You need to store them in ldap with the +=. Now you probably have it like this:

dn: ...
securityrole: testgroup1
securityrole: testgroup2
securityrole: Users

change it to this

dn: ...
securityrole: testgroup1
securityrole: += testgroup2
securityrole: += Users

That should send back all of them. If it's easier you could make them all += if you'd like and it should still work.

-Dusty Doris

On Fri, 18 Jun 2004, Rivera, Denis wrote:

> Thank you for the reply.
> Here is the output from radius. The problem I'm having is that only one group
> name is returned. As shown below I have value testgroup2 and users not being
> returned.
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 10.32.2.108:1142, id=3, length=48
>         User-Name = "testuser"
>         User-Password = "test123"
> modcall: entering group authorize for request 0
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for testuser
> radius_xlat: '(uid=testuser)'
> radius_xlat: 'o=PUSD,c=US'
> ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 0
> rlm_ldap: bind as / to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: performing search in o=PUSD,c=US, with filter (uid=testuser)
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding ntPassword as NT-Password, value C5A237B7E9D8E708D8436B6148A25FA1 & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: Adding securityRole as Filter-Id, value testgroup1 & op=11
> rlm_ldap: Adding securityRole as Filter-Id, value testgroup2 & op=11
> rlm_ldap: Adding securityRole as Filter-Id, value Users & op=11
> rlm_ldap: user testuser authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "files" returns notfound for request 0
> modcall[authorize]: module "eap" returns noop for request 0
> modcall: group authorize returns ok for request 0
> rad_check_password: Found Auth-Type LDAP
> auth: type "LDAP"
> modcall: entering group authenticate for request 0
> rlm_ldap: - authenticate
> rlm_ldap: login attempt by "testuser" with password "test123"
> rlm_ldap: user DN: uid=testuser,ou=Information Technology,o=PUSD,c=US
> rlm_ldap: (re)connect to 127.0.0.1:389, authentication 1
> rlm_ldap: bind as uid=testuser,ou=Information Technology,o=PUSD,c=US/test123 to 127.0.0.1:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: user testuser authenticated succesfully
> modcall[authenticate]: module "ldap" returns ok for request 0
> modcall: group authenticate returns ok for request 0
> Login OK: [testuser/test123] (from client edcenter port 0)
> Sending Access-Accept of id 3 to 10.32.2.108:1142
>         Filter-Id = "testgroup1"
> Finished request 0
>
> > -----Original Message-----
> > From: Dustin Doris [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, June 17, 2004 11:12 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: Re: LDAP groups send reply
> >
> > > > Hello,
> > > > I would like to know if this is possible
> > > > Send a Class or Filter-Id attribute to the NAS, with the content
> > > > being the names of the LDAP groups to which the user belongs.
> > > >
> > > > Thank you,
> > > > denis
> > > >
> > >
> > > How does the NAS expect the group to come back?
> > >
> > > Class:
> > >
> >
> > Sorry, I guess I hit send too early. What I meant was what radius
> > attribute is the nas expecting for the groups? An example could be the
> > radius attribute Class.
> >
> > In that case, you would make sure the following is in ldap.attrmap
> > replyItem Class radiusClass
> >
> > Then in your ldap directory, you would store the reply items.
> >
> > radiusClass: "OU=group.com;"
> >
> > The one above is an example for Cisco VPN concentrators.
> >
> > Need to add more? Use +=, read the man page on users.
> >
> > -Dusty Doris
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
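
Added example (not part of the original thread, and not FreeRADIUS code): a small Python model of the =, += and := reply-item operators from the users man page, applied to the securityrole values discussed above. It shows why the original entry returns only Filter-Id = "testgroup1" and which values are silently dropped. The function names, and treating a value with no operator prefix as "=", are assumptions made for this illustration.

```python
import re

# Constructed sample data taken from the LDAP entries shown in the thread.
BEFORE = ["testgroup1", "testgroup2", "Users"]
AFTER = ["testgroup1", "+= testgroup2", "+= Users"]
ALL_PLUS = ["+= testgroup1", "+= testgroup2", "+= Users"]


def parse_ldap_value(raw):
    """Split an LDAP value such as '+= testgroup2' into (operator, value).

    Assumption: a value with no leading operator behaves like '='.
    """
    m = re.match(r"\s*(:=|\+=|=)\s*(.*)$", raw)
    if m:
        return m.group(1), m.group(2)
    return "=", raw.strip()


def build_reply(ldap_values, attr="Filter-Id"):
    """Apply users(5)-style operator semantics to a list of LDAP values.

    Returns (reply, dropped): the reply pairs that would be sent, and the
    values that were read from the directory but never reach the NAS.
    """
    reply, dropped = [], []
    for raw in ldap_values:
        op, value = parse_ldap_value(raw)
        present = any(a == attr for a, _ in reply)
        if op == ":=":
            # Replace: discard earlier instances of the attribute.
            dropped += [v for a, v in reply if a == attr]
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":
            # Append: always add another instance.
            reply.append((attr, value))
        elif not present:
            # '=': add only if no instance of the attribute exists yet.
            reply.append((attr, value))
        else:
            dropped.append(value)
    return reply, dropped


if __name__ == "__main__":
    for name, values in (("before", BEFORE), ("after", AFTER), ("all +=", ALL_PLUS)):
        reply, dropped = build_reply(values)
        print(name, "->", [v for _, v in reply], "dropped:", dropped)
```

When group names in a reply attribute drive authorization on the NAS, a non-empty dropped list means the NAS is deciding on fewer groups than the directory holds.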

