Check out doc/rlm_ldap. It explains how to set up the LDAP groups. If you
want to add group membership attributes to each user, then check out
http://doris.cc/radius
Hope that helps.
On Fri, 23 Jan 2004, Kevin M. Myer wrote:
> Hello,
>
> I have an LDAP directory server, with users and groups stored in domain component
> trees. For authentication credentials, I'm having users supply their email
> address and using the domain to determine the realm. In my "users" file, I
> have a bunch of DEFAULT entries that use the realm to set Autz-Type and
> Auth-Type. In radiusd.conf, I have multiple ldap modules defined and the
> respective Autz-Type and Auth-Type entries that point to them, based on the
> domain name. This is basically the scenario that is described in doc/Autz-Type
> and it works just fine.
>
> However, in addition to the user existing, I also want to throw a check in to
> verify that they have membership in a particular group. So I've added a
> Ldap-Group item to each item in the "users" file that specifies the DN of the
> group I want to enforce membership in. However, I can't seem to hit upon the
> proper syntax to do this. So what syntax do you use to enforce LDAP group
> membership for a given realm?
>
> Using the Autz-Type example as a base might make it clearer than my description
> above; the basedn isn't really what I'm using, but sed
> s/customer1/dc=example1,dc=com/ and s/customer2/dc=example2,dc=com/ and you
> have something close:
>
> radiusd.conf-----------------
>
> modules ldap ldap1{....basedn = "customer1" }
> ldap ldap2{....basedn = "customer2" }
>
> authenticate {
>     Auth-Type customer1 {
>         ldap1
>     }
>     Auth-Type customer2 {
>         ldap2
>     }
> }
>
> authorize {
>     preprocess
>     suffix
>     Autz-Type customer1 {
>         ldap1
>     }
>     Autz-Type customer2 {
>         ldap2
>     }
>     files
> }
>
> -----------------------------
>
> users file-------------------
> DEFAULT Realm == "customer1", Autz-Type := customer1, Auth-Type := customer1
> DEFAULT Realm == "customer2", Autz-Type := customer2, Auth-Type := customer2
>
> What I'd like to do is something like:
>
> DEFAULT Realm == "customer1", Ldap-Group == "cn=groupname,ou=Groups,dc=example1,dc=com", Autz-Type := customer1, Auth-Type := customer1
> DEFAULT Realm == "customer2", Ldap-Group == "cn=groupname,ou=Groups,dc=example2,dc=com", Autz-Type := customer2, Auth-Type := customer2
>
> However, with that syntax, I'm finding that everything falls through to the last
> line where I define a realm and tries to enforce membership in that group,
> which always fails. My understanding was that Fall-Through defaulted to No, so
> that if the first realm was matched, a group membership lookup would occur for
> that realm; if that succeeded, then Autz-Type and Auth-Type would be set and the
> whole process would move on.
>
> But, in reading the thread recently, entitled "multiple module lookups when only
> one should be used", I'm wondering if my understanding of how this actually
> occurs is wrong.
>
> I swear I had this working the way I expected it to in 0.9.0 but I've been
> running 0.9.3 since early December and it apparently hasn't been working since
> at least then. I vaguely remember tweaking one of the rlm_ldap.c filters in
> 0.9.0 but of course, I can't find whatever patch I wrote for it and there
> definitely is very little difference between rlm_ldap.c in 0.9.0 and 0.9.3.
> But maybe some other behaviour changed somewhere along the line as well.
>
> Any thoughts?
>
> Thanks,
> Kevin
>
> --
> Kevin M. Myer
> Systems Administrator
> Lancaster-Lebanon Intermediate Unit 13
> (717) 560-6140
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
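The matching behaviour the question turns on (entries are tried in order, an entry whose check items fail is skipped, and Fall-Through only matters after an entry has matched), as an added simplified model in Python; this is not FreeRADIUS code or anything from the thread. The user names and group memberships are constructed, and the Ldap-Group comparison is stubbed with a callback in place of rlm_ldap.

```python
# Simplified model of how the "users" file DEFAULT entries are matched.
# Added illustration, not FreeRADIUS code: it follows the documented rules
# (entries are tried in order; an entry whose check items fail is skipped;
# after a match processing stops unless Fall-Through = Yes) and stubs the
# Ldap-Group comparison with a caller-supplied callback.

def match_entry(entry, request, group_member):
    """Return the attributes to set if every check item matches, else None.
    entry["checks"] is a list of (attr, op, value) with op '==' or ':='."""
    to_set = {}
    for attr, op, value in entry["checks"]:
        if op == ":=":                # ':=' always matches and sets the attribute
            to_set[attr] = value
        elif attr == "Ldap-Group":    # dynamic comparison answered by rlm_ldap
            if not group_member(request["User-Name"], value):
                return None
        elif request.get(attr) != value:
            return None
    return to_set

def process_users(entries, request, group_member):
    """Walk the entries in order; return (indexes that matched, updated request)."""
    matched, request = [], dict(request)
    for idx, entry in enumerate(entries):
        result = match_entry(entry, request, group_member)
        if result is None:
            continue                  # check items failed: try the next entry
        request.update(result)
        matched.append(idx)
        if not entry.get("fall_through"):
            break                     # Fall-Through defaults to No
    return matched, request

# Constructed entries mirroring the ones proposed in the thread.
USERS = [
    {"checks": [("Realm", "==", "customer1"),
                ("Ldap-Group", "==", "cn=groupname,ou=Groups,dc=example1,dc=com"),
                ("Autz-Type", ":=", "customer1"), ("Auth-Type", ":=", "customer1")]},
    {"checks": [("Realm", "==", "customer2"),
                ("Ldap-Group", "==", "cn=groupname,ou=Groups,dc=example2,dc=com"),
                ("Autz-Type", ":=", "customer2"), ("Auth-Type", ":=", "customer2")]},
]

# Constructed directory contents: group DN -> members (assumed names).
GROUPS = {"cn=groupname,ou=Groups,dc=example1,dc=com": {"alice"},
          "cn=groupname,ou=Groups,dc=example2,dc=com": {"bob"}}

def in_group(user, group_dn):
    return user in GROUPS.get(group_dn, set())
```

A user whose Ldap-Group check fails on the first DEFAULT is simply skipped to the next entry, whose Realm check then fails too, so no entry sets Auth-Type; that is the ordinary check-item mismatch path, not Fall-Through.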