We are using FreeRADIUS with an LDAP backend for my users. We have a few
services authenticating against the RADIUS server that need to filter
some groups of users.

        For users we have a posix schema: our users have the posixAccount schema
with their main group in the attribute gidNumber. Something like this:

dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: CourierMailAccount
uid: myuser
uidNumber: 123456
gidNumber: 1001
loginShell: /bin/bash

        For the group entry we have:

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup
objectClass: top

        For user's secondary groups we have:

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
objectClass: top
memberUid: myuser

        So, this user belongs to groupA (main group) and groupB (secondary
group). This is similar to /etc/passwd and /etc/group files.

        What I want is for the users entry below to reject access to the user:

DEFAULT Ldap-Group == "groupB", Auth-Type := Reject
        Reply-Message = "groupB users are not allowed to login"

        I have been trying various configurations but I can't get the right one. I have
tried to configure it as:

groupname_attribute = gidNumber
groupmembership_filter = "(&(objectClass=posixAccount)(uid=
groupmembership_attribute = uid

        but with this configuration I can filter just by the main group (myuser
is still allowed).

        The configuration:

groupname_attribute = cn
groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=
groupmembership_attribute = memberUid

        seems to look just in secondary groups.

        Is there any way to configure it to take account of both main and secondary groups
with this structure?

        Thanks in advance

Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información       _o)
y las Comunicaciones Aplicadas (ATICA)      / \\
http://www.um.es/atica                    _(___V
Tfo: 968367590
Fax: 968398337
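
An added example, not part of the original post and not FreeRADIUS code: a Python sketch over a trimmed copy of the post's LDIF that resolves the main group through gidNumber and the secondary groups through memberUid, showing that a deny rule on groupB can only match when the memberUid lookup is part of the result. The function names are assumptions made for illustration.

```python
# Constructed sample: the post's three entries, trimmed to the relevant attributes.
LDIF = """\
dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
uid: myuser
gidNumber: 1001

dn: cn=groupA,ou=Groups,dc=domain.com
cn: groupA
gidNumber: 1001
objectClass: posixGroup

dn: cn=groupB,ou=Groups,dc=domain.com
cn: groupB
gidNumber: 1002
objectClass: posixGroup
memberUid: myuser
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def primary_groups(entries, uid):
    """Main group: posixGroup whose gidNumber equals the user's own gidNumber."""
    gids = {g for e in entries if "posixAccount" in e.get("objectClass", [])
            and uid in e.get("uid", []) for g in e["gidNumber"]}
    return {e["cn"][0] for e in entries
            if "posixGroup" in e.get("objectClass", []) and gids & set(e["gidNumber"])}

def secondary_groups(entries, uid):
    """Secondary groups: posixGroup entries listing the user in memberUid."""
    return {e["cn"][0] for e in entries
            if "posixGroup" in e.get("objectClass", []) and uid in e.get("memberUid", [])}

def all_groups(entries, uid):
    """Union of both lookups, as /etc/passwd plus /etc/group would resolve."""
    return primary_groups(entries, uid) | secondary_groups(entries, uid)

ENTRIES = parse_ldif(LDIF)
if __name__ == "__main__":
    print(sorted(all_groups(ENTRIES, "myuser")))
```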
