Greetings,

I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap module. I only want to authenticate users in a certain group. These groups exist in LDAP as a "posixGroup" with a "memberUID" list. As I have it configured currently, I get an "Access-Accept" for any user in the directory.

The ldap module is configured as such:

ldap {
    server = "192.168.1.99"
    identity = "cn=admin,dc=corp,dc=example,dc=com"
    password = s3cret
    basedn = "dc=corp,dc=example,dc=com"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    ldap_connections_number = 5

    timeout = 4

    timelimit = 3

    net_timeout = 1

    tls {
        start_tls = no
    }

    dictionary_mapping = ${confdir}/ldap.attrmap

    edir_account_policy_check = no

    groupname_attribute = cn
    groupmembership_attribute = NOC
    groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))

}

I've also seen recommendations to add something like this to the users file:
DEFAULT LDAP-Group == NOC
        Service-Type = Administrative-User

Now I can see the Service-Type displayed when I do a radtest using the username/password of users in the "NOC" group, but I still see an "Access-Accept" for users who are not in the group.

How can I make the server reject users that aren't in the NOC group? Any hints would be fantastic.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
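One way to get the rejection the post asks for, as an added example that is not part of the original message: the `users` file is processed top to bottom and stops at the first entry whose check items match (unless that entry sets `Fall-Through = Yes`), so a catch-all `DEFAULT` entry placed after the group entry rejects everyone the `LDAP-Group` check did not match. It assumes FreeRADIUS 2.x semantics and that both `ldap` and `files` are enabled in the `authorize` section.

```text
# raddb/users (FreeRADIUS 2.x). Entries are tried in order; the first entry
# whose check items match is used and processing stops there.

# Members of the NOC posixGroup (matched through the ldap module's
# groupmembership_filter) are accepted and get the administrative Service-Type.
DEFAULT LDAP-Group == "NOC"
        Service-Type = Administrative-User

# Anyone who did not match the entry above lands here and is rejected.
# Auth-Type := Reject is a control item, so it goes on the first line.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of the NOC group"
```

Run `radiusd -X` and repeat the radtest with a non-NOC user: the debug output should show the second `DEFAULT` entry matching and an `Access-Reject` being sent.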
