Hello,
 
I don't think I have been clear enough:
with the attached LDAP module of the radiusd.conf file, the search
"performing search in DC=firmtest,DC=w2k, with filter (displayName=radius1)" does not work.
 
If I modify the BaseDN that way: basedn = "OU=outest,DC=firmtest,DC=w2k", it works perfectly.
 
Then I think I missed something to have a recursive search, and to be able to look under the whole DC=firmtest,DC=w2k (OU or CN included).
 
Thank you for helping me,
 
Thierry
On Fri, 25 Jul 2003, simpel wrote:

> Hello,
>
> I would like to configure my freeradius 0.8 to search in a LDAP data base using
> groups. I then tried things on the radiusd.conf file, to use the
> groupname_attribute, groupmembership_filter, groupmembership_filter, and
> groupmembership_attribute  attributes, but nothing worked.
>
> My concern is to be able to find users which are not situated under the same OU, but
> which are all contained in the same group.
>
> Could somebody help me?
>
> Thank you,
>
> Regards,
>
> Thierry


Not sure if this is what you are looking for, but here is an example of
groups with ldap.

in radiusd.conf

groupname_attribute = radiusGroupName

in ldap
dn: uid=example,dc=example,dc=com
uid: example
objectclass: radiusprofile
userPassword: example
radiusGroupName: disabled

in users

DEFAULT Ldap-Group == disabled, Auth-Type := Reject
  Reply-Message = "Account Disabled"

So what would happen is the user would be authorized and radius would
do a lookup to see if they belonged to the group disabled.  If it exists,
then the user will be rejected.  If not, then the users file will continue
to be parsed.  You'd have another default under that one that specified
what actions for users that are not disabled.

Hope that helps.

Dustin Doris


        ldap {
                authtype = ldap
                server = "my_Active_Directory_server"
                identity = "CN=radiustest,CN=Users,DC=firmtest,DC=w2k"
                password = radiustest
                basedn = "DC=firmtest,DC=w2k"
                filter = "(displayName=%{Stripped-User-Name:-%{User-Name}})"

                ldap_debug = 0x0028
                # set this to 'yes' to use TLS encrypted connections
                # to the LDAP database by using the StartTLS extended
                # operation.
                start_tls = no
                # set this to 'yes' to use TLS encrypted connections to the
                # LDAP database by passing the LDAP_OPT_X_TLS_TRY option to
                # the ldap library.
                tls_mode = no
        
                # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
                # profile_attribute = "radiusProfileDn"
                #access_attr = "msNPAllowDialin"
        
                # Mapping of RADIUS dictionary attributes to LDAP
                # directory attributes.
                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # ldap_cache_timeout = 120
                # ldap_cache_size = 0
                ldap_connections_number = 5
                # password_header = "{clear}"
                password_attribute = description
                #groupname_attribute = cn
                #groupmembership_filter = "(|(&(objectClass=Radius)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
                #groupmembership_attribute = "CN=Radius,CN=Users,DC=altadis,DC=w2K"
                timeout = 4
                timelimit = 3
                net_timeout = 1
                # compare_check_items = yes
                # access_attr_used_for_allow = yes
        }
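An added example, not code from this thread or from FreeRADIUS itself: a small Python simulation of how the second groupmembership_filter from the attached config (with %{Ldap-UserDn} expanded to the user's DN) and Dustin's "DEFAULT Ldap-Group == disabled" users-file entry combine. The directory entries, the user and group DNs and the catch-all "Auth-Type := LDAP" entry beneath the reject entry are constructed for the example.

```python
import re
# Constructed directory (not the poster's): one user and two groups, attribute sets keyed by DN.
DIRECTORY = {
    "cn=bob,ou=east,dc=example,dc=com": {"objectClass": {"person"}, "displayName": {"bob"}},
    "cn=disabled,cn=Users,dc=example,dc=com": {
        "objectClass": {"GroupOfNames"}, "member": {"cn=bob,ou=east,dc=example,dc=com"}},
    "cn=dialup,cn=Users,dc=example,dc=com": {
        "objectClass": {"GroupOfUniqueNames"}, "uniquemember": {"cn=alice,ou=west,dc=example,dc=com"}},
}
# The second commented-out groupmembership_filter from the attached radiusd.conf, verbatim.
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")
# users-file entries in file order: (Ldap-Group to match or None, Auth-Type, Reply-Message).
USERS = [("disabled", "Reject", "Account Disabled"), (None, "LDAP", None)]  # Dustin's entry, then an assumed catch-all

def expand(template, request):
    """Substitute %{Attr} with request attributes, as radiusd does before searching."""
    return re.sub(r"%\{([^}]+)\}", lambda m: request.get(m.group(1), ""), template)

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&...), (|...) and (attr=value) only; returns (node, next_index)."""
    assert s[i] == "("
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                       # skip the closing ')'
    end = s.index(")", i)                              # the values used here contain no ')'
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; names and values compared case-insensitively."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, value = node
    return any(v.lower() == value for k, vs in entry.items() if k.lower() == attr for v in vs)

def ldap_groups(user_dn):
    """cn of every group entry matching the filter once %{Ldap-UserDn} is this user's DN."""
    tree, _ = parse_filter(expand(GROUP_FILTER, {"Ldap-UserDn": user_dn}))
    return {dn.split(",")[0].split("=", 1)[1] for dn, e in DIRECTORY.items() if matches(tree, e)}

def authorize(user_dn):
    """The first users-file DEFAULT whose Ldap-Group check passes (or that has none) decides."""
    groups = ldap_groups(user_dn)
    for group, auth_type, reply in USERS:
        if group is None or group in groups:
            return auth_type, reply
```

Because the filter matches on the user's full DN rather than on the OU it sits in, bob is found in "disabled" even though the group lives under cn=Users and the user under ou=east.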
