Hello,
my aim is that only one group of the Active Directory gets access and the others are rejected. I have read in this thread: http://freeradius.1045715.n5.nabble.com/Conditional-attributes-with-AD-td5541373.html that you can use the ldap module to check group membership and check the output of the check. I use this filter in the group membership check:

    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{<where the group in the ad is>}))"
    groupmembership_attribute = memberOf

I get this output from the FreeRADIUS debug:

[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=domain,dc=de, with filter (sAMAccountName=heinrich)
[ldap] rebind to URL ldap://domain.de/CN=Configuration,DC=domain,DC=de
[ldap] ldap_release_conn: Release Id: 0
expand: (&(objectClass=group)(member=%{control:cn=group,cn=users,dc=domain,dc=de})) -> (&(objectClass=group)(member=))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in cn=group,cn=users,dc=aos-stade,dc=de, with filter (&(objectClass=group)(member=))
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=Heinrich\, Sebastian,CN=Users,DC=aos-stade,DC=de, with filter (objectclass=*)
[ldap] performing search in CN=group1,CN=Users,DC=aos-stade,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group2,CN=group4,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group3,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group,CN=Users,DC=domain,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
[ldap] performing search in CN=group,CN=group4,CN=Users,DC=aos-stade,DC=de, with filter (cn=cn=group,cn=users,dc=domain,dc=de)
[ldap] object not found
rlm_ldap::groupcmp: Group cn=group,cn=users,dc=aos-stade,dc=de not found or user not a member
[ldap] ldap_release_conn: Release Id: 0

I have written this in my inner-tunnel:

    if (!(Ldap-Group == 'cn=group,cn=users,dc=domain,dc=de')) {
        update config {
            Auth-Type := Reject
        }
    }

Can anybody help me? As I understand the debug, the group is checked but the user isn't a member of it. I am totally sure that I am a member of the group.

Best Regards
Sebastian Heinrich
Techn. DV
Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade
email s.heinr...@aos-stade.de
web http://www.aos-stade.de
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
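As an added illustration (not part of this message and not the FreeRADIUS project's shipped configuration), this is what a working rlm_ldap group restriction for Active Directory looks like on FreeRADIUS 2.x: the groupmembership_filter is evaluated with the group entry as the search base, so its member= clause has to carry the user's own DN, which rlm_ldap stores in the control-list attribute Ldap-UserDn after its user search. The server, identity, password, basedn and group DN values are placeholders.

```text
# modules/ldap (placeholder connection values)
ldap {
    server   = "dc01.example.com"
    identity = "cn=radius,cn=users,dc=example,dc=com"
    password = "CHANGE-ME"
    basedn   = "dc=example,dc=com"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Group check: match the group object whose member attribute holds
    # the user's DN. Ldap-UserDn is set in the control list by the user
    # search above, so it is only valid once "ldap" has run in authorize.
    groupname_attribute       = cn
    groupmembership_filter    = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    # Fallback: read group DNs from the user's memberOf attribute.
    groupmembership_attribute = memberOf
}

# sites-enabled/inner-tunnel, authorize section. The group comparison
# must come after the "ldap" call; "vpn-users" is a placeholder group.
authorize {
    # ... other modules ...
    ldap
    if (!(Ldap-Group == "cn=vpn-users,cn=users,dc=example,dc=com")) {
        update control {
            Auth-Type := Reject
        }
    }
    # ... remaining modules ...
}
```

When testing with radiusd -X, the "expand:" debug line should show the user's DN inside member= rather than an empty value; an empty expansion means the filter references an attribute that has not been set.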