Petr "Qaxi" Klíma wrote:

Hello

I am using freeradius (1.0.1) with SUN directory server (5.2)

Authentication (username:password) works well but I do not know how to use LDAP for group mapping (to Ldap-Group).

The problem:

In SUN DS, groups are defined in two ways (if you use the SUN JES system):

===================================================
"subscribe group"
$ ldapsearch cn=gprs_subscr
dn: cn=gprs_subscr,ou=Groups,dc=myorg
cn: gprs_subscr
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
objectClass: iplanet-am-managed-assignable-group
objectClass: iplanet-am-managed-group
memberURL: ldap:///dc=myorg??sub?memberof=cn=gprs_subscr,ou=Groups,dc=myorg
iplanet-am-group-subscribable: false
===================================================

or

===================================================
"filtered group"
$ ldapsearch cn=gprs_filter
dn: cn=gprs_filter,ou=Groups,dc=myorg
cn: gprs_filter
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
objectClass: iplanet-am-managed-filtered-group
objectClass: iplanet-am-managed-group
memberURL: ldap:///dc=myorg??sub?(&(uid=k*)(o=mysuborg))
===================================================

How should I set groupmembership_filter, or how should I use do_xlat (I probably misunderstand the feature)?


The FreeRADIUS ldap module supports *static* ldap groups. These groups are implemented either as a group entry containing member DNs or as a group membership attribute in the user entries. What you are looking for (evaluating the memberURL attribute during group evaluation) cannot be done in an efficient way. The memberURL is mostly an informational attribute used when browsing groups. You will have to use one of the two methods supported for ldap groups to work. Dynamic groups are costly and should be implemented on the ldap server side.


Thanks for any help
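For readers who want to see what the two static mechanisms named in the reply look like in practice, the following is an added example; it is not configuration from the thread or from the FreeRADIUS project. It shows an rlm_ldap section for FreeRADIUS 1.x using the `groupname_attribute`, `groupmembership_filter` and `groupmembership_attribute` directives together with a `users` entry keyed on `Ldap-Group`. The directory contents in the comments reuse the thread's naming (`dc=myorg`, `cn=gprs_subscr`); the member DN `uid=kpetr,ou=People,dc=myorg`, the server hostname and the per-user attribute name `radiusGroupName` are constructed assumptions about the deployment.

```conf
# Added example (not from the thread). FreeRADIUS 1.x rlm_ldap configured for
# the two *static* group mechanisms described in the reply. Directory data
# shown in comments is constructed and assumes the thread's dc=myorg tree.
#
# Method 1: the group entry lists its members. The groupOfUniqueNames
# objectClass already present on cn=gprs_subscr can carry them:
#
#   dn: cn=gprs_subscr,ou=Groups,dc=myorg
#   objectClass: groupOfUniqueNames
#   uniqueMember: uid=kpetr,ou=People,dc=myorg      # constructed member DN
#
# Method 2: each user entry carries a membership attribute maintained by the
# directory (attribute name radiusGroupName is an assumption here):
#
#   dn: uid=kpetr,ou=People,dc=myorg
#   radiusGroupName: gprs_subscr

modules {
    ldap {
        server = "ldap.myorg.example"          # placeholder hostname
        basedn = "dc=myorg"
        # Locate the user's entry; its DN becomes %{Ldap-UserDn}.
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Method 1: search under basedn for group entries whose uniqueMember
        # equals the authenticating user's DN. The cn of each hit is the
        # group name compared against the Ldap-Group check item.
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfUniqueNames)(uniqueMember=%{Ldap-UserDn}))"

        # Method 2: any value of this attribute in the user's own entry is
        # also accepted as a group name for the Ldap-Group comparison.
        groupmembership_attribute = radiusGroupName
    }
}

# users file: accept members of gprs_subscr, reject everyone else.
#
#   DEFAULT  Ldap-Group == "gprs_subscr"
#            Fall-Through = Yes
#
#   DEFAULT  Auth-Type := Reject
```

The `ldap` module has to be instantiated (listed in the `authorize` section ahead of `files`) for the `Ldap-Group` comparison to be registered; otherwise the check item in `users` never matches. Neither method consults `memberURL`: the thread's dynamic groups only take effect once the directory itself materialises the membership into `uniqueMember` values or into a per-user attribute that `groupmembership_attribute` can point at.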


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
