Background:
When a user associates with the SSID Guest, the user will authenticate against a FreeRadius server. If he has a university account, the FreeRadius server will authenticate him via LDAP. If he does not have a university account, the FreeRadius server will do the authentication with a guest account database.

Goal:
To reduce the chance to do the LDAP search, the LDAP-group search is successful if the user is in LDAP, no matter which LDAP group he is in.

My shot and the problem:
I am trying to do a wildcard search in the LDAP-Group search, but it looks like the wildcard does not work.

Related entries in the file users:

    <omitted>
    DEFAULT Called-Station-Id =~ ".*Guest", myldap-Ldap-Group == "*", Autz-Type := Ldap1, Auth-Type := Ldap1
    DEFAULT Called-Station-Id =~ ".*Guest", Group == "guest", Autz-Type := Web, Auth-Type := System
    <omitted>

Debug output:

    <output omitted>
    rlm_ldap: performing search in ou=people,dc=myuniv,dc=ca, with filter (&(cn=*)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
    <output omitted>
    rlm_ldap::groupcmp: Group * not found or user not a member
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[files] returns noop
    rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
    ++[pap] returns noop
    auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    auth: Failed to validate the user.
    Login incorrect: [cxu] (from client localhost port 0)
    Delaying reject of request 0 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 0

Questions:
1. Is there any way to make the wildcard LDAP-group search work?
2. Could unlang be applied here, and how?
3. Any advice?

Thanks!
Andrew
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html