On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:

>
> hi,
>
> On Thu, 12 Sep 2002, Brian Leung wrote:
>
> > how about the user object, do i need to add anything attribute to there
> >
>
> if you have already added the user DN under the group DN, then there's no
> need to add any attribute on the user object. it will be looked-up on the
> group DN for the user's membership.
>
> another way of checking group membership via LDAP is utilizing the
> groupmembership_attribute on radiusd.conf. you just need to add another
> attribute which the ldap module checks if it exists on the user object.
>
> IMHO, this is more elegant if you have thousands of users belonging to
> different groups.

Yes it is. You do get into problems though if you are in a delegated
administration environment since you then allow whoever has access to the
user entry to assign the user to whatever group he wants.

>
> so for this DN,
>
> > # ronaldo, testing
> > dn: uid=ronaldo,o=testing
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: inetLocalMailRecipient
> > objectClass: radiusprofile
> > objectClass: posixAccount
> > objectClass: PureFTPdUser
> > cn: ronaldo
> > sn: ronaldo
> > mail: ronaldo@testing
> > uid: ronaldo
> > uidNumber: 1001
> > gidNumber: 1001
> > homeDirectory: /home/ronaldo
> > userPassword::
> > FTPuid: 1001
> > FTPQuotaMBytes: 1
> > radiusProfileDn: cn=radiusprofile2,o=testing
>
> add this attribute:
>
> radiusGroupName: testgroup
>
> and create this:
>
> [Group DN]
>
> # mygroup, testing
> dn: cn=testgroup,ou=testing
> cn: testgroup
> objectClass: posixGroup
> gidNumber: 1101
>
> and on radiusd.conf, set
>
> groupmembership_attribute = radiusGroupName
>
>
> restart radiusd and see the results.
>
> regards,
>
> ronald

Well, actually if you don't put a group DN in the radiusGroupName attribute
you don't need to create the group entry.

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
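
An added example, not code from this thread or from FreeRADIUS: a small audit for the delegated-administration problem raised above. It reports every radiusGroupName value on a user entry that no group-side entry confirms. It assumes an LDIF export in which authoritative groups list their members in member or uniqueMember; the sample LDIF and all function names are constructed for illustration.

```python
# Added example: audit user-side group claims against group-side membership.
# Assumption: the group's member/uniqueMember values are the authoritative list.
SAMPLE_LDIF = """\
dn: uid=ronaldo,o=testing
radiusGroupName: testgroup

dn: uid=testuser2,o=testing
radiusGroupName: testgroup
radiusGroupName: cn=admins,o=testing

dn: cn=testgroup,o=testing
cn: testgroup
member: uid=ronaldo,o=testing
"""  # constructed sample; only "ronaldo" and "testgroup" appear in the thread

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'
    lines. Base64 (attr::) values and folded lines are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def norm(dn):
    # DNs compare case-insensitively; also drop spaces around the commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def unconfirmed_claims(entries, claim_attr="radiusgroupname"):
    """Return (user DN, claimed group) pairs the group side does not confirm."""
    members = {}  # group DN and group cn -> set of normalized member DNs
    for e in entries:
        listed = {norm(m) for a in ("member", "uniquemember") for m in e.get(a, [])}
        keys = [norm(e["dn"][0])] + [c.lower() for c in e.get("cn", [])]
        for key in keys if listed else []:
            members.setdefault(key, set()).update(listed)
    findings = []
    for e in entries:
        user = norm(e["dn"][0])
        for claim in e.get(claim_attr, []):
            # The attribute may hold a plain group name or a group DN.
            key = norm(claim) if "=" in claim else claim.lower()
            if user not in members.get(key, set()):
                findings.append((e["dn"][0], claim))
    return findings
```

Run it over a periodic export and review each reported pair; a claim naming a group with no group-side entry is reported as well, since nothing confirms it.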
