Hello,

We are using freeradius with an ldap backend for our users. We have a few services authenticating against the radius server that need to filter some groups of users.

For users we have a posix schema: our users have the posixAccount schema with their main group in the attribute gidNumber. Something like this:

    dn: uid=myuser,ou=Users,dc=domain.com
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: CourierMailAccount
    uid: myuser
    uidNumber: 123456
    gidNumber: 1001
    loginShell: /bin/bash
    mail: [EMAIL PROTECTED]
    ...

For the group entry we have:

    dn: cn=groupA,ou=Groups,dc=domain.com
    cn: groupA
    gidNumber: 1001
    objectClass: posixGroup
    objectClass: top

For the user's secondary groups we have:

    dn: cn=groupB,ou=Groups,dc=domain.com
    cn: groupB
    gidNumber: 1002
    objectClass: posixGroup
    objectClass: top
    memberUid: myuser

So this user belongs to groupA (main group) and groupB (secondary group). This is similar to the /etc/passwd and /etc/group files.

What I want is for the users entry below to reject access for user "myuser":

    DEFAULT Ldap-Group == "groupB", Auth-Type := Reject
            Reply-Message = "groupB users are not allowed to login"

I am trying various configurations but I can't get the right one. I have tried to configure it as:

    groupname_attribute = gidNumber
    groupmembership_filter = "(&(objectClass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_attribute = uid

but with this configuration I can filter just by the main group (myuser is still allowed). The configuration:

    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))"
    groupmembership_attribute = memberUid

seems to look just in secondary groups.

Is there any way to configure it to take account of both main and secondary groups with this structure?

Thanks in advance

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tfo: 968367590
Fax: 968398337
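The membership gap described in the post, as an added example that is not part of the original message and is not FreeRADIUS code: a Python sketch that resolves an account's groups from both gidNumber (main group) and memberUid (secondary groups) and shows how the groupB deny rule behaves under each lookup. The LDIF is constructed from the entries quoted in the post, and every function name is hypothetical.

```python
# Added example, not FreeRADIUS code. The LDIF is constructed from the
# entries quoted in the post; all function names are hypothetical.
LDIF = """\
dn: uid=myuser,ou=Users,dc=domain.com
objectClass: posixAccount
uid: myuser
gidNumber: 1001

dn: cn=groupA,ou=Groups,dc=domain.com
objectClass: posixGroup
cn: groupA
gidNumber: 1001

dn: cn=groupB,ou=Groups,dc=domain.com
objectClass: posixGroup
cn: groupB
gidNumber: 1002
memberUid: myuser
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def of_class(entries, object_class):
    return [e for e in entries if object_class in e.get("objectClass", [])]

def primary_groups(entries, uid):
    """cn of groups whose gidNumber matches the account's gidNumber."""
    gids = {g for u in of_class(entries, "posixAccount")
            if uid in u.get("uid", []) for g in u.get("gidNumber", [])}
    return {cn for grp in of_class(entries, "posixGroup")
            if gids & set(grp.get("gidNumber", [])) for cn in grp.get("cn", [])}

def secondary_groups(entries, uid):
    """cn of groups that list the account in memberUid."""
    return {cn for grp in of_class(entries, "posixGroup")
            if uid in grp.get("memberUid", []) for cn in grp.get("cn", [])}

def all_groups(entries, uid):
    return primary_groups(entries, uid) | secondary_groups(entries, uid)

def is_rejected(entries, uid, denied_group, lookup):
    """Deny rule: reject when the chosen lookup puts uid in denied_group."""
    return denied_group in lookup(entries, uid)

ENTRIES = parse_ldif(LDIF)
```

A deny rule evaluated against only one of the two lookups leaves the other membership path unchecked, so a group-based reject has to be tested with accounts that hold the group as main group and as secondary group.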