Hi Alan~

>>  You already said you are now running 2.1.12.  Why are you repeating 
>> yourself?  Do you think we're stupid, and we don't understand your messages? 
>>  What version WERE you using before this?  I asked, and you didn't say that. 
>>  

Current:  radiusd: FreeRADIUS Version 2.1.12, for host i386-apple-darwin12.0, 
built on Jun 20 2012 at 16:50:26  (Mountain Lion)

Previous:  radiusd: FreeRADIUS Version 2.1.3, for host i386-apple-darwin10.0, 
built on Apr 11 2011 at 17:19:07  (Snow Leopard)



> DEFAULT Group-Name == "testgroup"

> 
>        Tunnel-Type = 13,
>        Tunnel-Medium-Type = 6,
>        Tunnel-Private-Group-Id = "101",
>        Fall-Through = no
>  You do realize that format is incorrect, right?  The extra blank line is 
> wrong.

Due to an email pasting mistake.  The actual config does not have the blank line.


>  You already said that.  Why are you repeating yourself?  I didn't ask for 
> this debug output.  I didn't suggest you were lying about it.  You already 
> said REPEATEDLY that "it works with User-Name".  Maybe you think it's helpful 
> to repeat yourself, and post enough useless output?  The problem here is NOT 
> that something changed.  The problem is that YOU are REFUSING to find out 
> what changed.  YOU are REFUSING to use simple debugging methods to track down 
> what changed.

Only tried to re-state the issue more clearly as I assumed my explanation was 
unclear.  I have no doubt that this forum knows far more about freeradius than 
I do.

I realize the explanation "nothing changed / it doesn't work" gets old...  but 
I don't know what to tell you.  I'm assuming that the Group-Name field is not 
being set anymore via the OpenDirectory module included in Apple's latest 
freeradius deployment?  maybe so, maybe not?  (I don't know)

In the meantime... assuming the group is no longer passed back via 
OpenDirectory...  I've attempted to perform an LDAP query via the authorize 
section /etc/raddb/sites-enabled/default to help retrieve the Group-Name.


I have now made the following modifications:

####################
/etc/raddb/sites-enabled/default

####################
authorize {
...
# uncomment ldap
ldap
...
}

####################
/etc/raddb/modules/ldap

####################
ldap {
...
        server = "myserver.mydomain.com"
        basedn = "dc=myserver,dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        base_filter = "(objectclass=posixAccount)"
...
        groupname_attribute = cn
        groupmembership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
...
        ldap_debug = 0x0028
...
}


####################
/etc/raddb/users
####################
...

DEFAULT Ldap-Group == "testgroup"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "101",
        Fall-Through = no

DEFAULT Ldap-Group == "testgroup2"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "102",
        Fall-Through = no


Preliminary testing of the above appears to work.  The server appears to allow 
authentication via OpenDirectory, and group VLAN tagging via LDAP queries to 
OpenDirectory for group membership tracking.   I will continue to test.   

I realize that the Apple platform for freeradius probably represents a minority 
user base.   My hope is that anyone else encountering a similar issue may be 
helped by these posts.  We have found that Apple's default 
OpenDirectory/OpenLDAP attribute mappings for memberUid (etc.) are slightly 
different than other Linux distributions  (so perhaps someone else can benefit 
from the rough draft above).

Feedback and questions are welcome if any of the above configurations look 
blatantly wrong or could be made better.   I appreciate the help and patience.
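As an added illustration (not part of the original thread or of FreeRADIUS itself), here is a small Python checker for the users-file entries above: it parses the two DEFAULT Ldap-Group entries, rejects the blank-line variant Alan flagged, and walks the entries the way the users file does (first match wins unless Fall-Through = yes) to show which VLAN reply a user in a given set of LDAP groups gets. It assumes only Ldap-Group check items and simple Attr = value reply items, which is all these entries use; the sample text is constructed from the post.

```python
import re

# Constructed sample: the corrected entries from the post, and the broken variant
# with a blank line between the check line and the reply items.
GOOD = '''DEFAULT Ldap-Group == "testgroup"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "101",
        Fall-Through = no

DEFAULT Ldap-Group == "testgroup2"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "102",
        Fall-Through = no
'''
BROKEN = 'DEFAULT Ldap-Group == "testgroup"\n\n        Tunnel-Type = 13,\n'

CHECK_RE = re.compile(r'^(\S+)\s+Ldap-Group\s*==\s*"([^"]*)"\s*$')
REPLY_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^",]*)"?\s*,?\s*$')


def parse_users(text):
    """Return [(group, {attr: value})]; raise ValueError on orphaned reply lines."""
    entries, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            current = None  # a blank line terminates the current entry
            continue
        m = CHECK_RE.match(line)
        if m:
            current = (m.group(2), {})
            entries.append(current)
            continue
        m = REPLY_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
            continue
        raise ValueError(f"line {lineno}: reply item with no entry (blank line above?)")
    return entries


def vlan_for_groups(entries, groups):
    """First matching Ldap-Group entry wins unless it sets Fall-Through = yes."""
    reply = {}
    for group, items in entries:
        if group in groups:
            reply.update({k: v for k, v in items.items() if k != "Fall-Through"})
            if items.get("Fall-Through", "no").lower() != "yes":
                break
    return reply
```

Feeding it the group list that the ldap module's groupmembership_filter would return for a user shows which Tunnel-Private-Group-Id that user lands in, which is a quick sanity check before testing against the real switch.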
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html