One question relating to this is about the /etc/raddb/users file. It doesn't seem to work as it's documented. If I have a group set to be rejected based on its membership like this:

    DEFAULT Group="disabled", Auth-Type:=Reject

radius doesn't even check for group membership. The only way it seems to get directed to check membership is with a negative check (!=).

    DEFAULT LDAP-Group!="newgroup", Auth-Type:=Reject

Regardless, I still can't figure out what filter would validate the user "newuser" as a member of "newgroup":

    performing search in cn=accounts,dc=abc,dc=xyz, with filter (&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz")(uid=newuser)))

This is the output of the ldapsearch that shows the group and the fact that the user is a member:

    # LDAPv3
    # base <cn=accounts,dc=abc,dc=xyz> with scope subtree
    # filter: (&(cn=newgroup))
    # requesting: ALL
    #

    # newgroup, groups, accounts, abc.xyz
    dn: cn=newgroup,cn=groups,cn=accounts,dc=abc,dc=xyz
    objectClass: top
    objectClass: groupofnames
    objectClass: nestedgroup
    objectClass: ldapsergroup
    objectClass: ldapobject
    objectClass: posixgroup
    cn: newgroup
    description: switch administrators
    gidNumber: 895800006
    ipaUniqueID: 5de42704-ab1d-11e1-8e07-525400579da7
    member: uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Radius-authentication-against-LDAP-question-tp5713463p5713503.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
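
Added example, not part of the original post and not FreeRADIUS code: a minimal evaluator for the AND/equality subset of LDAP search filters, run against the group entry from the ldapsearch output above. The function names and the BY_MEMBER filter are illustrative assumptions; the logged filter and the entry values are copied from the post. It lists which filter items the group entry cannot satisfy.

```python
# Added illustration (not from the original post): evaluate the AND/equality
# subset of LDAP filters against one entry, to see which items block a match.

def parse(f, i=0):
    """Parse '(&(a=b)(c=d))' or '(a=b)' at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if f[i + 1] == "&":
        i, kids = i + 2, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        if f[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return ("and", kids), i + 1
    j = f.index(")", i)                       # simple item: attr=value
    attr, value = f[i + 1:j].split("=", 1)    # the value itself may contain '='
    return ("eq", attr.lower(), value.lower()), j + 1

def matches(node, entry):
    """True if the entry (dict: lowercase attr -> list of values) satisfies node."""
    if node[0] == "and":
        return all(matches(k, entry) for k in node[1])
    _, attr, value = node
    return value in (v.lower() for v in entry.get(attr, []))

def unmet(node, entry):
    """List the equality items the entry fails, in filter order."""
    if node[0] == "and":
        return [u for k in node[1] for u in unmet(k, entry)]
    return [] if matches(node, entry) else ["%s=%s" % node[1:]]

# Relevant attributes of the group entry, copied from the ldapsearch output.
GROUP = {
    "cn": ["newgroup"],
    "member": ["uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz"],
}
# Filter exactly as it appears in the "performing search" line of the post.
LOGGED = ('(&(cn=newgroup)(&(memberOf="cn=newgroup,cn=groups,cn=accounts,'
          'dc=abc,dc=xyz")(uid=newuser)))')
# Hypothetical alternative that tests the group's own member attribute.
BY_MEMBER = "(&(cn=newgroup)(member=uid=newuser,cn=users,cn=accounts,dc=abc,dc=xyz))"

if __name__ == "__main__":
    for name, flt in (("logged", LOGGED), ("by member", BY_MEMBER)):
        tree, _ = parse(flt)
        print(name, matches(tree, GROUP), unmet(tree, GROUP))
```

The logged filter asks for a single entry that carries cn=newgroup, memberOf and uid=newuser together; the group entry shown has neither memberOf nor uid, so both items are reported as unmet, while the filter on member matches.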

