On Wed, 12 Jun 2002, Michael Fuller wrote:
> Hi all,
>
> I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
> use ldap for radius authentication and authorisation.
>
> I want to control authorisation on a per group basis, and added the
> radiusprofile object class to a group. The radiusServiceType was then set to
> Administrative-User. However, members of this group are not able to telnet
> to any of our cisco routers. The arrangement works fine if I follow the
> same procedure on a per user basis.
>
> Is there any change that I have to make to radiusd.conf ? Where am I going
> wrong ?
>
> Please help.
>
> Regards,
> Michael Fuller
The profiles don't work on a group basis. What you can do is to add a profile attribute (the name can be configured through the profile_attribute configuration directive) in the ldap entries of all the users belonging to the administrator group. That attribute will point to the DN of an entry containing the radiusServiceType attribute. In other words:

  dn: uid=admin,ou=people,dc=your,dc=company,dc=com
  cn: Administrator
  radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
  [...]

  dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
  cn: Administrator Dialup Profile
  radiusServiceType: Administrative-User

That should work just fine.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
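The following is an added illustration, not code from the thread or from FreeRADIUS: it simulates how the ldap module builds the reply from a per-user profile entry, using the two entries above plus a constructed group entry carrying radiusServiceType directly (the arrangement from the question). It assumes profile_attribute is set to radiusprofiledn and that radiusServiceType maps to the RADIUS Service-Type attribute.

```python
# Constructed directory content: the two entries from the reply, a second
# user without a profile pointer, and a group that carries radiusServiceType.
LDIF = """\
dn: uid=admin,ou=people,dc=your,dc=company,dc=com
cn: Administrator
radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com

dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
cn: Administrator Dialup Profile
radiusServiceType: Administrative-User

dn: uid=operator,ou=people,dc=your,dc=company,dc=com
cn: Operator

dn: cn=admins,ou=groups,dc=your,dc=company,dc=com
objectClass: radiusprofile
member: uid=operator,ou=people,dc=your,dc=company,dc=com
radiusServiceType: Administrative-User
"""

# Assumed: profile_attribute = radiusprofiledn in radiusd.conf, and an
# attribute map entry translating radiusServiceType to Service-Type.
PROFILE_ATTRIBUTE = "radiusprofiledn"
ATTRMAP = {"radiusservicetype": "Service-Type"}

def parse_ldif(text):
    """Return {dn: {attribute (lowercase): [values]}} from simple LDIF."""
    directory, entry = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if entry:
                directory[entry["dn"][0]] = entry
            entry = {}
            continue
        name, value = line.split(":", 1)
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return directory

def reply_for_user(directory, user_dn):
    """Build the RADIUS reply: profile entry first, then the user entry, so
    per-user attributes override the profile. Group membership is never
    consulted, which is why the group-based setup yields no Service-Type."""
    reply = {}
    user = directory[user_dn]
    for profile_dn in user.get(PROFILE_ATTRIBUTE, []):
        for attr, values in directory.get(profile_dn, {}).items():
            if attr in ATTRMAP:
                reply[ATTRMAP[attr]] = values[0]
    for attr, values in user.items():
        if attr in ATTRMAP:
            reply[ATTRMAP[attr]] = values[0]
    return reply
```

Running reply_for_user for uid=admin returns Service-Type = Administrative-User via the profile entry, while uid=operator, who is only a member of the group, gets an empty reply.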
