Never mind, I found how to get this to work. I was assuming that anything in the Check-Item were all AND'd together when they are on one line. I got it to work this way:

DEFAULT Ldap-Group != "CN=xxxxx,OU=yyyyy,DC=zzzzz", Auth-Type := Reject

DEFAULT Auth-Type := LDAP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Zawacki Jason D Contr AFRL/IFOS
Sent: Wednesday, April 27, 2005 10:23 AM
To: 'freeradius-users@lists.freeradius.org'
Subject: LDAP password lookup and LDAP group membership

Hello all.

Another problem I'm having - I want to be able to check that a user is in a group in LDAP. I've been using the users file to do this, and here's what I've tried:

DEFAULT Ldap-Group == "CN=xxxxx,OU=yyyyy,DC=zzzzz", Auth-Type := LDAP, Fall-Through = No

This setup accepts me whether or not I'm in the group. If I do this:

DEFAULT Ldap-Group == "CN=xxxxx,OU=yyyyy,DC=zzzzz", Auth-Type := LDAP, Fall-Through = No
DEFAULT Auth-Type := Reject

I'll always be rejected.

LDAP refers to an Auth-Type I've set up. I didn't think it was relevant so I didn't include it here.

Thanks in advance,
Jason

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html