I have freeradius and LDAP authenticating nicely. The problem I am
running into is that when I id a user, it only shows the primary group
that user is a member of. How can I get FreeRadius to report the other
groups that the user belongs to?
Mark Litchfield
Sorry I don't understand. Can you explain what you mean by "only shows
the primary group" and "report the other groups". Report to what?
Perhaps some radiusd -X output and an explanation of what you are trying
to do would help.
Using the following tree in LDAP:
dc: treeroot
|_ou: accounts
| |_ou: domain1
| | |_uid: joe
| |     mail: [EMAIL PROTECTED]
| |     uid: 10001
| |     gid: 11000
| |_ou: domain2
|   |_uid: joe
|       mail: [EMAIL PROTECTED]
|       uid: 10002
|       gid: 11001
|_ou: groups
  |_cn: group1
  |   uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
  |   gid: 11000
  |_cn: group2
  |   uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
  |   gid: 11001
  |_cn: group3
      uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
      uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot
      gid: 11002
When I "su" in as [EMAIL PROTECTED] and run "id" from the prompt I get:
joe(10001), group1(11000)
When I should get
joe(10001), group1(11000), group3(11002)
The overall desired effect:
1. System will support multiple domains.
2. Duplicate user names cannot exist within the same domain. (i.e. there can be only one username
"joe" per domain, but each domain can have a username "joe".)
3. Users can be members of several groups. Cross-domain group membership may be
supported. ([EMAIL PROTECTED] is a member of group1 and [EMAIL PROTECTED] is a
member of group2. Both of them are members of group3)
4. User / group authorization must be available to the filesystem / OS. I am
trying to replace the use of /etc/passwd and /etc/group for filesystem
permissions, login, etc.
Please, anyone, tell me if I am insane for attempting this, if this is even possible, or if there is an open-source alternative that will do all this and work with postfix and apache for user AAA. I would much rather get this to work in LDAP with FreeRadius.
On a side note, same topic... I have been looking for a way to do nested groups
in LDAP with FreeRadius. Is this possible and how?
BTW, I was unable to grab the radiusd -X output. The machine is not available to
me for a few days. Taking a short break before I snap.
Thanks
Mark Litchfield
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
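The group resolution the post is after (one user DN appearing in several groupOfUniqueNames entries, cross-domain, plus nested groups) can be shown offline. The script below is an added example written for this page; it is not code from the original post or from FreeRADIUS, and note that what id(1) prints is a question for the NSS side (nss_ldap or similar resolving supplementary groups by uniqueMember), not for the RADIUS server. The sample LDIF is constructed to mirror the tree in the post, with these assumptions not present in the original: gidNumber stands in for the post's "gid", group entries are groupOfUniqueNames, and group4/group5 are invented to show a nested group and a membership cycle that a naive resolver would loop on.

```python
import re
from collections import defaultdict, deque

# Constructed sample mirroring the post's tree. group4 and group5 are an
# added assumption: group4 nests group3 and the two groups reference each
# other, which exercises nested resolution and cycle handling.
SAMPLE_LDIF = """\
dn: uid=joe,ou=domain1,ou=accounts,dc=treeroot
uid: joe
uidNumber: 10001
gidNumber: 11000

dn: uid=joe,ou=domain2,ou=accounts,dc=treeroot
uid: joe
uidNumber: 10002
gidNumber: 11001

dn: cn=group1,ou=groups,dc=treeroot
cn: group1
gidNumber: 11000
uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot

dn: cn=group2,ou=groups,dc=treeroot
cn: group2
gidNumber: 11001
uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot

dn: cn=group3,ou=groups,dc=treeroot
cn: group3
gidNumber: 11002
uniqueMember: uid=joe,ou=domain1,ou=accounts,dc=treeroot
uniqueMember: uid=joe,ou=domain2,ou=accounts,dc=treeroot

dn: cn=group4,ou=groups,dc=treeroot
cn: group4
gidNumber: 11003
uniqueMember: cn=group3,ou=groups,dc=treeroot
uniqueMember: cn=group5,ou=groups,dc=treeroot

dn: cn=group5,ou=groups,dc=treeroot
cn: group5
gidNumber: 11004
uniqueMember: cn=group4,ou=groups,dc=treeroot
"""


def normalize_dn(dn):
    """Lower-case and strip whitespace around RDN separators so that a
    uniqueMember value like 'CN=group3, OU=groups,DC=treeroot' matches the
    DN stored on the entry. DN matching is case-insensitive in LDAP."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {lower-cased attr: [values]}}.
    Multi-valued attributes (several uniqueMember lines) accumulate; base64
    values and line folding are not handled because the sample has none."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        entries[normalize_dn(attrs["dn"][0])] = attrs
    return entries


def groups_of(entries, member_dn):
    """Every group listing member_dn as uniqueMember, directly or through
    nested groups. Breadth-first over a reverse index; the 'found' set stops
    the walk at cycles (group4 <-> group5) instead of looping forever."""
    listed_in = defaultdict(set)
    for dn, attrs in entries.items():
        for member in attrs.get("uniquemember", []):
            listed_in[normalize_dn(member)].add(dn)
    found, queue = set(), deque([normalize_dn(member_dn)])
    while queue:
        current = queue.popleft()
        for group_dn in listed_in.get(current, ()):
            if group_dn not in found:
                found.add(group_dn)
                queue.append(group_dn)  # a group may itself be a member
    return found


def id_output(entries, user_dn):
    """(uid, uidNumber, gidNumber, [(cn, gidNumber), ...]) as an id(1)-style
    lookup should report once supplementary groups are resolved. The group
    whose gidNumber equals the user's primary gid is listed first."""
    user = entries[normalize_dn(user_dn)]
    primary_gid = int(user["gidnumber"][0])
    groups = [(entries[g]["cn"][0], int(entries[g]["gidnumber"][0]))
              for g in groups_of(entries, user_dn)]
    groups.sort(key=lambda cg: (cg[1] != primary_gid, cg[1]))
    return user["uid"][0], int(user["uidnumber"][0]), primary_gid, groups


def format_id(entries, user_dn):
    """Render in the 'joe(10001), group1(11000), ...' shape used in the post."""
    uid, uidnum, _, groups = id_output(entries, user_dn)
    return f"{uid}({uidnum}), " + ", ".join(f"{cn}({gid})" for cn, gid in groups)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for dn in ("uid=joe,ou=domain1,ou=accounts,dc=treeroot",
               "uid=joe,ou=domain2,ou=accounts,dc=treeroot"):
        print(dn, "->", format_id(ENTRIES, dn))
```

Both joe entries resolve to group3 through their distinct DNs, so duplicate uid values across domains do not collide as long as the DN, not the uid, is what the group references. The reverse index is the same work a directory-backed NSS module does with a (uniqueMember=<dn>) search; building it once per lookup is fine for a toy, while a real deployment leans on the server's indexing of that attribute.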