RE: LDAP groups send reply
You need to store them in ldap with the +=. Now you probably have it like this:

dn: ...
securityrole: testgroup1
securityrole: testgroup2
securityrole: Users

change it to this

dn: ...
securityrole: testgroup1
securityrole: += testgroup2
securityrole: += Users

That should send back all of them. If it's easier you could make them all += if you'd like and it should still work.

-Dusty Doris

On Fri, 18 Jun 2004, Rivera, Denis wrote:

> Thank you for the reply.
> Here is the output from radius. The problem I'm having is that only one group
> name is returned. As shown below I have value testgroup2 and users not being
> returned.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
> User-Name = "testuser"
> User-Password = "test123"
> modcall: entering group authorize for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'o=PUSD,c=US'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
> rlm_ldap: bind as / to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding ntPassword as NT-Password, value
> C5A237B7E9D8E708D8436B6148A25FA1 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 & op=11
> rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 & op=11
> rlm_ldap: Adding securityRole as Filter-Id, value Users & op=11
> rlm_ldap: user testuser authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "files" returns notfound for request 0
> modcall[authorize]: module "eap" returns noop for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authenticate for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "test123"
> rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123
> to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user testuser authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Login OK: [testuser/test123] (from client edcenter port 0)
> Sending Access-Accept of id 3 to 10.32.2.108:1142
> Filter-Id = "testgroup1"
> Finished request 0
>
>
> > -----Original Message-----
> > From: Dustin Doris [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 17, 2004 11:12 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: LDAP groups send reply
> >
> > > > > Hello,
> > > > > I would like to know if this is possible
> > > > > Send a Class or Filter-Id attribute to the NAS, with the content
> > > > > being the names of the LDAP groups to which the user belongs.
> > > > >
> > > > > Thank you,
> > > > > denis
> > > > >
> > > >
> > > > How does the NAS expect the group to come back?
> > > >
> > > > Class:
> > >
> > Sorry, I guess I hit send too early. What I meant was what radius
> > attribute the nas is expecting for the groups? An example could be the
> > radius attribute Class.
> >
> > In that case, you would make sure the following is in ldap.attrmap
> > replyItem Class radiusClass
> >
> > Then in your ldap directory, you would store the reply items.
> >
> > radiusClass: "OU=group.com;"
> >
> > The one above is an example for Cisco VPN concentrators.
> >
> > Need to add more use +=, read the man page on users.
> >
> >
> > -Dusty Doris

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
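The thread's symptom (three Filter-Id values found in the directory, one sent back) follows from how FreeRADIUS merges reply items: per the users(5) man page, `Attribute = Value` adds the item only if no item of that attribute is already in the reply, while `Attribute += Value` always appends, which is why Dusty's advice is to prefix the extra securityrole values with `+=`. The script below is an added example, written for this editing pass and not code from the FreeRADIUS project or from any of the posters. It parses the rlm_ldap debug lines quoted in the thread, applies the `=`, `+=` and `:=` rules in order, and shows the reply both as the directory entry currently produces it and as it would come out after the `+=` change. It assumes that the `op=N` numbers in the debug output follow the FreeRADIUS 1.x token table (op=11 for `=`, op=8 for `+=`, op=10 for `:=`, op=21 for the `==` used on check items); the sample log lines are constructed from the quoted debug output.

```python
"""Model FreeRADIUS reply-item operator semantics against rlm_ldap debug output.

Added example (not FreeRADIUS code). Operator rules are those documented in
users(5): '=' adds only if the attribute is absent, '+=' always appends,
':=' replaces. The op-number mapping is an assumption based on the
FreeRADIUS 1.x token numbering as printed by rlm_ldap's "op=N" debug lines.
"""
import re
from typing import Dict, List, Tuple

# Assumed FreeRADIUS 1.x token numbers as printed in rlm_ldap "op=N" output.
OP_NAMES = {8: "+=", 9: "-=", 10: ":=", 11: "=", 21: "=="}

# Matches e.g. "rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 & op=11"
ADDING = re.compile(
    r"Adding \S+ as (?P<attr>[\w-]+), value (?P<value>.+?) & op=(?P<op>\d+)\s*$"
)

Item = Tuple[str, str, str]  # (RADIUS attribute, value, operator)


def parse_ldap_debug(lines: List[str]) -> Tuple[List[Item], List[Item]]:
    """Split rlm_ldap 'Adding ...' lines into (check_items, reply_items).

    rlm_ldap announces "looking for check items" before the check section
    and "looking for reply items" before the reply section, so the section
    headers decide which list an 'Adding' line belongs to.
    """
    check: List[Item] = []
    reply: List[Item] = []
    section = check
    for line in lines:
        if "looking for check items" in line:
            section = check
        elif "looking for reply items" in line:
            section = reply
        m = ADDING.search(line)
        if m:
            op = OP_NAMES.get(int(m.group("op")), "?")
            section.append((m.group("attr"), m.group("value"), op))
    return check, reply


def merge_reply(items: List[Item]) -> Dict[str, List[str]]:
    """Apply users(5) reply-item operator rules to the items in order."""
    reply: Dict[str, List[str]] = {}
    for attr, value, op in items:
        if op == "=":
            # Add only when no instance of this attribute is in the reply yet;
            # this is why only the first Filter-Id survives in the thread.
            reply.setdefault(attr, [value])
        elif op == "+=":
            # Always append another instance of the attribute.
            reply.setdefault(attr, []).append(value)
        elif op == ":=":
            # Replace any existing value(s).
            reply[attr] = [value]
        else:
            raise ValueError(f"unsupported reply operator {op!r} for {attr}")
    return reply


def with_operator(items: List[Item], op: str) -> List[Item]:
    """Return the same items as they would appear after storing them with `op`
    in the directory (e.g. 'securityrole: += testgroup2')."""
    return [(attr, value, op) for attr, value, _ in items]


# Constructed sample: the relevant lines from the debug output quoted in the thread.
SAMPLE_DEBUG = [
    "rlm_ldap: looking for check items in directory...",
    "rlm_ldap: Adding ntPassword as NT-Password, value C5A237B7E9D8E708D8436B6148A25FA1 & op=21",
    "rlm_ldap: looking for reply items in directory...",
    "rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 & op=11",
    "rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 & op=11",
    "rlm_ldap: Adding securityRole as Filter-Id, value Users & op=11",
]


def main() -> None:
    check, reply = parse_ldap_debug(SAMPLE_DEBUG)
    print("check items:", check)
    print("reply with '=' (as stored now):", merge_reply(reply))
    print("reply with '+=' (after the change):", merge_reply(with_operator(reply, "+=")))


if __name__ == "__main__":
    main()
```

Running it shows `{'Filter-Id': ['testgroup1']}` for the entry as stored and `{'Filter-Id': ['testgroup1', 'testgroup2', 'Users']}` once the values carry `+=`, matching the single `Filter-Id = "testgroup1"` in the Access-Accept above. The same merge logic applies whichever attribute the NAS expects, so it can be used to predict the effect of storing `Class` values via the `replyItem Class radiusClass` attrmap line mentioned earlier in the thread.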
Re: LDAP groups send reply
"Rivera, Denis" <[EMAIL PROTECTED]> wrote:
> Here is the output from radius. The problem I'm having is that only one group
> name is returned. As shown below I have value testgroup2 and users not being
> returned.

Put them in quotes. "group1 group2"

Alan DeKok.
RE: LDAP groups send reply
Thank you for the reply.
Here is the output from radius. The problem I'm having is that only one group name is returned. As shown below I have value testgroup2 and users not being returned.

Ready to process requests.
rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
User-Name = "testuser"
User-Password = "test123"
modcall: entering group authorize for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for testuser
radius_xlat: '(uid=testuser)'
radius_xlat: 'o=PUSD,c=US'
ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
rlm_ldap: bind as / to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding ntPassword as NT-Password, value C5A237B7E9D8E708D8436B6148A25FA1 & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 & op=11
rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 & op=11
rlm_ldap: Adding securityRole as Filter-Id, value Users & op=11
rlm_ldap: user testuser authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall[authorize]: module "eap" returns noop for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
modcall: entering group authenticate for request 0
rlm_ldap: - authenticate
rlm_ldap: login attempt by "testuser" with password "test123"
rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123 to 127.0.0.1:389
rlm_ldap: waiting for bind result ...
rlm_ldap: user testuser authenticated succesfully
modcall[authenticate]: module "ldap" returns ok for request 0
modcall: group authenticate returns ok for request 0
Login OK: [testuser/test123] (from client edcenter port 0)
Sending Access-Accept of id 3 to 10.32.2.108:1142
Filter-Id = "testgroup1"
Finished request 0

> -----Original Message-----
> From: Dustin Doris [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 17, 2004 11:12 AM
> To: '[EMAIL PROTECTED]'
> Subject: Re: LDAP groups send reply
>
> > > > Hello,
> > > > I would like to know if this is possible
> > > > Send a Class or Filter-Id attribute to the NAS, with the content
> > > > being the names of the LDAP groups to which the user belongs.
> > > >
> > > > Thank you,
> > > > denis
> > > >
> > >
> > > How does the NAS expect the group to come back?
> > >
> > > Class:
> >
> Sorry, I guess I hit send too early. What I meant was what radius
> attribute the nas is expecting for the groups? An example could be the
> radius attribute Class.
>
> In that case, you would make sure the following is in ldap.attrmap
> replyItem Class radiusClass
>
> Then in your ldap directory, you would store the reply items.
>
> radiusClass: "OU=group.com;"
>
> The one above is an example for Cisco VPN concentrators.
>
> Need to add more use +=, read the man page on users.
>
>
> -Dusty Doris
Re: LDAP groups send reply
That's probably a bad idea. It would take too long to authenticate if you have a lot of groups. You can send a reply item:

users file
...
DEFAULT (your check items here)
        Filter-Id = "profile=switch_profile_name",
...

On Thu, 2004-06-17 at 11:16, Rivera, Denis wrote:
> Hello,
> I would like to know if this is possible
> Send a Class or Filter-Id attribute to the NAS, with the content
> being the names of the LDAP groups to which the user belongs.
>
> Thank you,
> denis
Re: LDAP groups send reply
> > Hello,
> > I would like to know if this is possible
> > Send a Class or Filter-Id attribute to the NAS, with the content
> > being the names of the LDAP groups to which the user belongs.
> >
> > Thank you,
> > denis
> >
>
> How does the NAS expect the group to come back?
>
> Class:

Sorry, I guess I hit send too early. What I meant was what radius attribute the nas is expecting for the groups? An example could be the radius attribute Class.

In that case, you would make sure the following is in ldap.attrmap

replyItem Class radiusClass

Then in your ldap directory, you would store the reply items.

radiusClass: "OU=group.com;"

The one above is an example for Cisco VPN concentrators.

Need to add more use +=, read the man page on users.

-Dusty Doris
Re: LDAP groups send reply
> Hello,
> I would like to know if this is possible
> Send a Class or Filter-Id attribute to the NAS, with the content
> being the names of the LDAP groups to which the user belongs.
>
> Thank you,
> denis
>

How does the NAS expect the group to come back?

Class: