What happens if you do this? Add the following to ldap.attrmap:

checkItem    Pool-Name    supannaffectation

Then remove all those users file entries with Ldap-Group, so it just does
an LDAP lookup, not specifically matching on groups. This should pull the
supannaffectation attribute from ldap and make that the Pool-Name check item,
which should then fire ippool.

-Dusty Doris

On Thu, 18 Nov 2004, LALOT Dominique wrote:

> Thanks for all, because it's starting to work.
>
> But: I noticed that I call ldap for each group before finding the right
> one. And for me the group name is just an ldap attr to read.
> Then when finding the group, for the IP pool, I have to read all the
> pools even when it returns ok.
>
> Hopefully, I have less than 10 groups! groupmembership is
> supannaffectation.
>
> Is there something else to do?
>
> Thanks
>
> dom
>
> users:
> DEFAULT Ldap-Group == IUT, Pool-Name := "IUT_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == Medecine, Pool-Name := "Medecine_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == ESIL, Pool-Name := "Esil_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == Pharo, Pool-Name := "Pharo_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == Sciences, Pool-Name := "Sciences_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == Pharmacie, Pool-Name := "Pharmacie_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == OSU, Pool-Name := "OSU_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == IM2, Pool-Name := "IM2_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> DEFAULT Ldap-Group == STAPS, Pool-Name := "STAPS_pool"
>         Service-Type == Framed-User,
>         Fall-Through = no
>
> rlm_ldap: user fred authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 2
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=ScEco)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group ScEco not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=IUT)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group IUT not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=Medecine)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group Medecine not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ-mrs,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=ESIL)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group ESIL not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=Pharo)(uid=fred))
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in uid=fred,ou=people,ou=u2,dc=univ,dc=fr, with filter (objectclass=*)
> rlm_ldap::groupcmp: Group Pharo not found or user not a member
> rlm_ldap: ldap_release_conn: Release Id: 0
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'ou=people,ou=u2,dc=univ,dc=fr'
> radius_xlat: '(uid=fred)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=people,ou=u2,dc=univ,dc=fr, with filter (&(supannaffectation=Sciences)(uid=fred))
> rlm_ldap::ldap_groupcmp: User found in group Sciences
> rlm_ldap: ldap_release_conn: Release Id: 0
>
> modcall: entering group post-auth for request 2
> modcall[post-auth]: module "ScEco_pool" returns noop for request 2
> modcall[post-auth]: module "IUT_pool" returns noop for request 2
> modcall[post-auth]: module "Medecine_pool" returns noop for request 2
> modcall[post-auth]: module "Esil_pool" returns noop for request 2
> modcall[post-auth]: module "Pharo_pool" returns noop for request 2
> rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
> rlm_ippool: Found a stale entry for ip/port: 139.124.210.71/1813
> rlm_ippool: num: 0
> rlm_ippool: Searching for an entry for nas/port: 255.255.255.255/1813
> rlm_ippool: Allocating ip to nas/port: 255.255.255.255/1813
> rlm_ippool: num: 1
> rlm_ippool: Allocated ip 139.124.210.55 to client on nas 255.255.255.255,port 1813
> modcall[post-auth]: module "Sciences_pool" returns ok for request 2
> modcall[post-auth]: module "Pharmacie_pool" returns noop for request 2
> modcall[post-auth]: module "OSU_pool" returns noop for request 2
> modcall[post-auth]: module "IM2_pool" returns noop for request 2
> modcall[post-auth]: module "STAPS_pool" returns noop for request 2
> modcall[post-auth]: module "DEF_pool" returns noop for request 2
> modcall: group post-auth returns ok for request 2
>
> >> You'll still need to configure the ippool modules and include those
> >> in the accounting section and post-auth section. Forgot to include
> >> that in the last email. A radiusd -X will show you exactly what is
> >> going on. If it doesn't work, please post that to the list with all
> >> output.
> >>
> >> ie:
> >>
> >> accounting {
> >>     ...
> >>     u2labo
> >>     u3labo
> >>     ...
> >> }
> >>
> >> post_auth {
> >>     ...
> >>     u2labo
> >>     u3labo
> >>     ...
> >> }
> >>
> >> On Wed, 17 Nov 2004, LALOT Dominique wrote:
> >>
> >>> Thanks,
> >>>
> >>> I have to leave, but the quick and last test I did with your advice,
> >>> gave me bad results. See tomorrow..
> >>> Using radtest, I don't get any IP, and there is very little doc about
> >>> ippool and the way it works.
> >>>
> >>> I suppose that the NAS is completely relying on radius for IP delivery.
> >>> I'm wondering what happens in case of the failure of the main radius
> >>> server.
> >>>
> >>> Dom
> >>>
> >>> Dustin Doris wrote:
> >>>
> >>>>> Hello all,
> >>>>>
> >>>>> I've spent quite a long time trying to understand how freeradius
> >>>>> works and trying to get everything I want working.
> >>>>> I am using Openldap since 2001 and I've no problems to understand
> >>>>> LDAP as I wrote many programs around LDAP. In fact I don't
> >>>>> understand how groups are working under radius.
> >>>>>
> >>>>> My aim: I would like to distribute different IP pool for users.
> >>>>>
> >>>>> The best for me: In the users DN, we already have an attribute for a
> >>>>> laboratory, ie u2labo
> >>>>> I would like to say:
> >>>>> 1. authenticate the user in ldap (works ok)
> >>>>> 2. Get the attribute u2labo
> >>>>> 3. use that value to get the ip range (somewhere even outside ldap
> >>>>> (users)) to distribute the IP.
> >>>>>
> >>>>> I've tried many configurations without success. The debugging of ldap
> >>>>> show me just bind successful without search for groups. I tried to
> >>>>> add radiusprofile Objectclass without success. So what is the
> >>>>> meaning of groups in radius?
> >>>>> can we say:
> >>>>> user fred attributes XXX member of group test
> >>>>> group test the rest of attributes.
> >>>>>
> >>>>> Could you give me the minimum to set in conf files to get it working?
> >>>>>
> >>>>> Thanks
> >>>>>
> >>>>> Dom
> >>>>>
> >>>>
>
> --
> Dominique LALOT
> Systems and Network Engineer, CISCAM Pole Réseau
> Université de la Méditerranée
> http://annuaire.univ.fr/showuser.php?uid=lalot
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
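
The change suggested in the reply at the top of this message, written out as configuration fragments. This is an added example, not part of the thread and not taken from the FreeRADIUS distribution. It assumes FreeRADIUS 1.x syntax, and it names each ippool instance after the LDAP value (Sciences, not Sciences_pool), because the debug output above shows an instance only allocating when Pool-Name equals its own name; the address ranges and db file names are constructed placeholders.

```conf
# ldap.attrmap: one added line (format: ItemType  RADIUS-attribute  LDAP-attribute)
checkItem    Pool-Name    supannaffectation

# users: the "DEFAULT Ldap-Group == ..., Pool-Name := ..." entries are removed.
# Pool-Name now comes from the single LDAP user lookup done in authorize,
# so no per-group ldap_groupcmp() searches are issued.

# radiusd.conf (fragment, other modules unchanged): one ippool instance per
# value stored in supannaffectation. Assumption: the stored values are
# exactly "Sciences", "IUT", and so on.
modules {
	ippool Sciences {
		range-start = 192.0.2.10        # placeholder range
		range-stop = 192.0.2.99
		netmask = 255.255.255.0
		cache-size = 90
		session-db = ${raddbdir}/db.ippool.Sciences
		ip-index = ${raddbdir}/db.ipindex.Sciences
		override = no
		maximum-timeout = 0
	}
	ippool IUT {
		range-start = 192.0.2.100       # placeholder range
		range-stop = 192.0.2.199
		netmask = 255.255.255.0
		cache-size = 100
		session-db = ${raddbdir}/db.ippool.IUT
		ip-index = ${raddbdir}/db.ipindex.IUT
		override = no
		maximum-timeout = 0
	}
}

# Every instance stays listed in both sections. Only the instance whose name
# equals Pool-Name allocates; the others return noop. A user whose attribute
# matches no instance name gets no address from any pool.
accounting {
	Sciences
	IUT
}

post-auth {
	Sciences
	IUT
}
```

With this layout the address range is chosen directly by a directory attribute, so write access to supannaffectation decides which range a user lands in; restrict it in the LDAP ACLs if the ranges map to different network policies.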