx)', scope 'sub'
(0)  ldap : Waiting for search result...
(0)  ldap : User object found at DN "cn=Arran Cudbard-Bell,ou=people,dc=networkradius,dc=com"
(0)  ldap : No cacheable group memberships found in user object
(0)  ldap : EXPAND (&(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
(0)  ldap :    --> (&(objectClass=posixGroup)(|(member=cn\3dArran Cudbard-Bell\2cou\3dpeople\2cdc\3dnetworkradius\2cdc\3dcom)(memberUid=xxxxx)))
(0)  ldap : EXPAND ou=groups,dc=networkradius,dc=com
(0)  ldap :    --> ou=groups,dc=networkradius,dc=com
(0)  ldap : Performing search in 'ou=groups,dc=networkradius,dc=com' with filter '(&(objectClass=posixGroup)(|(member=cn\3dArran Cudbard-Bell\2cou\3dpeople\2cdc\3dnetworkradius\2cdc\3dcom)(memberUid=xxxxx)))', scope 'sub'
(0)  ldap : Waiting for search result...
(0)  ldap : Added control:LDAP-Cached-Membership with value "admin"
(0)  ldap : Added control:LDAP-Cached-Membership with value "networkradius"
(0)  ldap : Processing user attributes
(0)  ldap : 	control:Password-With-Header += 'xxxxxx'
rlm_ldap (ldap): Released connection (4)
(0)   [ldap] = ok
(0)   foreach &control:LDAP-Cached-Membership 
(0)    #  Foreach-Variable-0 = "admin"
(0)    update reply {
(0) EXPAND %{Foreach-Variable-0}
(0)    --> admin
(0) 	Reply-Message += "admin"
(0)    } # update reply = noop
(0)    #  Foreach-Variable-0 = "networkradius"
(0)    update reply {
(0) EXPAND %{Foreach-Variable-0}
(0)    --> networkradius
(0) 	Reply-Message += "networkradius"
(0)    } # update reply = noop
(0)   } # foreach &control:LDAP-Cached-Membership = noop
(0)   update control {
(0) 	Auth-Type := Accept
(0)   } # update control = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = Accept
(0) Auth-Type = Accept, accepting the user
(0) # Executing section post-auth from file /usr/local/freeradius/etc/raddb/sites-enabled/default
(0)   post-auth {
(0)   [exec] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (reply:EAP-Message && reply:Reply-Message) 
(0)     if (reply:EAP-Message && reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } #  post-auth = noop
Sending Access-Accept Id 134 from 127.0.0.1:1812 to 127.0.0.1:53587
	Reply-Message += 'admin'
	Reply-Message += 'networkradius'
(0) Finished request

Note it's searching for group objects as it is with your setup.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
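As an added example (not part of Arran's message and not the FreeRADIUS project's shipped configuration), these are the two v3.0.x configuration fragments that produce a debug trace like the one above: the group section of mods-available/ldap with cache_attribute uncommented, and the authorize section that walks the cached memberships. The base DNs and the membership_filter are taken from the debug output; the use of Filter-Id as the attribute the NAS consumes and the policy names "admin-policy" and "default-policy" are assumptions, since the Ruckus dictionary was not posted.

```text
# mods-available/ldap  (v3.0.x), group section only.
# Group names found via membership_filter are stored in control:LDAP-Cached-Membership.
ldap {
	server = "ldap.example.com"          # assumed; not from the debug output
	base_dn = "dc=networkradius,dc=com"  # taken from the debug output

	user {
		base_dn = "ou=people,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "ou=groups,${..base_dn}"
		filter = '(objectClass=posixGroup)'
		scope = 'sub'

		# Attribute on the group object that becomes the cached value ("admin", "networkradius").
		name_attribute = cn

		# Used when the user object carries no membership attribute (memberOf);
		# this is the search seen in the "Performing search in 'ou=groups,...'" line.
		membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
		membership_attribute = 'memberOf'

		# Cache group *names* (not DNs) into the attribute below.
		cacheable_name = 'yes'
		cacheable_dn = 'no'

		# Shipped commented out; leaving it commented is the likely cause of the OP's problem.
		cache_attribute = 'LDAP-Cached-Membership'
	}
}

# sites-enabled/default, authorize section.
authorize {
	ldap

	# One iteration per cached group; %{Foreach-Variable-0} is the current group name.
	foreach &control:LDAP-Cached-Membership {
		update reply {
			Reply-Message += "%{Foreach-Variable-0}"
		}

		# Map group name -> NAS policy. Filter-Id is a standard RFC 2865 attribute used here
		# as a stand-in for whatever attribute the Ruckus dictionary defines (assumption).
		switch "%{Foreach-Variable-0}" {
			case "admin" {
				update reply {
					Filter-Id := "admin-policy"
				}
			}
			case {
				update reply {
					Filter-Id := "default-policy"
				}
			}
		}
	}

	# Only for reproducing the trace above: Auth-Type := Accept returns Access-Accept
	# without checking any credential. Leave it out in a real deployment and let
	# pap / eap (listed after ldap in the shipped default) authenticate the user.
	# update control {
	#	Auth-Type := Accept
	# }
}
```

The ldap module must run before the foreach, since control:LDAP-Cached-Membership is populated during its call; with cacheable_name set and cache_attribute uncommented, the "Added control:LDAP-Cached-Membership" lines appear in the debug output without any dictionary change, as the message above notes.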
