On 27/09/10 11:44, Cameron Wood wrote:

    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
    groupmembership_attribute = radiusGroupName


Attached is a debug log of my logon attempts with these settings, which
still fails unfortunately.

The filter is invalid. You're missing a trailing ")" which is easily done in the stupid LDAP filter syntax.



    If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
    queries, even if nsswitch is set up for it.


Noted. Are you able to elaborate on why this is the case, though? I just
like to understand, only if it's not too much trouble.

Two main reasons: firstly, doing the LDAP lookups indirectly via rlm_unix is difficult to debug (as we are finding).

Secondly, doing the LDAP lookups directly gives you a richer interface to the underlying LDAP data. Doing it via rlm_unix limits you to schema elements present in the posix LDAP schema and get*ent calls.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
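As an added example (not part of the thread, and not code from FreeRADIUS), a small recursive-descent check of RFC 4515 filter structure that reports the missing trailing ")" in the quoted groupmembership_filter and accepts the corrected form. It assumes the %{control:...} xlat expansions can be treated as opaque attribute values.

```python
"""Minimal RFC 4515 LDAP filter syntax check (constructed example).
Parses the group-membership filter quoted in the thread, which is one ')'
short, and its corrected form; %{control:...} FreeRADIUS xlat expansions
are treated as opaque values."""


class FilterError(ValueError):
    """Carries the offset at which the filter stops being well-formed."""


def _item(s, i):
    """Parse one parenthesised item at s[i]; return the index after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":      # and/or: one or more sub-filters
        i, n = i + 1, 0
        while i < len(s) and s[i] == "(":
            i, n = _item(s, i), n + 1
        if n == 0:
            raise FilterError(f"empty &/| set at offset {i}")
    elif i < len(s) and s[i] == "!":     # not: exactly one sub-filter
        i = _item(s, i + 1)
    else:                                # simple item: attr=value etc.
        j = s.find(")", i)               # RFC 4515 escapes ')' in values as \29
        if j == -1 or "=" not in s[i:j]:
            raise FilterError(f"malformed item at offset {i}")
        i = j
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"missing ')' at offset {i}")
    return i + 1


def check_filter(text):
    """Return True for a well-formed filter; raise FilterError otherwise."""
    end = _item(text, 0)
    if end != len(text):
        raise FilterError(f"trailing data at offset {end}")
    return True


def is_valid(text):
    """Boolean form of check_filter(), for use in a config pre-flight."""
    try:
        return check_filter(text)
    except FilterError:
        return False


# The filter as posted (missing the final ')') and its corrected form.
POSTED = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
          "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))")
FIXED = POSTED + ")"
```

Running check_filter(POSTED) raises FilterError pointing at the end of the string, which is where the closing ")" for the outer "(|" should be.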