I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member of. How can I get FreeRadius to report the other
groups that the user belongs to?

Mark Litchfield


Sorry I don't understand.  Can you explain what you mean by "only shows
the primary group" and "report the other groups".  Report to what?

Perhaps some radiusd -X output and an explanation of what you are trying
to do would help.

Using the following tree in LDAP:

dc: treeroot
|_ou: accounts
|  |_ou: domain1
|  |  |_uid: joe
|  |     mail: [EMAIL PROTECTED]
|  |     uid: 10001
|  |     gid: 11000
|  |_ou: domain2
|     |_uid: joe
|        mail: [EMAIL PROTECTED]
|        uid: 10002
|        gid: 11001
|_ou: groups
   |_cn: group1
   |   uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
   |   gid: 11000
   |_cn: group2
   |   uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
   |   gid: 11001
   |_cn: group3
       uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
       uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
       gid: 11002

When I "su" in as [EMAIL PROTECTED] and run "id" from the prompt I get:

joe(10001), group1(11000)

When I should get

joe(10001), group1(11000), group3(11002)

The overall desired effect:

1. System will support multiple domains.
2. Duplicate user names cannot exist within the same domain. (i.e. there can be only one username 
"joe" per domain, but each domain can have a username "joe".)
3. Users can be members of several groups. Cross-domain group membership may be 
supported. ([EMAIL PROTECTED] is a member of group1 and [EMAIL PROTECTED] is a 
member of group2. Both of them are members of group3)
4. User / group authorization must be available to the filesystem / OS. I am 
trying to replace the use of /etc/passwd and /etc/group for filesystem 
permissions, login, etc.

Please anyone, tell me if I am insane for attempting this, if this is even possible or if there is an open-source alternative that will do all this and work with postfix and apache for user AAA. I would much rather get this to work in LDAP with FreeRadius.

On a side note, same topic... I have been looking for a way to do nested groups 
in LDAP with FreeRadius. Is this possible and how?

BTW, I was unable to grab the radiusd -X output. The machine is not available to 
me for a few days. Taking a short break before I snap.

Thanks

Mark Litchfield
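The lookup behind the "id" output Mark expects, written as an added example (not from the thread or from FreeRADIUS): the user entry only carries the primary gid, so the supplementary groups have to be found by searching group entries whose uniqueMember names the user's DN. The directory content is constructed from the tree in the post, and the attribute names uidNumber/gidNumber/uniqueMember (posixAccount and groupOfUniqueNames) are an assumption where the post abbreviates them as uid/gid.

```python
# Added example: resolve primary and supplementary groups for the tree in the post.
# Constructed directory content; attribute names are the posixAccount /
# groupOfUniqueNames ones (assumed; the post writes uid/gid).
USERS = {
    "uid=joe,ou=domain1,ou=accounts,dc=treeroot": {"uid": "joe", "uidNumber": 10001, "gidNumber": 11000},
    "uid=joe,ou=domain2,ou=accounts,dc=treeroot": {"uid": "joe", "uidNumber": 10002, "gidNumber": 11001},
}
GROUPS = {
    "cn=group1,ou=groups,dc=treeroot": {"cn": "group1", "gidNumber": 11000,
        "uniqueMember": ["uid=joe,ou=domain1,ou=accounts,dc=treeroot"]},
    "cn=group2,ou=groups,dc=treeroot": {"cn": "group2", "gidNumber": 11001,
        "uniqueMember": ["uid=joe,ou=domain2,ou=accounts,dc=treeroot"]},
    "cn=group3,ou=groups,dc=treeroot": {"cn": "group3", "gidNumber": 11002,
        "uniqueMember": ["uid=joe,ou=domain1,ou=accounts,dc=treeroot",
                         "uid=joe,ou=domain2,ou=accounts,dc=treeroot"]},
}

def norm_dn(dn):
    # DNs compare case-insensitively and may carry spaces after the commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def user_dn(login):
    """Map a domain-qualified login such as 'joe@domain1' to its DN.
    The domain selects the OU, so the two 'joe' accounts never collide."""
    uid, sep, domain = login.partition("@")
    if not sep or not domain:
        raise ValueError(f"login must be user@domain: {login!r}")
    dn = f"uid={uid},ou={domain},ou=accounts,dc=treeroot"
    if dn not in USERS:
        raise KeyError(login)
    return dn

def groups_for(login):
    """Return [(name, gid), ...]: the primary group (matched on gidNumber)
    first, then supplementary groups whose uniqueMember lists the user's DN."""
    dn = user_dn(login)
    primary_gid = USERS[dn]["gidNumber"]
    primary, supplementary = [], []
    for g in GROUPS.values():
        members = {norm_dn(m) for m in g["uniqueMember"]}
        if g["gidNumber"] == primary_gid:
            primary.append((g["cn"], g["gidNumber"]))
        elif norm_dn(dn) in members:
            supplementary.append((g["cn"], g["gidNumber"]))
    return primary + sorted(supplementary, key=lambda t: t[1])

def id_line(login):
    """Format the result like the 'id' output quoted in the post."""
    u = USERS[user_dn(login)]
    parts = [f"{u['uid']}({u['uidNumber']})"] + [f"{n}({g})" for n, g in groups_for(login)]
    return ", ".join(parts)
```

For joe@domain1 this yields "joe(10001), group1(11000), group3(11002)", the line Mark says he should be getting; an NSS/PAM client that only reads the user's own entry stops at group1.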

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
