ldapsearch -x cn=my_group
#
# filter: cn=my_group
# requesting: ALL
#

# my_group, group, lanl, gov
dn: cn=my_group,ou=group,dc=lanl,dc=gov
objectClass: groupOfNames
cn: my_group
member: employeeNumber=0067,ou=people,dc=lanl,dc=gov
member: employeeNumber=0068,ou=people,dc=lanl,dc=gov
...

----------------------------------
radiusd.conf (file)

...modules
    ldap My-group_Users {
        server = "ldap"
        net_timeout = 1
        timeout = 3
        timelimit = 4
        ldap_connections_number = 5
        basedn = "dc=lanl,dc=gov"
        #access_attr = "employeeNumber"
        # matches only when the user's DN is a member of the my_group entry
        filter = "(&(cn=my_group)(member=employeeNumber=%{Stripped-User-Name:-%{User-Name}},ou=people,dc=lanl,dc=gov))"
        start_tls = no
        groupname_attribute = cn
        groupmembership_filter = ""
        groupmembership_attribute = my_group
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        compare_check_items = yes
        access_attr_used_for_allow = yes
    }

...
authorize
    Autz-Type MY-GROUP {
        redundant {
            My-group_Users
            notfound = reject
        }
    }

----------------------------------
users (file)

...
DEFAULT NAS-IP-Address =~ "^123.123", Autz-Type := MY-GROUP

There's probably a better way, but this worked for what I wanted.

On Thu, 2005-09-29 at 03:10, Jean-Francois Gobin wrote:
> Hello there,
>
> I have a small problem. And I read the documentation. And I can't find
> what's wrong.
>
> I have a corporate LDAP with users and groups.
>
> Each group is a "groupOfUniqueNames", with "uniquemember".
> In the user definition, no group definition is set.
>
> I need to authenticate members of certain groups, and not of another ...
>
> Every doc I read mentions that you have to create an attribute "per user"
> ...
>
> Any other way ?
>
> Regards,
> Jean-Francois Gobin
>
> ----------
> Jean-Francois Gobin - Administrateur gobinjf.be
> http://www.gobinjf.be mailto:[EMAIL PROTECTED]
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
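
The membership check that the posted filter expresses, as an added Python example that is not part of the original thread or of FreeRADIUS. The function names are hypothetical and the group entry is a constructed copy of the ldapsearch output; the example assumes the login name is escaped first for the DN (RFC 4514) and then for the filter (RFC 4515), and `attr="uniquemember"` covers the groupOfUniqueNames case from the question.

```python
# Added example: the LDAP filter built for one login, and the check it expresses.
# Helper names are hypothetical; GROUP is a constructed copy of the entry above.
PEOPLE = "ou=people,dc=lanl,dc=gov"
GROUP = {"cn": "my_group",
         "member": ["employeeNumber=0067," + PEOPLE,
                    "employeeNumber=0068," + PEOPLE]}

def escape_dn_value(value):
    """RFC 4514: escape characters that would change the DN's structure."""
    chars = ["\\" + c if c in '\\,+"<>;' else c for c in value]
    if chars and chars[0] in (" ", "#"):
        chars[0] = "\\" + chars[0]
    if chars and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars).replace("\x00", "\\00")

def escape_filter_value(value):
    """RFC 4515: hex-escape the characters that are filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_dn(user_name, stripped_user_name=None):
    # %{Stripped-User-Name:-%{User-Name}}: Stripped-User-Name if set, else User-Name
    name = stripped_user_name or user_name
    return "employeeNumber=%s,%s" % (escape_dn_value(name), PEOPLE)

def group_filter(group_cn, user_name, stripped_user_name=None, attr="member"):
    """Filter string in the shape of the posted one; attr selects the member attribute."""
    dn = escape_filter_value(member_dn(user_name, stripped_user_name))
    return "(&(cn=%s)(%s=%s))" % (escape_filter_value(group_cn), attr, dn)

def is_authorized(entry, group_cn, user_name, stripped_user_name=None, attr="member"):
    """What the filter asks the server: right group AND this exact DN is listed.
    Simplified matching: case-insensitive string comparison of cn and DN."""
    dn = member_dn(user_name, stripped_user_name).lower()
    return (entry["cn"].lower() == group_cn.lower()
            and dn in (m.lower() for m in entry.get(attr, [])))

if __name__ == "__main__":
    for user in ("0067", "0069", "*", "0067,ou=x"):
        print(user, is_authorized(GROUP, "my_group", user),
              group_filter("my_group", user))
```

A name containing `*`, parentheses or a comma ends up as a literal value inside the filter, so it can only match a member DN that really contains those characters.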