hi,
On Thu, 12 Sep 2002, Brian Leung wrote:
> how about the user object, do i need to add anything attribute to there
>
if you have already added the user DN under the group DN, then there's no
need to add any attribute on the user object. it will be looked up on the
group DN for the user's membership.
another way of checking group membership via LDAP is utilizing the
groupmembership_attribute in radiusd.conf. you just need to add another
attribute, whose presence on the user object the ldap module checks.
IMHO, this is more elegant if you have thousands of users belonging to
different groups.
so for this DN,
> # ronaldo, testing
> dn: uid=ronaldo,o=testing
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: inetLocalMailRecipient
> objectClass: radiusprofile
> objectClass: posixAccount
> objectClass: PureFTPdUser
> cn: ronaldo
> sn: ronaldo
> mail: ronaldo@testing
> uid: ronaldo
> uidNumber: 1001
> gidNumber: 1001
> homeDirectory: /home/ronaldo
> userPassword::
> FTPuid: 1001
> FTPQuotaMBytes: 1
> radiusProfileDn: cn=radiusprofile2,o=testing
add this attribute:
radiusGroupName: testgroup
and create this:
[Group DN]
# testgroup, testing
dn: cn=testgroup,o=testing
cn: testgroup
objectClass: posixGroup
gidNumber: 1101
and on radiusd.conf, set
groupmembership_attribute = radiusGroupName
restart radiusd and see the results.
regards,
ronald
--
[Never be afraid to try something new.
Remember, amateurs built the ark,
and professionals built the Titanic.]
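The two membership lookups described in the reply, worked through in Python as an added example (this is not code from the post or from FreeRADIUS; rlm_ldap's own matching logic may differ in detail). It parses a small, constructed LDIF modelled on the entries above and then checks membership either via the group entry (assumed to list members as member/uniqueMember DNs or memberUid values) or via a membership attribute on the user entry (radiusGroupName compared against the group's cn, as the groupmembership_attribute setting would do). A second user, maria, is constructed to show the group-entry path.

```python
"""Added example: minimal LDIF parsing plus the two group-membership checks
described in the mailing-list reply. Not the original post's code."""
import base64
from collections import defaultdict

# Constructed sample directory, modelled on the post's entries (not real data).
SAMPLE_LDIF = """\
# ronaldo, testing
dn: uid=ronaldo,o=testing
objectClass: inetOrgPerson
objectClass: radiusprofile
cn: ronaldo
uid: ronaldo
userPassword::
radiusGroupName: testgroup

# maria, testing (constructed user, member only via the group entry)
dn: uid=maria,o=testing
objectClass: inetOrgPerson
cn: maria
uid: maria

# testgroup, testing
dn: cn=testgroup,o=testing
cn: testgroup
objectClass: posixGroup
gidNumber: 1101
memberUid: maria
"""


def parse_ldif(text):
    """Parse a minimal LDIF: blank lines separate entries, '#' starts a comment,
    a leading space continues the previous value, 'attr:: value' is base64.
    Returns {dn: {attr: [values]}} with attribute names lowercased, since LDAP
    attribute names are case-insensitive."""
    entries = {}
    attrs = None
    last = None  # (attr, index) of the most recent value, for continuation lines
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            attrs = None
            continue
        if raw.startswith(" ") and last is not None:
            attr, idx = last
            attrs[attr][idx] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            # base64 value; an empty one (like the post's 'userPassword::') decodes to ''
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name == "dn":
            attrs = defaultdict(list)
            entries[value] = attrs
            last = None
        else:
            if attrs is None:
                raise ValueError("attribute before dn: %r" % raw)
            attrs[name].append(value)
            last = (name, len(attrs[name]) - 1)
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'uid=ronaldo,o=testing' -> 'ronaldo'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def member_via_group_entry(entries, user_dn, group_dn):
    """Method 1: membership recorded on the group entry (user DN 'under' the
    group). Assumes member/uniqueMember hold DNs and memberUid holds uids."""
    group = entries.get(group_dn)
    if group is None:
        return False
    dn_members = group.get("member", []) + group.get("uniquemember", [])
    if any(m.lower() == user_dn.lower() for m in dn_members):
        return True
    return rdn_value(user_dn) in group.get("memberuid", [])


def member_via_user_attribute(entries, user_dn, group_dn,
                              membership_attr="radiusGroupName",
                              groupname_attr="cn"):
    """Method 2: the user entry carries the group name in membership_attr
    (the groupmembership_attribute setting); compare it to the group's name
    attribute, case-insensitively as 'cn' matching normally is."""
    user = entries.get(user_dn)
    group = entries.get(group_dn)
    if user is None or group is None:
        return False
    names = {v.lower() for v in group.get(groupname_attr.lower(), [])}
    return any(v.lower() in names for v in user.get(membership_attr.lower(), []))


def is_member(entries, user_dn, group_dn):
    """Either lookup path grants membership."""
    return (member_via_group_entry(entries, user_dn, group_dn)
            or member_via_user_attribute(entries, user_dn, group_dn))


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    group = "cn=testgroup,o=testing"
    for user in ("uid=ronaldo,o=testing", "uid=maria,o=testing", "uid=nobody,o=testing"):
        print(user, "group entry:", member_via_group_entry(directory, user, group),
              "user attr:", member_via_user_attribute(directory, user, group))
```

The script runs offline against the embedded LDIF; ronaldo is a member only through radiusGroupName, maria only through the group's memberUid, which is exactly why the reply recommends the user-attribute method when many users sit in many groups: the check reads one attribute on the entry already fetched for the user instead of searching every group entry.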
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html