ks, unfortunately.
> What I would like to do is write it like that:
>
> DEFAULT Ldap-Group == “cn=groupname, ou=OUofGroup, dc=toto, dc=tata”
No. The LDAP group is the name of the group. Nothing else.
> If anyone got some insight on how to solve this problem, I would greatly
> app
Hi,
I'm in an Active Directory domain with a child domain: tata is my primary domain and
toto is my child domain.
I'm doing authorization based on LDAP group.
My users connect to FreeRADIUS using 802.1X and PEAP.
Using mschap and ntlm this is working great.
Now I want to give users access
Hi
I have read more and more about my problem, but I didn't find any useful answer.
I have freeradius-2.1.10 and I configured it with Active Directory. I
know about OpenLDAP and the RADIUS profile, and that good attributes exist
under OpenLDAP for RADIUS purposes.
Now i'm able to find ldap-
Does anybody have another idea?
>
> Ldap-Group isn't a "real" attribute. It is a virtual attribute, that
> triggers a search in the directory when you compare to it.
>
> So you can't do this.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradiu
On 06/02/12 15:53, Cornelius Kölbel wrote:
... but it seems that the ldap_groupcmp does not support pattern matching?
Am I right, or does anybody have another idea?
Ldap-Group isn't a "real" attribute. It is a virtual attribute, that
triggers a search in the directory when yo
Hello list,
I'd like to set the Filter-Id in the response based on an LDAP group.
authorize {
    if ( Ldap-Group =~ /CN=group1,ou=groups,dc=company,dc=com/ ) {
        update control {
            Tmp-String-1 := "group1"
        }
    }
}
post-auth {
    update reply {
On 24 Jan 2012, at 09:05, NdK wrote:
> On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
>
>>> But how do I set Tunnel-Private-Group-Id from an
>>> exec-ed script?
>> Just execute it using a backticks expansion, store the result in
>> Tmp-String-0 then use regular expression matches over the
On 01/24/2012 08:48 AM, Arran Cudbard-Bell wrote:
[snip]
IIRC the LDAP Module is actually smart enough to figure out whether you passed in a DN as
a group or just a groupname, so in theory if you have the filters and search depth set
correctly you can just use Ldap-Group == "mygroup"
On 24/01/2012 08:48, Arran Cudbard-Bell wrote:
>> But how do I set Tunnel-Private-Group-Id from an
>> exec-ed script?
> Just execute it using a backticks expansion, store the result in Tmp-String-0
> then use regular expression matches over the result to figure out whether it
> contains a c
On 24 Jan 2012, at 08:23, NdK wrote:
> On 23/01/2012 14:48, Arnaud Loonstra wrote:
>
>> But I reckon you could also do something like that in post-auth section
>> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>> update reply {
>>Tun
On 23/01/2012 14:48, Arnaud Loonstra wrote:
> But I reckon you could also do something like that in post-auth section
> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
> update reply {
> Tunnel-type = VLAN
> Tunnel-medium-type = IEEE-802
>
eeded
somewhere else?
Thank you very much,
James
Hi James,
I don't know anything about AD and I presume you are using the latest FR.
I'm currently testing an ldap-group check in authorize using unlang:
This is part of a switch statement:
case 'NAS-Prompt-User' {
my-ldap
#Che
Hi,
I've successfully set up a radius server to support 802.1x
authentication using peap mschapv2 and samba to authenticate users
against AD.
To do this I followed configuration on the freeradius.org website and
the AD integration howto on deployingradius.com, thank you very much
for writing these
that has handled the communication for LDAP group extends
fails. But failover took 15 minutes. That's much too long for
us. (1-3 minutes at most would be acceptable, "zero outage"
would be gorgeous/expected)
It should not take 15 minutes.
What is your "net_timeout" set to?
net_time
cate:
>>>
>>> With this config another LDAP server is chosen if the one that has
>>> handled the communication for LDAP group extends fails. But failover took
>>> 15 minutes. That's much too long for us.
>>> (1-3 minutes at most will be acceptable,
> Just a gap of our users file, we have 18 default lines and additional 4 for a
> local/PAP user:
>
>
> DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group ==
> ""
> Login-Service = Telnet
>
FWIW, since it's the LDAP-Group attrib
> I will try to test this.
Thank you very much!
>What OS are you on, and what LDAP libraries & version of those libs are you
>using?
RHEL Server 5.6 (64 bit), Kernel 2.6.18-238.5.1.el5
# rpm -qa | grep -i ldap
php-ldap-5.1.6-27.el5_5.3
openldap-clients-2.3.43-12.el5_6.7
openldap-2.3.43-12.el5_
nd modify it to use ldapsearch.
> Sure.
>
> People are looking into better LDAP failover in "redundant {}" stanzas.
> LDAP-Group is a bit harder though.
>
A quick hack would be to use rlm_exec if you do not have a high
RADIUS packet rate, the alternative would be rlm_
config) at 10 locations, 3 LDAP
servers at 3 different locations.
To counter the loss of one or two locations, load balancing will be very
complex.
Sure.
People are looking into better LDAP failover in "redundant {}" stanzas.
LDAP-Group is a bit harder though.
ap" module and FreeRADIUS do not work that way.
>"LDAP-Group" is a virtual attribute, that is registered by the first
>LDAP module to be created; it can't "fail over". It doesn't know about
>"redundant {}" or similar.
OK, thanks for detailed
On 06/28/2011 08:15 PM, Alexander Clouter wrote:
I keep meaning to do this for the sql module (well, postgresql) but it
can be done for libldap too. Open the socket directly in freeradius,
using SOCK_NONBLOCK -> connect() -> SO_RCVTIMEO/SO_SNDTIMEO and then
pass that all to ldap_init_fd().
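The suggestion above (own the socket, connect it non-blocking with a deadline, set SO_RCVTIMEO/SO_SNDTIMEO, then hand it to ldap_init_fd()) exists because libldap walks a space-separated server list in series, so every dead server in front of a live one adds a full connect timeout to the request. The following is an added example for this thread, not FreeRADIUS or libldap code: it bounds the connect to each server, records how long each attempt cost, and returns the first live socket with an I/O timeout applied. The standard library cannot call ldap_init_fd(), so it stops at the connected socket; the server names in the test are placeholders.

```python
"""Bound the cost of a dead LDAP server: try each server with a hard connect
timeout and hand back the first live socket. Added example for this thread,
not FreeRADIUS or libldap code; server addresses are placeholders."""
import socket
import time


def connect_first_alive(servers, connect_timeout=2.0, io_timeout=5.0,
                        connector=socket.create_connection):
    """servers: list of (host, port) in preference order.
    Returns (sock_or_None, attempts); attempts records
    (host, port, seconds_spent, error_name_or_None) per server.
    'connector' is injectable so the logic can be tested without a network."""
    attempts = []
    for host, port in servers:
        started = time.monotonic()
        try:
            sock = connector((host, port), timeout=connect_timeout)
        except OSError as exc:
            attempts.append((host, port, time.monotonic() - started, type(exc).__name__))
            continue
        # Same idea as SO_RCVTIMEO/SO_SNDTIMEO: a bind or search on this
        # socket may not hang longer than io_timeout either.
        if hasattr(sock, "settimeout"):
            sock.settimeout(io_timeout)
        attempts.append((host, port, time.monotonic() - started, None))
        return sock, attempts
    return None, attempts


def worst_case_delay(servers, connect_timeout):
    """libldap walks a space-separated server list in series, so a request
    can wait this long before the last server is even tried."""
    return connect_timeout * max(len(servers) - 1, 0)


if __name__ == "__main__":
    # Constructed local demo: a closed loopback port followed by a listening one.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    servers = [("127.0.0.1", closed_port), ("127.0.0.1", listener.getsockname()[1])]
    sock, attempts = connect_first_alive(servers, connect_timeout=1.0)
    print(sock is not None, attempts)
    print("worst case with this timeout:", worst_case_delay(servers, 1.0), "s")
    if sock:
        sock.close()
    listener.close()
```

With three servers and a 5 second connect timeout, worst_case_delay() is 10 seconds, which is the figure to compare against the 15 minute failover reported in this thread; the difference is whether the connect itself is bounded or left to the kernel's TCP retry schedule.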
Phil Mayers wrote:
>
> Unfortunately, when you supply >1 LDAP server, this is handled
> internally by libldap, and libldap tries the LDAP servers in series, not
> in parallel. So there will always be some outage.
>
> FreeRADIUS does not currently have connection pools, and they're a bit
> har
Sorry. The "ldap" module and FreeRADIUS do not work that way.
"LDAP-Group" is a virtual attribute, that is registered by the first
LDAP module to be created; it can't "fail over". It doesn't know about
"redundant {}" or similar.
Defining all thr
Auth-Type PAP {
    pap
}
Auth-Type LDAP {
    ldap
}
}
With this config another LDAP server is chosen if the one that has handled
the communication for LDAP group extends fails. But failover took 15 minutes.
That's much too long for us.
(1-3 min
Hi Phil,
Now it is working as expected. You are a good man.
Thank You
From: Phil Mayers
To: freeradius-users@lists.freeradius.org
Sent: Sunday, 8 May 2011, 18:17
Subject: Re: ldap group filter
On 05/08/2011 04:19 PM, crzrobot wrote:
> Hi Phil,
> Thank Y
On 05/08/2011 04:19 PM, crzrobot wrote:
Hi Phil,
Thank You for the response. Your input helps a lot.
I did the modifications you suggested but the fetching of the variable
is done too late. When the checking of the group is done, the
%{control:Ldap-UID} comes empty, but is fetched later. If you
___
From: Phil Mayers [via FreeRadius]
To: crzrobot
Sent: Sunday, 8 May 2011, 12:29
Subject: Re: ldap group filter
On 05/08/2011 10:32 AM, crzrobot wrote:
> Sorry for the double posting.
> Hi,
> Recently I implemented a RADIUS authentication using the ldap modul
On 05/08/2011 10:32 AM, crzrobot wrote:
Sorry for the double posting.
Hi,
Recently I implemented a RADIUS authentication using the ldap module.
The next step is to control the users by groups, and I want to ask how I could
set up the group filter if I have this kind of configuration for the groups
on th
: /bin/bash
homeDirectory: /home/test01
dSCorePropagationData: 16010108151513.0Z
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
r: member=cn=roberttest1
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
joezamosc wrote:
>
> Alexander - you have a point - WANN is under OU - I've made an adjustment in
> modules/ldap and changed groupname_attribute to ou "groupname_attribute =
> ou"
>
'groupname_attribute' should be 'cn', unless your LDAP directory is very
broken ;)
> And after running ldapsearch
.com/CN=Configuration,DC=corp,DC=development,DC=com
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
joezamosc wrote:
>
>
> The 10th line from the bottom of the snippet returns with the following...
>
> rlm_ldap::ldap_groupcmp: ldap_get_values() failed
>
> I'm waiting for a subsequent "[ldap] performing search in" my DN and to
> match with filter (cn=WANN)
> But it's not happening.
>
It is h
On 04/07/2011 10:06 PM, joezamosc wrote:
2.1.10
Here's a snippet of freeradius -X...
+- entering group post-auth {...}
[ldap] Entering ldap_groupcmp()
[files] expand: ou=Departments,dc=corp,dc=development,dc=com ->
ou=Departments,dc=corp,dc=development,dc=com
[files] expand:
a7699d7832fe38f78c5458b0318eaa27db6
MS-MPPE-Send-Key =
0x866779d60ae2e9da0a928ebfb1f20e2f5e26dc05d050075dc8e65210e2946936
EAP-Message = 0x030a0004
Message-Authenticator = 0x
Finished request 8.
This is in my postauth_users file...
DEFAULT Huntgroup-Name == Switches, Ldap-Group ==
y.conf" file (in
default freeradius installs):
policy {
    my-policy {
        ...any unlang ...
    }
}
...then in raddb/sites-/*/*:
authorize {
    my-policy
}
You will probably find that Ldap-Group works with the unlang policy
stuff, because it works with plain unlang.
I've been using the Ldap-Group attribute within my users file (I want
to get rid of rlm_files) to check whether the user -- which is to be authorized
-- is a member of a particular ldap group. I also need to do this check within
my intended 'policy setup' but it turned out that
On 02/12/10 14:49, Phil Mayers wrote:
Alternatively, how about:
policy {
myldap {
update request {
Module-Failure-Message !* 0x00
My-Group = "%{ldap1:...}"
}
if (Module-Failure-Message) {
Nah, this won't work sorry - I was misreading the rlm_ldap.c code,
On 02/12/10 13:14, Alexander Clouter wrote:
Phil Mayers wrote:
It would be really nice to fold those duplicate LDAP-Group lines into
'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAUL
Phil Mayers wrote:
>
>> It would be really nice to fold those duplicate LDAP-Group lines into
>> 'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
>>
>> /etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT:
>
Josip Rodin wrote:
>
>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login1-LDAP-Group == it-switch-admin
>> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
>> ldap_login2-LDAP-Group == it-swit
On 02/12/10 11:54, Alexander Clouter wrote:
It would be really nice to fold those duplicate LDAP-Group lines into
'ldap_login-LDAP-Group', however alas FreeRADIUS does not love me:
/etc/freeradius/LOCAL/users-login[1]: Parse error (check) for entry DEFAULT: Invalid octet string
On Thu, Dec 02, 2010 at 11:54:28AM +, Alexander Clouter wrote:
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login1-LDAP-Group == it-switch-admin
> DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
> ldap_login2-LDAP-Group == it-
Hi,
I know this has been covered in the archives, and the news is generally
not good, but my users file currently looks like:
DEFAULT NAS-Identifier == switch, Huntgroup-Name == allied-telesis,
ldap_login1-LDAP-Group == it-switch-admin
Service-Type = Administrative-User
DEFAULT NAS
Yes sir! Thank you.
Found the solution in the doc
On Fri, Oct 22, 2010 at 12:57 PM, Alan DeKok wrote:
> mic nightic wrote:
> > By looking in my openldap logs, freeradius is not even trying to search
> > for the group.
> >
> > Do i have to activate something else to enable group checking?
>
> doc/
mic nightic wrote:
> By looking in my openldap logs, freeradius is not even trying to search
> for the group.
>
> Do i have to activate something else to enable group checking?
doc/rlm_ldap
Look for "group support"
Alan DeKok.
Hi,
I'm trying to activate the LDAP group membership checking in FreeRadius.
In my radiusd.conf i've modified the group checking section:
groupname_attribute = cn
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUn
I never saw a reply to my below e-mail. Would anybody have any thoughts
or ideas on why our ldap group lookups fail after some period of
time...? If it would help to send debug output, I can... Just for my
information, are many folks out there using ldap/AD group lookups on
large FR
Group,
We are having problems with ldap group lookups... Here's our
environment. Using Freeradius 2.1.8 to authenticate wireless users
against our AD servers and perform ldap group membership lookups. Using
WPA2-AES-PEAP-MSCHAPv2. When radiusd is started, initially the lookups
work
Douglas Caro wrote:
> I'm trying to modify a working configuration to add one more
> authentication service in FreeRadius.
What's an "authentication service"?
> I already have one configuration to authenticate users in ldap to use
> wireless network. See the radiusd.conf:
Please don't post
Hello!
I'm trying to modify a working configuration to add one more
authentication service in FreeRadius.
I already have one configuration to authenticate users in ldap to use
wireless network. See the radiusd.conf:
radiusd.conf
prefix = /usr
exec_p
Jason Fenner wrote:
> However, when I test PEAP using eapol_test authentication also works
> fine, but the ldap group checking occurs only on the outer-tunnel
> username. In this case, the outer tunnel is created using the username
> "anonymous". This user doesn't e
, when I test PEAP using eapol_test authentication also works
fine, but the ldap group checking occurs only on the outer-tunnel
username. In this case, the outer tunnel is created using the username
"anonymous". This user doesn't exist in AD, so a failure is the response.
In inner-tun
Thanks, Alan.
It seems to work with the following :
in sites-enabled/default :
post-auth {
    if ( EAP-Type == "Cisco-LEAP" ) {
        if (!(Ldap-Group == wireless)) {
            fail
        }
    }
}
.
in sites-enabled/inner-tunnel :
Fred MAISON wrote:
> I surely misunderstand something : in my test :
> User is found on ldap in group wireless, but (Ldap-Group != "wireless")
> evaluates to TRUE ...
Err that's fairly broken right now. Try:
if (!(LDAP-Group == "wireless")) {
I surely misunderstand something : in my test :
User is found on ldap in group wireless, but (Ldap-Group != "wireless")
evaluates to TRUE ...
NOTE : user has multiple radiusgroupname
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/msc
if ( "%{control:Ldap-Group}" == "wireless" ) {
This isn't like the "users" file.
if (LDAP-Group == "wireless") {
    ...
}
The extra "${control:...}" text isn't necessary.
Alan DeKok.
On Tue, Jun 01, 2010 at 12:41:38PM +0200, Fred MAISON wrote:
> I have not been able to place something like this in the post-auth
> section of inner-tunnel ...
> if ( "%{control:Ldap-Group}" == "wireless" ) {
> noop
> } else {
>
reject
}
I tried to replace this in users:
# for proxy.conf to work :
DEFAULT Realm == "myreal.com"
reply-Message += "real is %{Realm}"
DEFAULT Auth-Type == EAP, EAP-Type == Cisco-LEAP, Ldap-Group == wireless
reply-Message = "C
I'm in the group?
DEFAULT Ldap-Group == "VPN USERS", Auth-Type := Accept
DEFAULT Auth-Type := Reject
Fall-Through = no
In debug I can see,
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "vtest" with password "test1234"
[ldap] u
virtual server) to support my scenario,
> and it is like below:
>
> From IP x.x.x.1 -> Only Allow LDAP Group A to access
> From IP x.x.x.2 -> Only Allow LDAP Group B to access
>
> from the doc/ldap_howto.txt, it seems not working
>
> I've found in mailing
Hello all
I want to run only one radiusd (no virtual server) to support my scenario,
and it is like below:
From IP x.x.x.1 -> Only Allow LDAP Group A to access
From IP x.x.x.2 -> Only Allow LDAP Group B to access
from the doc/ldap_howto.txt, it seems not working
I've
Fred wrote:
> Thanks a lot, Alan,
> Do you have any roadmap info available or any idea of 2.2
> availability (some month, this year ) ?
Within 3-4 months.
Alan DeKok.
Thanks a lot, Alan,
Do you have any roadmap info available or any idea of 2.2
availability (some month, this year ) ?
Best regards,
Fred
Fred wrote:
> ldap redundancy & Ldap-Group checkItem in user file
...
> I don't see how to make freeradius register to something like ldapRedundant.
> Is there any way to do that?
Alexander Clouter has some patches. These should go into 2.2.0.
Alan DeKok.
ldap redundancy & Ldap-Group checkItem in user file
Hi all,
I'm trying to migrate a FreeRADIUS 1 setup (where LDAP failover was not working)
to FreeRADIUS 2 and I have some difficulties configuring LDAP
failover:
As Ldap-Group is registered with the individual ldap instance names (i.e.
ldap1-Ldap-Group &
Stephon Chen wrote:
>We want to do a scenario like below:
>(Prerequisites: a radius server RD, a ldap backend LD, and 2 unix
> clients CA and CB with different IPs)
>CA sends user auth requests to RD, RD would only send if the user is
> in ldap group A
>CB sends
Hello all,
We want to do a scenario like below:
(Prerequisites: a radius server RD, a ldap backend LD, and 2 unix
clients CA and CB with different IPs)
CA sends user auth requests to RD, RD would only send if the user is in
ldap group A
CB sends user auth requests to RD, RD would
> In my "users" file I perform an Ldap-Group lookup and allocate a VLAN
> based on this, i.e. DEFAULT Ldap-Group !=
> "cn=DisabledRadiusUsers,ou=roles,ou=services,o=abc"
>
> The issue I am having is if a user has an Outer Identity set, the
> Ldap-Group lookup
In my "users" file I perform an Ldap-Group lookup and allocate a VLAN
based on this, i.e. DEFAULT Ldap-Group !=
"cn=DisabledRadiusUsers,ou=roles,ou=services,o=abc"
The issue I am having is if a user has an Outer Identity set, the
Ldap-Group lookup is performed against this us
inner-tunnel file:
if (Ldap-Group == "xxx" && Tmp-Integer-0 > 0) {
    update reply {
        # set VLAN attributes for that case
        Tunnel-Type = VLAN
        Tunnel-M
[files] expand: %{User-Name} -> john
[files] sql_set_user escaped user --> 'john'
rlm_sql (sql): Reserving sql socket id: 1
[files] expand: SELECT groupname FROM
radusergroup WHERE username = '%{SQL-User-Name}' ORDER
BY priority -> SELECT groupname
;
>#These are the groups we are checking for Lunar Building staff
>DEFAULT Ldap-Group == "lunar-staff"
>Aruba-User-Role = "employee"
>
>DEFAULT Ldap-Group == "lunar-member"
>Aruba-User-Role = "memb
checking for Lunar Building staff
DEFAULT Ldap-Group == "lunar-staff"
Aruba-User-Role = "employee"
DEFAULT Ldap-Group == "lunar-member"
Aruba-User-Role = "member"
DEFAULT Ldap-group != "lunar-staff"
Interesting,
> >I have a similar situation except that I want to authorize users from
> >one SSID with ActiveDirectory, and from the other SSID with a local
> >mysql.
> >
> >How would I do that?
> >
>
> FreeRADIUS doesn't care where the data is com
>Interesting,
>I have a similar situation except that I want to authorize users from
>one SSID with ActiveDirectory, and from the other SSID with a local
>mysql.
>
>How would I do that?
>
FreeRADIUS doesn't care where the data is coming from. You have to use
groups. AD g
> >I need to have different WLANs for different Users who are in LDAP
> >groups.
> >The user of group A should be able to use WLAN A but not WLAN B and so
> >on.
> >
> >How on earth do I configure this?
>
> Where is SSID in the request? Called-Station-Id?
>Even though I understand what you are saying, I have no idea where to
>start looking for the SSID.
>
Access-Request packet. Do radiusd -X debug and request attributes will be
displayed.
>As far as I can tell, the SSID is not in the request and neither in
>the NAS-Identifier.
>
If it's not in th
uld be able to use WLAN A but not WLAN B and so on.
How on earth do I configure this?
Where is SSID in the request? Called-Station-Id? NAS-Identifier?
DEFAULT Ldap-Group == whatever, regex check on the attribute which
holds SSID
DEFAULT Ldap-Group == another, same for second SSID
>I need to have different WLANs for different Users who are in LDAP
>groups.
>The user of group A should be able to use WLAN A but not WLAN B and so
>on.
>
>How on earth do I configure this?
Where is SSID in the request? Called-Station-Id? NAS-Identifier?
DEFAULT Ldap-Group
e not found a way to limit access of a certain SSID to a certain
LDAP group.
I need to have different WLANs for different Users who are in LDAP
groups.
The user of group A should be able to use WLAN A but not WLAN B and so
on.
How on earth do I configure this?
Does anybody have any experience
I'm having a hard time figuring out how to do group checking with
FreeRADIUS. I am trying to authenticate against Open Directory, but I
have no idea where to give the group name to check for. (Modifying the
schema isn't really an option.)
Hi,
Elizabeth Steinke <[EMAIL PROTECTED]> wrote:
>
> Since we have other applications that don't and probably never will perform
> redundant LDAP lookups I'm thinking I will just an LDAP VIP to the LVS server.
> I am still willing to try any solutions in my lab for the sake of having it in
IP address ldap1 is using to do
>>> lookups I
>>> >get an access-reject packet back.
>>> >
>>> >Here is the snippet of the log (I am posting it for brevity, I will be
>>> more
>>> >than happy to post all of radiusd -X)
>>> &
ing it for brevity, I will be
>> more
>> >than happy to post all of radiusd -X)
>> >
>> >---log bits for when it rejects the attempt--
>> >
>> >rlm_ldap: ...some ldap server in ldap fairy land... failed: Can't contact
>> >LDAP ser
erver
> >rlm_ldap: (re)connection attempt failed
> >rlm_ldap::ldap_groupcmp: search failed
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >users: Matched entry DEFAULT at line 69
> >
> >here is rule 68-69:
> >
> >DEFAULT Huntgroup-Name =="some hun
onn: Release Id: 0
>users: Matched entry DEFAULT at line 69
>
>here is rule 68-69:
>
>DEFAULT Huntgroup-Name == "some huntgroup", Auth-Type = ntlm_auth_cleartext
>Fall-Through = 1
>DEFAULT Huntgroup-Name == "some huntgroup",Ldap-Group != "somelda
oup", Auth-Type = ntlm_auth_cleartext
Fall-Through = 1
DEFAULT Huntgroup-Name == "some huntgroup",Ldap-Group != "someldapgroup",
Auth-Type := Reject
I can then see rlm_ldap doing the lookup successfully on ldap1
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_c
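The users-file entries quoted in this thread (the lunar-staff / lunar-member pair that sets Aruba-User-Role, and the huntgroup pair above where a second DEFAULT entry sets Auth-Type := Reject when Ldap-Group != "someldapgroup") only work because rlm_files walks the entries in order and stops at the first match unless that entry sets Fall-Through. The evaluator below is an added example written for this thread, not rlm_files or code from any poster: it parses only the syntax those entries use, takes group membership from a caller-supplied callback standing in for the directory search, and treats Huntgroup-Name as an ordinary request attribute, which is an assumption (the real server resolves it from the huntgroups file).

```python
"""Minimal evaluator for FreeRADIUS 'users'-file entries that use the
Ldap-Group check item: the first matching entry wins unless it sets
Fall-Through. Added example modelled on the entries quoted in this thread;
it is not rlm_files and covers only the syntax those entries use."""
import re

# One "Attribute op value" pair; values may be double-quoted or bare.
PAIR_RE = re.compile(
    r'\s*([\w\-]+)\s*(==|!=|:=|\+=|=~|=)\s*(?:"([^"]*)"|([^,\s]+))\s*(?:,|$)')


def parse_pairs(text):
    return [(m.group(1), m.group(2),
             m.group(3) if m.group(3) is not None else m.group(4))
            for m in PAIR_RE.finditer(text)]


def parse_users(text):
    """Entries are (name, check_items, reply_items): check items sit on the
    unindented line with the entry name, reply items on the indented lines."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            parts = raw.split(None, 1)
            entries.append((parts[0],
                            parse_pairs(parts[1] if len(parts) > 1 else ""),
                            []))
        else:
            entries[-1][2].extend(parse_pairs(raw.strip()))
    return entries


def check_matches(attr, op, value, request, in_group):
    """Ldap-Group is a virtual check item: '==' means 'user is a member' and
    '!=' means 'user is not a member', each answered by a directory search.
    Huntgroup-Name is treated as a plain request attribute here (assumption)."""
    if attr == "Ldap-Group":
        member = bool(in_group(value))
        if op == "==":
            return member
        if op == "!=":
            return not member
        return False
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "=~":
        return re.search(value, actual) is not None
    return False


def evaluate(entries, request, in_group):
    """Return (control, reply). ':=' and '=' on the check line are control
    assignments that always match (e.g. Auth-Type := Reject)."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        pending = {}
        for attr, op, value in checks:
            if op in (":=", "="):
                pending[attr] = value
            elif not check_matches(attr, op, value, request, in_group):
                break
        else:  # every check item matched
            control.update(pending)
            fall_through = False
            for attr, op, value in replies:
                if attr == "Fall-Through":
                    fall_through = value.lower() in ("1", "yes", "true")
                else:
                    reply[attr] = value
            if not fall_through:
                break
    return control, reply
```

Because the first matching entry without Fall-Through ends the walk, a user who is in both lunar groups gets the employee role; swap the two entries and the same user gets member. The reject entry in the huntgroup example is only ever reached because the entry before it sets Fall-Through = 1; drop that line and nobody is rejected.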
Behalf Of [EMAIL PROTECTED]
Sent: Thursday, October 09, 2008 12:39 PM
To: FreeRadius users mailing list
Subject: Re: Ldap group
> groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniq
> groupmembership_filter =
>"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
It should also be control:Ldap-UserDn for uniquemember. Hope that helps.
Ivan Kalik
Kalik Informatika ISP
Hello
I have LDAP working to authenticate users to a Cisco switch. I now want to
limit it to group membership. Any help would be great.
Here is what I have in my ldap config for the groups.
# Group membership checking. Disabled by default.
#
groupname_attribute = "cn"
te to our
> configured devices this morning I see the following generic error in the
> debug:
>
> rlm_ldap: search failed
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns fails
>
> The odd part about it is that I still have our previous 2000 domain
> contr
= 0x2f644ea60d80525ed0b13527ca916aae
>MS-MPPE-Encryption-Policy = 0x0001
>MS-MPPE-Encryption-Types = 0x0006
>Finished request 2.
>Going to the next request
>Waking up in 4.9 seconds.
>Cleaning up request 2 ID 83 with timestamp +888
>Ready to process requests.
e domain name appended to
(sAMAccountName=voila\5cwebtest)
My users File entries:
(The first entry I would like to be used by the concentrator to search the
group and if the user is a member allow them access - of course
authenticating the provided password)
DEFAULT LDAP-Group == "vp
Alan DeKok <[EMAIL PROTECTED]> 8/18/08 12:02 PM >>>
>Jason Long wrote:
>> expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn})) ->
>> (&(objectClass=groupOfNames)(member=))
>>
>> The search filter should contain something like
>> (member=cn=georget,ou=student,o=mc), but instead
Jason Long wrote:
> expand: (&(objectClass=groupOfNames)(member=%{Ldap-UserDn})) ->
> (&(objectClass=groupOfNames)(member=))
>
> The search filter should contain something like
> (member=cn=georget,ou=student,o=mc), but instead it has (member=).
>
> Is %{Ldap-UserDn} not correct? I got it
This morning I'm attempting to upgrade my FreeRadius install from 1.1.7 to
2.0.5.
I'm having an issue with LDAP group-checking.
Here's my scenario:
I authenticate users with LDAP (eDirectory). In addition, I do some LDAP
group-checking to determine which RADIUS attributes I wa