Hugh Blandford wrote:
> I have been experimenting with using FreeRADIUS and LDAP, trying to get
> some understanding of how groups are handled.
The LDAP-Group attribute checks if the user is in a particular LDAP
group. That's it.
> I can place an LDAP group name in the users file and then have my LDAP
> user checked against it and return the relevant attributes.
That's how it works.
> However, I was hoping to not use the users file. I was hoping that:
>
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>
> groupmembership_attribute = radiusGroupName
>
> would mean you could add the attribute radiusGroupName to a user's entry
> and it would then look up the relevant GroupofNames and add those
> attributes to the return items. However, when I add radiusGroupName to
> a user's entry I don't see any groupname lookups in the debug at all.
No. The documentation does not say it works that way.
> What I actually want to do might not be solved best by LDAP groups.
> Most of our customers are in different VRFs and this, the loopback
> address and DNS servers etc are returned. Rather than store this
> information under each user I would like to have template that I refer
> to. However, at the same time, having 50+ default entries didn't seem
> the right way to do it either.
That's what groups are for.
You can use "unlang" to do more complex configurations than are
allowed in the "users" file.
Alan DEKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
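Below is an added example of the approach Alan describes (one LDAP group per VRF, with each group's reply items written once in unlang instead of as 50+ entries in the users file). It is not configuration from the original thread or from the FreeRADIUS project. It assumes FreeRADIUS 2.x syntax (to match the rlm_ldap settings quoted above), a group naming scheme of vrf-<customer>, and a NAS that understands the Cisco-AVPair and MS-Primary-DNS-Server/MS-Secondary-DNS-Server attributes; the server name, base DN, group names, VRF names and addresses are all made up for illustration.

```unlang
# modules/ldap (FreeRADIUS 2.x). Group lookups are done exactly the way
# the quoted configuration already does them. server, basedn and filter
# are illustrative assumptions, not values from the thread.
ldap {
    server = "ldap.example.net"
    basedn = "dc=example,dc=net"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
    # Listing group names in a user entry via groupmembership_attribute
    # does not by itself trigger any lookup; membership is only tested
    # when something compares against LDAP-Group.
    groupmembership_attribute = radiusGroupName
}

# sites-enabled/default, authorize section. The users file is not used
# at all; each "template" is one if-block keyed on LDAP group membership.
authorize {
    preprocess

    # Run ldap first: its authorize call records the user's DN, which the
    # group filter above expands as %{Ldap-UserDn}.
    ldap

    # Template for customer A's VRF. Adding a customer to this VRF means
    # adding their entry to the vrf-customerA group in LDAP, nothing else.
    if (LDAP-Group == "vrf-customerA") {
        update reply {
            Cisco-AVPair += "ip:vrf-id=customerA"
            Cisco-AVPair += "ip:ip-unnumbered=Loopback10"
            MS-Primary-DNS-Server := 10.10.0.53
            MS-Secondary-DNS-Server := 10.10.1.53
        }
    }
    # Template for customer B's VRF: same shape, different values.
    elsif (LDAP-Group == "vrf-customerB") {
        update reply {
            Cisco-AVPair += "ip:vrf-id=customerB"
            Cisco-AVPair += "ip:ip-unnumbered=Loopback20"
            MS-Primary-DNS-Server := 10.20.0.53
            MS-Secondary-DNS-Server := 10.20.1.53
        }
    }
    # A user who exists but belongs to no VRF group would otherwise be
    # placed in the global routing table with no VRF binding. Refuse
    # explicitly instead of relying on whatever the NAS does by default.
    else {
        reject
    }

    pap
}
```

The security-relevant part is the final else: with per-VRF templates, the failure mode to watch for is a user who authenticates but matches no template, because the NAS then applies its own defaults rather than the intended VRF isolation. Rejecting in that case makes a missing group assignment a visible authentication failure instead of a silent mis-placement. Each additional VRF is one more elsif block; if the number of VRFs grows large, the same pattern can be kept but moved to a per-group reply lookup so that the unlang itself stays short.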