Hi Alan,
I changed "Group" to "Ldap-Group" in the users file; however, FreeRADIUS cannot find the group name I specify in the users file. I think the reason is that the basedn ("ou=people,dc=richard,dc=com") I set in radiusd.conf is for users only; the group is bound to a different basedn ("ou=group,dc=richard,dc=com"). So ldap_groupcmp() cannot find the group in the basedn ("ou=people,dc=richard,dc=com"). Since I don't want to authenticate the group membership, and just want to get the name of the group to which the user belongs, I don't think I need to configure any group authentication for LDAP.
The result is that the user is authenticated, but the Tunnel-Private-Group-ID is not assigned in the Access-Accept message because no group name matches.
When I changed it back, it works fine. I am not sure what "Group" represents in FreeRADIUS. I only configured group "1" and group "10" in LDAP. I did a test as follows.
I changed the name of group "10" to group "20" in LDAP, and kept all other configuration. When the user who was in group "10" before and is in group "20" now tried to authenticate, it was successful except that no Tunnel-Private-Group-ID was assigned, since there is no group "20" in the users file. So I assume that "Group" does have something to do with the LDAP group.
I am using SuSE enterprise server 10 and the OpenLDAP integrated with it. Do you think the groups configured in LDAP have some relationship with the Unix groups you mentioned?
Richard
On 10/31/06, Alan DeKok <[EMAIL PROTECTED]> wrote:
"Richard" <[EMAIL PROTECTED]> wrote:
> Right now the situation is the RADIUS can authenticate the user in
> LDAP. But the group attribute does work.
As I said before, "Group" is for Unix groups. If you want to check
LDAP groups, you should use the LDAP-Group attribute.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

