Now that I have FreeRADIUS authenticating users via MSCHAPv2 and the
sambaNTPassword attributes, the next step in my project is to limit the system
so that only users in certain user groups can log in.
I'm using posixGroup groups, not groupOfNames or groupOfUniqueNames.
In my modules/ldap files I have:
groupname_attribute = "cn"
groupmembership_attribute = "memberUid"
groupmembership_filter = "(memberUid=%{Stripped-User-Name:-%{User-Name}})"
In my users I have
DEFAULT LDAP-Group == foo
However, even with these configuration options set, anyone with a valid login
and password can authenticate right now. In my "radiusd -X" I see:
rlm_ldap: performing search in dc=blah, with filter (&(cn=foo)(memberUid=test))
rlm_ldap: object not found or got ambiguous search result
But it then goes on to authenticate the user anyhow:
rlm_ldap: user test authorized to use remote access
I looked around on Google, and I see -lots- of stuff about configuring LDAP
group checks, but I haven't found anything that's all too helpful right now.
Is there some option that I have to set to tell the system to ignore a user
that's not in the proper group?
And then the follow-up question to this will be: is it possible to configure
FreeRADIUS to check for membership in more than one group? Put another way,
how can I let the system authenticate users in the "foo" group -or- in the
"bar" group?
Tim Gustafson
SOE Webmaster
UC Santa Cruz
[email protected]
831-459-5354
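One way to express the group allow-list in the users file, as an added example that is not part of the original post (it assumes the FreeRADIUS users-file semantics where a matched entry without Fall-Through stops processing, so a final DEFAULT entry catches everyone who matched nothing earlier):

```text
# Members of "foo" or "bar" match one of these entries and stop here
# (no Fall-Through set), so they never reach the Reject entry below.
DEFAULT LDAP-Group == "foo"

DEFAULT LDAP-Group == "bar"

# Anyone not matched above falls through to this entry and is rejected.
# A lone "DEFAULT LDAP-Group == foo" line only describes who matches;
# on its own it rejects nobody, which is the behaviour seen in the log.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not a member of an authorized group"
```

Verify with "radiusd -X" that a user outside both groups now receives an Access-Reject after the two rlm_ldap group searches are logged, and that a member of "bar" is accepted without reaching the Reject entry.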