Nick- I have found that we can use any attribute for the access, but I'm trying to expand our use of radius for another type of user login. In this case I've created an LDAP group for the new user role and have created a new radius virtual server to service the specific authentication and accounting. I have added the group membership checking to the ldap module, and set the filter for posixGroup. The meaningful config changes and output are below:
===============/etc/raddb/modules/ldap (excerpt)
groupname_attribute = cn
groupmembership_filter = "(&(objectclass=posixGroup)(memberUid=%u))"

===============/etc/raddb/users
DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject
        Reply-Message="You are not allowed to connect"

===============radiusd -X (excerpt)
[files]         expand: (&(objectclass=posixGroup)(memberUid=%u)) -> (&(objectclass=posixGroup)(memberUid=newhuser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group newgroup not found or user is not a member.
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Reject

===============ldapsearch output
# newgroup, groups, accounts, abc.xyz
dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ldapusergroup
objectClass: ldapobject
objectClass: posixgroup
cn: newgroup
description: new group
gidNumber: 895800006
ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713481.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
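
Added example (not part of the original post, and not FreeRADIUS code): a small evaluator for a subset of LDAP filter syntax, run over the group entry from the ldapsearch output and the expanded filter from the radiusd -X log, to show which assertion in the filter the entry fails. The function names and the DN-based filter variant are constructed for illustration.

```python
# Added example: evaluator for a subset of RFC 4515 filters (&, |, !, equality,
# presence). Matching is simplified to case-insensitive string comparison;
# a real directory server applies per-attribute matching rules.
# Attributes of the group entry, as shown in the ldapsearch output above.
GROUP_ENTRY = {
    "objectClass": ["top", "groupofnames", "nestedgroup", "ldapusergroup",
                    "ldapobject", "posixgroup"],
    "cn": ["newgroup"],
    "member": ["uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"],
}
# Expanded filter copied from the "performing search" line of the debug log.
LOGGED = "(&(cn=newgroup)(&(objectclass=posixGroup)(memberUid=newuser)))"
# Constructed variant (assumption): same filter, testing the DN-valued attribute.
DN_BASED = ("(&(cn=newgroup)(&(objectclass=posixGroup)"
            "(member=uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz)))")

def parse(flt, i=0):
    """Parse one parenthesised filter at flt[i]; return (node, next_index)."""
    if flt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if flt[i] in "&|!":
        op, i, kids = flt[i], i + 1, []
        while flt[i] == "(":
            kid, i = parse(flt, i)
            kids.append(kid)
        if flt[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = flt.index(")", i)
    attr, _, value = flt[i:end].partition("=")
    return ("=", attr.strip().lower(), value.strip().lower()), end + 1

def evaluate(node, entry):
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(have) if value == "*" else value in have

def failing_leaves(flt, entry):
    """List the attr=value assertions in flt that the entry does not satisfy."""
    def walk(n):
        if n[0] != "=":
            return [leaf for k in n[1] for leaf in walk(k)]
        return [] if evaluate(n, entry) else [f"{n[1]}={n[2]}"]
    return walk(parse(flt)[0])
```

`failing_leaves` reports leaf assertions as-is and does not account for negation, so read its output together with `evaluate` when a filter contains `!`.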

