-----Original Message-----
From: [EMAIL PROTECTED] g [mailto:[EMAIL PROTECTED] adius.org] On Behalf Of Alexei Monastyrnyi
Sent: Tuesday, 22 August 2006 07:12
To: FreeRadius users mailing list
Subject: groupmembership_filter for LDAP module

Hi List.

I am trying to enable group filter to allow only certain LDAP users to be able to login to my VPN hub. I run FreeRADIUS 1.0.2 on SPARC Solaris 9.

All users are in group cn=vpnusers,ou=group,dc=mydomain,dc=com listed as "memberUid"s.

In radiusd.conf I have the following:

    filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))
    groupmembership_attribute = "vpnusers"

It doesn't seem to work: no sign of searching for "vpnusers" in LDAP server logs, and users that are not in this group are still able to log in.

I may be missing something... Hints of where to look would be highly appreciated.

Cheers,
A.

Reply:

1. You need to have an LDAP-Group check item in users:

    DEFAULT LDAP-Group == vpnusers
            Service-Type = Administrative-User

2. You need groupname_attribute. This is ANDed to the filter to provide (below).

    groupname_attribute = cn

3. Your filter is overcomplicated, all you need is this:

    (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))

The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2.

That's it. As long as the other stuff is right, like the binddn and the base dn, this should at least generate ldap activity in the radiusd -X output.

Regards,
Frank Ranner

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html