On Thu, 14 Jul 2005, Shelbyville.Unwired wrote:

> I would like to check group membership before authenticating user
> login requests.
>
> I currently have radiusd.conf set up such that all users can log in.
> However, after spending several days reading man pages and searching
> these archives I haven't found the key that unlocks my problem.
>
> radiusd.conf
>
> # <snip>
>
> ldap {
>     server = "xx.xx.xx.xx"                              # ad server address
>     identity = "cn=some_user,cn=users,dc=domain,dc=com" # bind account
>     password = "xxx"                                    # bind account password
>     basedn = "cn=users,dc=domain,dc=com"                # base dn
>     filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # uid
>     start_tls = no                                      # nope
>     dictionary_mapping = ${raddbdir}/ldap.attrmap       # default
>     ldap_connections_number = 5                         # why not
>     password_attribute = userPassword                   # no need to explain
>
>     # ok this is where things get real fuzzy - I've read rlm_ldap several times...
>
>     timeout = 4
>     timelimit = 3
>     net_timeout = 1
> }
>
> Users file remains untouched.
>
> Specifically, what else do I need to do to check if a user is a member of XYZ_group
> and, if so, authenticate them.
>
> Any help would be greatly appreciated. TYIA.
>
You will define where to search for group memberships in that section above. You left out the configs above. Look for groupname_attribute, groupmembership_filter and groupmembership_attribute. Configure those for how you have groups set up.

Then in the users file you can define a check for group membership, e.g.:

    DEFAULT Huntgroup-Name == dial, Ldap-Group == dial
    DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl
    DEFAULT Auth-Type := Reject

That says: must have the dial group if the request comes from a NAS in the dial huntgroup, must have adsl from an adsl NAS, otherwise reject.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
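A worked configuration for the setup the reply describes, added here as an illustration; it is not taken from the thread or from the FreeRADIUS project's shipped files. It assumes FreeRADIUS 1.x rlm_ldap syntax, an Active Directory backend where each user object carries a memberOf attribute listing group DNs and each group object lists its users in member, and placeholder values for the host, bind DN, password and group names (ad.example.com, radius_bind, XYZ_group, ADSL_group are all made up).

```conf
# --- radiusd.conf, the ldap { } block (FreeRADIUS 1.x rlm_ldap) ---
ldap {
    server = "ad.example.com"                               # placeholder AD host
    identity = "cn=radius_bind,cn=users,dc=example,dc=com"  # placeholder, read-only bind account
    password = "CHANGE_ME"                                  # placeholder
    basedn = "cn=users,dc=example,dc=com"
    filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"

    # Attribute on a group object that holds the name compared against Ldap-Group
    groupname_attribute = "cn"
    # Filter that ties a group object to the authenticating user's DN (AD uses 'member')
    groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    # Attribute on the user object that lists the DNs of the user's groups (AD: memberOf)
    groupmembership_attribute = "memberOf"

    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# --- huntgroups: Huntgroup-Name is only set if the NAS is listed here ---
# (NAS addresses are placeholders)
dial    NAS-IP-Address == 192.0.2.10
adsl    NAS-IP-Address == 192.0.2.20

# --- users: entries are tried top to bottom; the first match without Fall-Through wins ---
# Dial-in requests require membership of XYZ_group; adsl requests require ADSL_group.
DEFAULT Huntgroup-Name == "dial", Ldap-Group == "XYZ_group"

DEFAULT Huntgroup-Name == "adsl", Ldap-Group == "ADSL_group"

# Anything that reached this line matched no group rule above: reject it.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of an authorised group"
```

Two points worth checking before trusting this: the Reject DEFAULT must stay last, since an earlier unconditional entry would short-circuit every request, and the bind account only needs read access to the user and group containers. Run the server with radiusd -X and send a test request for a user in and a user outside XYZ_group; the debug output shows whether the Ldap-Group comparison succeeds, and the second request should end in the Reject entry rather than an Access-Accept.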