Thank you so much

Kostas Kalevras wrote:

>On Thu, 12 Sep 2002 [EMAIL PROTECTED] wrote:
>
>>hi,
>>
>>On Thu, 12 Sep 2002, Brian Leung wrote:
>>
>>>how about the user object, do i need to add any attribute there
>>>
>>if you have already added the user DN under the group DN, then there's no
>>need to add any attribute on the user object. it will be looked-up on the
>>group DN for the user's membership.
>>
>>another way of checking group membership via LDAP is utilizing the
>>groupmembership_attribute on radiusd.conf. you just need to add another
>>attribute which the ldap module checks if it exists on the user object.
>>
>>IMHO, this is more elegant if you have thousands of users belonging to
>>different groups.
>>
>
>Yes it is. You do get into problems though if you are in a delegated
>administration environment since you then allow whoever has access to the user
>entry to assign the user to whatever group he wants.
>
>>so for this DN,
>>
>>># ronaldo, testing
>>>dn: uid=ronaldo,o=testing
>>>objectClass: top
>>>objectClass: person
>>>objectClass: organizationalPerson
>>>objectClass: inetOrgPerson
>>>objectClass: inetLocalMailRecipient
>>>objectClass: radiusprofile
>>>objectClass: posixAccount
>>>objectClass: PureFTPdUser
>>>cn: ronaldo
>>>sn: ronaldo
>>>mail: ronaldo@testing
>>>uid: ronaldo
>>>uidNumber: 1001
>>>gidNumber: 1001
>>>homeDirectory: /home/ronaldo
>>>userPassword::
>>>FTPuid: 1001
>>>FTPQuotaMBytes: 1
>>>radiusProfileDn: cn=radiusprofile2,o=testing
>>>
>>add this attribute:
>>
>> radiusGroupName: testgroup
>>
>>and create this:
>>
>>[Group DN]
>>
>> # mygroup, testing
>> dn: cn=testgroup,ou=testing
>> cn: testgroup
>> objectClass: posixGroup
>> gidNumber: 1101
>>
>>and on radiusd.conf, set
>>
>> groupmembership_attribute = radiusGroupName
>>
>>
>>restart radiusd and see the results.
>>
>>regards,
>>
>>ronald
>>
>
>Well, actually if you don't put a group DN in the radiusGroupName attribute you
>don't need to create the group entry.
>
>--
>Kostas Kalevras                Network Operations Center
>[EMAIL PROTECTED]     National Technical University of Athens, Greece
>Work Phone:            +30 10 7721861
>'Go back to the shadow'        Gandalf
>
>
>- 
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
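The delegated-administration caveat raised in the quoted thread can be checked with an audit of a directory export. The sketch below is an added example, not code from the thread or from FreeRADIUS. It flags every `radiusGroupName` value on a user entry that no group entry confirms. It assumes group entries list user DNs in a `member` attribute; the LDIF sample, the user `mallory` and the function names are constructed for illustration.

```python
# Constructed sample export; group entries are assumed to hold user DNs in 'member'.
SAMPLE_LDIF = """\
dn: uid=ronaldo,o=testing
radiusGroupName: testgroup

dn: uid=mallory,o=testing
radiusGroupName: testgroup
radiusGroupName: cn=admins,o=testing

dn: cn=testgroup,o=testing
cn: testgroup
member: uid=ronaldo,o=testing

dn: cn=admins,o=testing
cn: admins
member: uid=root,o=testing
"""

def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; handles plain 'attr: value' lines only."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[norm_dn(attrs.pop("dn")[0])] = attrs
    return entries

def unbacked_group_claims(entries, user_attr="radiusGroupName", member_attr="member"):
    """List (user_dn, claimed_group) pairs that no group entry's member list confirms."""
    members = {}  # group DN and group cn -> set of member DNs
    for dn, attrs in entries.items():
        if member_attr.lower() in attrs:
            listed = {norm_dn(m) for m in attrs[member_attr.lower()]}
            for key in [dn] + [c.lower() for c in attrs.get("cn", [])]:
                members.setdefault(key, set()).update(listed)
    findings = []
    for dn, attrs in entries.items():
        for claim in attrs.get(user_attr.lower(), []):
            # The attribute may hold a bare group name or a group DN.
            key = norm_dn(claim) if "=" in claim else claim.lower()
            if dn not in members.get(key, set()):
                findings.append((dn, claim))
    return sorted(findings)
```

Run against a periodic export, a non-empty result points at user entries whose group attribute was set without a matching change on the group side.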



