RE: groupmembership_filter for LDAP module [sec: unclas]

2006-08-22 Thread Ranner, Frank MR
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alexei Monastyrnyi
Sent: Tuesday, 22 August 2006 07:12
To: FreeRadius users mailing list
Subject: groupmembership_filter for LDAP module

Hi List.

I am trying to enable group filter to allow only certain LDAP users to
be able to login to my VPN hub.

I run FreeRADIUS 1.0.2 on SPARC Solaris 9

All users are in group
cn=vpnusers,ou=group,dc=mydomain,dc=com
listed as memberUids

In radiusd.conf I have the following

filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_filter = (&(&(cn=vpnusers)(objectClass=posixGroup))(memberUid=%{Stripped-User-Name:-%{User-Name}}))

groupmembership_attribute = vpnusers

It doesn't seem to work: there is no sign of a search for vpnusers in the
LDAP server logs, and users that are not in this group are still able to
log in.

I may be missing something... Hints of where to look would be highly
appreciated.

Cheers,
A.

Reply:

1. You need to have an LDAP-Group check item in users:

DEFAULT LDAP-Group == vpnusers
	Service-Type = Administrative-User


2. You need groupname_attribute. This is ANDed to the filter (see item 3 below).
groupname_attribute = cn

3. Your filter is overcomplicated, all you need is this:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
   The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and 2.

That's it. As long as the other stuff is right, like the binddn and the base
dn, this should at least generate ldap activity in the radiusd -X output.

Regards,
Frank Ranner

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
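As an added example of the mechanism Frank describes in items 1 to 3 (this is not code from the thread or from FreeRADIUS itself, but a simplified Python model of it): the group name from the LDAP-Group check item is ANDed, through groupname_attribute, with the expanded groupmembership_filter, and the user name substituted by the %{Stripped-User-Name:-%{User-Name}} xlat is escaped per RFC 4515 so a name containing filter metacharacters cannot change the shape of the search. The function and variable names are the example's own.

```python
# Constructed from the thread's config, with the "&" the list archive dropped.
GROUPMEMBERSHIP_FILTER = (
    "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
)
GROUPNAME_ATTRIBUTE = "cn"

# RFC 4515 filter-value escaping: a substituted user name must stay a literal
# value and never add or close filter components.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def xlat(template: str, request: dict) -> str:
    """Expand %{Attr} and %{Attr:-default}; the default may itself be an xlat,
    as in %{Stripped-User-Name:-%{User-Name}}. Substituted values are
    LDAP-escaped; an absent attribute with no default expands to ""."""
    out, i = [], 0
    while i < len(template):
        if not template.startswith("%{", i):
            out.append(template[i])
            i += 1
            continue
        depth, j = 0, i
        while j < len(template):  # find the brace that closes this xlat
            if template.startswith("%{", j):
                depth, j = depth + 1, j + 2
                continue
            if template[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        else:
            raise ValueError("unterminated xlat in %r" % template)
        attr, sep, default = template[i + 2:j].partition(":-")
        if attr in request:
            out.append(ldap_escape(request[attr]))
        elif sep:
            out.append(xlat(default, request))
        i = j + 1
    return "".join(out)

def group_check_filter(group: str, request: dict) -> str:
    """The search rlm_ldap issues for an 'LDAP-Group == group' check item: the
    group name, via groupname_attribute, ANDed with groupmembership_filter."""
    return "(&(%s=%s)%s)" % (
        GROUPNAME_ATTRIBUTE, ldap_escape(group), xlat(GROUPMEMBERSHIP_FILTER, request))
```

With a request that carries only User-Name, the :- default is taken, which is why the same filter works for realm-stripped and unstripped logins alike.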


Re: groupmembership_filter for LDAP module [sec: unclas]

2006-08-22 Thread Alexei Monastyrnyi

Thanks for your advice!

Something is still missing

Here is what I have in LDAP section of radiusd.conf

   basedn = dc=mydomain,dc=com
   filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
   groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
   groupname_attribute = cn

And in users

DEFAULT Auth-Type = LDAP
DEFAULT LDAP-Group == vpnusers
	Service-Type = Administrative-User

radiusd -X says the following when reading the LDAP section:

...
ldap: basedn = dc=mydomain,dc=com
ldap: filter = (&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))
ldap: base_filter = (objectclass=radiusprofile)
ldap: default_profile = (null)
ldap: profile_attribute = (null)
ldap: password_header = (null)
ldap: password_attribute = (null)
ldap: access_attr = (null)
ldap: groupname_attribute = cn
ldap: groupmembership_filter = (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
ldap: groupmembership_attribute = (null)
ldap: dictionary_mapping = /usr/local/etc/raddb/ldap.attrmap
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = yes
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
...

But it says nothing about any search for the vpnusers group during login,
which is still successful for users outside the group.


A.

on 8/22/2006 9:47 AM Ranner, Frank MR wrote: