This is how I have done it: http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html
Works a treat for me.

On Wed, Aug 4, 2010 at 11:27 AM, Cory Johnson <cjohn...@commspeed.net> wrote:

> Greetings,
>
> I am running FreeRADIUS 2.1.8 on Ubuntu 8.04, attempting to use the ldap
> module. I only want to authenticate users in a certain group. These groups
> exist in LDAP as a "posixGroup" with a "memberUID" list. As I have it
> configured currently, I get an "Access-Accept" for any user in the
> directory.
>
> The ldap module is configured as such:
>
> ldap {
>     server = "192.168.1.99"
>     identity = "cn=admin,dc=corp,dc=example,dc=com"
>     password = s3cret
>     basedn = "dc=corp,dc=example,dc=com"
>     filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>
>     ldap_connections_number = 5
>
>     timeout = 4
>
>     timelimit = 3
>
>     net_timeout = 1
>
>     tls {
>         start_tls = no
>     }
>
>     dictionary_mapping = ${confdir}/ldap.attrmap
>
>     edir_account_policy_check = no
>
>     groupname_attribute = cn
>     groupmembership_attribute = NOC
>     groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
> }
>
> I've also seen recommendations to add something like this to the users file:
>
> DEFAULT LDAP-Group == NOC
>         Service-Type = Administrative-User
>
> Now I can see the service-type displayed when I do a radtest using the
> username/password of users in the "NOC" group, but I still see an
> "Access-Accept" for users who are not in the group.
>
> How can I make the server reject users that aren't in the NOC group? Any
> hints would be fantastic.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
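One way to get the rejection the question asks for, added here as an example and not taken from the thread or from the linked message: a users file for FreeRADIUS 2.x in which the first DEFAULT entry matches NOC members and a second catch-all DEFAULT rejects everyone else, because the files module stops at the first matching entry unless that entry sets Fall-Through. The group name NOC and the attribute names come from the post; the Reply-Message text is my own, and the block assumes the ldap module is enabled in the authorize section of sites-enabled/default.

```unlang
# /etc/freeradius/users  (read by the "files" module, FreeRADIUS 2.x syntax)
#
# Entries are tried in order. The first DEFAULT whose check items all match
# is used and the remaining entries are skipped unless it sets
# Fall-Through = Yes.

# 1. Members of the NOC posixGroup. LDAP-Group is the comparison registered
#    by rlm_ldap; evaluating it runs groupmembership_filter from the ldap { }
#    block against the directory for the current user.
DEFAULT LDAP-Group == "NOC"
        Service-Type = Administrative-User

# 2. Everyone else. Forcing Auth-Type to Reject stops the request in
#    authorize, so no password check is attempted. Without this catch-all
#    the users file only adds a reply attribute for NOC members and says
#    nothing about non-members, which is why they still get Access-Accept.
#    (Assumption: ldap is listed in authorize so NOC members get Auth-Type LDAP.)
DEFAULT Auth-Type := Reject
        Reply-Message = "Access restricted to members of the NOC group"
```

Run radiusd -X and test with radtest for one NOC user and one non-member: the non-member's debug output should show the second DEFAULT matching and an Access-Reject carrying the Reply-Message.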