Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at gmail.com
Thu Mar 26 03:20:06 CET 2015


I have setup the group in groupmembership_attribute as a naive intent to
accomplish my goal.  If that is not the correct parameter I will really
appreciate your help on where I should set my Group and the syntax.

On my first email I included my LDAP.conf file as generated by pfsense.

I think is closed as needed because I was successful matching user/pass
with AD when group membership_attribute is default, but for all Users.  Now
I need to change it to consider the Group.

For now I only need to identify only one Group.  I am using FreeRadius for
a Squid proxy server then the User is used on Dansguardian.
On Mar 25, 2015 7:21 PM, "Ben Humpert" <ben at an3k.de> wrote:

> 2015-03-25 22:26 GMT+01:00 Jose Torres-Berrocal <
> jetsystemservices at gmail.com>:
> > I do not think what I need is nonstandard.
> >
> > Let me explain my need in non technical way.  I need the users to enter
> > username and password. Compare the username/password against Active
> > Directory, then extract the Groups the user belong to and compare/verify
> it
> > includes the Group   set up in Radius LDAP config. If match pass, else
> > reject.
>
> Where in the Radius LDAP config did you set up the Group? In
> groupmembership_attribute?
>
> Have you already modified the groupmembership_filter to match your MS AD
> schema?
>
> Do you only want to authenticate users in the group InternetAccess
> with Radius or also users of other groups?
>
> > Maybe this can be done with any combination of the normal filter,  base
> > filter, group membership filter, group attribute, etc.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list