I have set up a VPN pointing to a FreeRadius server and have it authenticating successfully against my LDAP server, but I would also like to limit access to only those people who are a member of the VPN group.
Normally, this would be simple, but because of the LDAP server I am using, the hierarchy looks like this:

User Account:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(uid=firstname.lastname)"
    dn: uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN
    uidNumber: 1024
    ...

Group entry is:

    ldapsearch -h ldap -x -b "dc=MY,dc=DOMAIN" "(cn=VPN Users)"
    dn: cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN
    memberUid: 1024
    ...

So I need to somehow configure Radius to search on me, get my uidNumber and then search on the group.

If I skip the searching to get the uidNumber, I can configure the Radius (for this single account) correctly. In the ldap module I include:

    ...
    groupname_attribute = cn
    groupmembership_filter = "(memberUid=1024)"

with the following entry in the users file:

    DEFAULT Auth-Type = LDAP
            Fall-Through = 1

    DEFAULT LDAP-Group == "VPN Users"
            Service-Type = Administrative-User

and this works as expected, but is there any way I can substitute the 1024 for an ldap search result so I can dynamically return the uidNumber for the %{User-Name} field?

Thanks!

Cheers,
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
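As an added, stand-alone illustration of the two-step lookup the question asks for (this is not FreeRADIUS code and not from the thread), the script below runs against a constructed in-memory directory that mirrors the schema in the post: it resolves the uid to its uidNumber, builds the memberUid filter from that number instead of the hard-coded 1024, and escapes the User-Name per RFC 4515 before it is placed in a filter. The DIRECTORY contents, including the extra other.user entry, are constructed sample data.

```python
import re

# Constructed in-memory stand-in for the directory in the post (not a real server).
DIRECTORY = {
    "uid=firstname.lastname,ou=people,dc=MY,dc=DOMAIN": {
        "uid": ["firstname.lastname"], "uidNumber": ["1024"]},
    "uid=other.user,ou=people,dc=MY,dc=DOMAIN": {
        "uid": ["other.user"], "uidNumber": ["1025"]},
    "cn=VPN Users,ou=groups,dc=MY,dc=DOMAIN": {
        "cn": ["VPN Users"], "memberUid": ["1024"]},
}

def ldap_escape(value):
    """RFC 4515 escaping: a User-Name must not be able to change the filter shape."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse_equality_filter(flt):
    """Accept only a single (attr=value) filter; decode \\xx escapes back to characters."""
    m = re.fullmatch(r"\((\w+)=((?:[^\\()*]|\\[0-9a-fA-F]{2})*)\)", flt)
    if not m:
        raise ValueError("unsupported or malformed filter: " + flt)
    attr, raw = m.groups()
    return attr, re.sub(r"\\([0-9a-fA-F]{2})",
                        lambda x: chr(int(x.group(1), 16)), raw)

def search(base, flt):
    """Stand-in for: ldapsearch -b <base> "<flt>"  (exact equality match only)."""
    attr, value = parse_equality_filter(flt)
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith(base) and value in e.get(attr, [])]

def lookup_uid_number(user_name):
    """Step 1: resolve the RADIUS User-Name to its uidNumber (fail closed unless unique)."""
    hits = search("ou=people,dc=MY,dc=DOMAIN", "(uid=%s)" % ldap_escape(user_name))
    return hits[0][1]["uidNumber"][0] if len(hits) == 1 else None

def group_filter(uid_number):
    """The dynamic replacement for the hard-coded groupmembership_filter "(memberUid=1024)"."""
    return "(memberUid=%s)" % ldap_escape(uid_number)

def in_vpn_group(user_name, group_cn="VPN Users"):
    """Step 2: is the resolved uidNumber listed as memberUid of the named group?"""
    uid_number = lookup_uid_number(user_name)
    if uid_number is None:
        return False
    return any(group_cn in entry.get("cn", [])
               for _, entry in search("ou=groups,dc=MY,dc=DOMAIN", group_filter(uid_number)))

if __name__ == "__main__":
    for name in ("firstname.lastname", "other.user", "nobody", "*"):
        print("%-20s uidNumber=%-5s vpn=%s" % (name, lookup_uid_number(name), in_vpn_group(name)))
```

The escaping step is the part worth keeping whichever server issues the two searches: without it, a User-Name containing filter metacharacters could widen the first lookup instead of matching one account.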