Thank you Peter for your email. I hadn't come across them in the list
search.
On 2/11/2010 14:16, Alan DeKok wrote:
Hugh Blandford wrote:
would mean you could add the attribute radiusGroupName to a user's entry
and it would then look up the relevant GroupofNames and add those
attributes to the return items. However, when I add radiusGroupName to
a user's entry I don't see any groupname lookups in the debug at all.
No. The documentation does not say it works that way.
When using the following sort of DEFAULT entry:
Ldap-Group == flat10000, User-Profile :=
"uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
there is no relevance to
groupmembership_attribute = radiusGroupName
Reading the rlm_ldap documentation, I thought that the
groupmembership_attribute was specified in the user entry, which was then
used to fetch the group information.
# groupmembership_attribute: The attribute in the user entry that states
# the group the user belongs to. The attribute can either contain the
# group name or the group DN. If it contains the group DN
# groupmembership_attribute will also be used to find the group's name.
# The attribute will be used after a search based on the
# groupname_attribute and groupmembership_filter has failed. default:
# NULL - don't search for a group based on attributes in the user entry.
Alan, I'm not saying you are wrong :-) more that I don't understand under
what circumstances / how it is used.
I do not see any group searching done in the debugs unless I specify an
LDAP-Group entry in the users file.
I thought that with groupmembership_attribute = radiusGroupName set and
an entry like
radiusGroupName = disabled or cn=disabled,ou=............. etc in a user
entry it would return additional attributes listed in the disabled group.
What I actually want to do might not be best solved by LDAP groups.
Most of our customers are in different VRFs, and this, the loopback
address, DNS servers etc. are returned. Rather than store this
information under each user I would like to have a template that I refer
to. However, at the same time, having 50+ DEFAULT entries didn't seem
the right way to do it either.
That's what groups are for.
Is it sensible to have 50 or so DEFAULT Ldap-Group entries? Or does
that show that I have totally failed in understanding what/how
FreeRADIUS should be used?
Thanks for your help.
Hugh
--
Hugh Blandford
Island Internet
ph 1300 130 428
mb 0412 016 875
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
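As an added illustration (not from Hugh's or Alan's mail), this is what the group-to-profile template pattern discussed in the thread looks like when spelled out: two DEFAULT entries in the users file that key on Ldap-Group and point User-Profile at a profile DN, plus the LDIF for one profile entry carrying the per-group reply items. The radiusprofile object class and radiusReplyItem attribute come from the FreeRADIUS LDAP schema; the account object class, the Cisco-AVPair/MS-*-DNS-Server reply values and the ordering assumption that rlm_files runs before rlm_ldap in authorize are mine.

```text
# raddb/users -- one DEFAULT entry per LDAP group (added example, not from the thread).
# Ldap-Group is evaluated by rlm_ldap's group comparison; User-Profile tells rlm_ldap
# which profile entry to read. Assumption: rlm_files runs before rlm_ldap in authorize,
# so User-Profile is already set when rlm_ldap fetches the profile.
DEFAULT Ldap-Group == "flat10000", User-Profile := "uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = No

DEFAULT Ldap-Group == "flat20000", User-Profile := "uid=flat20000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org"
        Fall-Through = No

# One profile entry in LDIF. Everything common to the group lives here rather than
# on each user entry. Attribute values are constructed sample data.
dn: uid=flat10000,ou=profiles,ou=radius,ou=wl,dc=example,dc=org
objectClass: top
objectClass: account
objectClass: radiusprofile
uid: flat10000
radiusReplyItem: Cisco-AVPair = "ip:vrf-id=FLAT10000"
radiusReplyItem: Cisco-AVPair = "ip:ip-unnumbered=Loopback10000"
radiusReplyItem: MS-Primary-DNS-Server = 192.0.2.53
radiusReplyItem: MS-Secondary-DNS-Server = 192.0.2.54
```

Adding a customer to a VRF then means adding the user to the matching groupOfNames, with no per-user reply attributes to keep in sync.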