dynamic expansion will not be dynamically expanded in ldap configuration
Angel L. Mateo
amateo at um.es
Thu Apr 23 09:23:40 CEST 2015
On 23/04/15 at 08:39, Angel L. Mateo wrote:
> On 22/04/15 at 14:47, Arran Cudbard-Bell wrote:
>
>>> It shouldn't be a hard failure unless you're using v3.1.x.
>>>
>>> Make sure you're building from v3.0.x where it should just be a warning.
>>
>> Or I guess you were previously building from. I thought we'd made
>> this a non fatal error, due to the likelihood that places would be missed...
>>
> I have built it from source v3.0.7.
>
> My problem is that although it's a warning, my ldap configuration
> does not make any ldap search for groups.
>
I have seen that 3.0.8 has already been released, so I have upgraded
(in my test environment).
Now I don't have the "dynamic expansion..." error, but the ldap module is
still not searching for groups.
In my ldap I have my users and groups with a posix schema. The primary
group of the user is in the gidNumber attribute of the user. This group
has a posixGroup entry in the ldap. In this entry there are memberUid
attributes for the users belonging to the group (but this is not their
primary group).
So, in my ldap module configuration I have:
	group {
		base_dn = '<my base dn>'
		filter = '(objectClass=posixGroup)'
		name_attribute = gidNumber
		membership_filter = "(|(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectClass=posixAccount))(&(objectClass=posixGroup)(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))"
		membership_attribute = 'uid'
	}
and in the site configuration:
	authorize {
		preprocess
		suffix
		files
		ldap
		mschap
		pap
		expiration
	}
Then, in my users file I have something like:
	DEFAULT Realm == um.es, Ldap-Group == 1001, Auth-Type := Reject
		Reply-Message = "...",
		Fall-Through = No
	DEFAULT Realm == um.es
		Fall-Through = No
but radius never makes any search to match the group of the users.
Any idea?
--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información
y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 868887590
Fax: 868888337
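
An added example, not part of the original message and not FreeRADIUS code: a small Python model of which entries the membership_filter in the message (written here with balanced parentheses) matches under the posix schema described, and which gidNumber values that yields for a user. The directory entries and the names alice and bob are constructed, the evaluator only understands `&`, `|` and equality, and collecting gidNumber from every matching entry is an assumption about the intended lookup.

```python
import re
# Constructed sample directory following the schema described in the message.
ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1001"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"], "gidNumber": ["1002"]},
    {"objectClass": ["posixGroup"], "gidNumber": ["1003"], "memberUid": ["bob"]},
]
EXPANSION = "%{%{Stripped-User-Name}:-%{User-Name}}"
MEMBERSHIP_FILTER = ("(|(&(uid=" + EXPANSION + ")(objectClass=posixAccount))"
                     "(&(objectClass=posixGroup)(memberUid=" + EXPANSION + ")))")

def escape(value):
    """Hex-escape LDAP filter metacharacters (RFC 4515) in a user-supplied name."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the filter starting at f[i]; return (node, index just past it)."""
    if f[i + 1] in "&|":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the item is never closed
    attr, value = f[i + 1:end].split("=", 1)
    return ("=", attr, unescape(value)), end + 1

def parse_filter(f):
    try:
        node, end = parse(f)
    except IndexError:
        raise ValueError("unbalanced filter: ran out of input") from None
    if not f.startswith("(") or end != len(f):
        raise ValueError("filter must be one balanced parenthesised expression")
    return node

def matches(node, entry):
    if node[0] == "=":
        return node[2] in entry.get(node[1], [])
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])

def groups_for(user):
    """gidNumber (the name_attribute) of every entry the expanded filter matches."""
    tree = parse_filter(MEMBERSHIP_FILTER.replace(EXPANSION, escape(user)))
    return sorted({g for e in ENTRIES if matches(tree, e) for g in e["gidNumber"]})
```

In this model alice is in 1001 only through her own posixAccount entry, while bob picks up 1003 through memberUid, so a rule keyed on group 1001 applies to alice and not to bob.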