groupmembership_filter for LDAP module [sec: unclas]
alexeim at orcsoftware.com
Tue Aug 22 15:08:36 CEST 2006
Thanks for your advice!
Something is still missing....
Here is what I have in the LDAP section of radiusd.conf:
basedn = "dc=mydomain,dc=com"
groupname_attribute = "cn"
And in "users":
DEFAULT Auth-Type = LDAP
DEFAULT LDAP-Group == vpnusers
Service-Type = Administrative-Use
radiusd -X says this when reading the LDAP section:
ldap: basedn = "dc=mydomain,dc=com"
ldap: filter =
ldap: base_filter = "(objectclass=radiusprofile)"
ldap: default_profile = "(null)"
ldap: profile_attribute = "(null)"
ldap: password_header = "(null)"
ldap: password_attribute = "(null)"
ldap: access_attr = "(null)"
ldap: groupname_attribute = "cn"
ldap: groupmembership_filter =
ldap: groupmembership_attribute = "(null)"
ldap: dictionary_mapping = "/usr/local/etc/raddb/ldap.attrmap"
ldap: ldap_debug = 0
ldap: ldap_connections_number = 5
ldap: compare_check_items = yes
ldap: access_attr_used_for_allow = yes
ldap: do_xlat = yes
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
But it says nothing about any search for "vpnusers" group during login,
which is still successful for users outside the group....
on 8/22/2006 9:47 AM Ranner, Frank MR wrote:
> -----Original Message-----
> freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.or
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freer
> adius.org] On Behalf Of Alexei Monastyrnyi
> Sent: Tuesday, 22 August 2006 07:12
> To: FreeRadius users mailing list
> Subject: groupmembership_filter for LDAP module
> Hi List.
> I am trying to enable group filter to allow only certain LDAP users to
> be able to login to my VPN hub.
> I run FreeRADIUS 1.0.2 on SPARC Solaris 9
> All users are in group
> listed as "memberUid"s
> In radiusd.conf I have the following
> filter =
> groupmembership_filter =
> groupmembership_attribute = "vpnusers"
> It doesn't seem to work, no sign of searching for "vpnusers" in LDAP
> server logs and users that are not in this group are still able to log
> I may be missing something... Hints of where to look would be highly
> 1. You need to have an LDAP-Group check item in users:
> DEFAULT LDAP-Group == vpnusers
> Service-Type = Administrative-User
> 2. You need groupname_attribute. This is ANDed to the filter to provide
> groupname_attribute = cn
> 3. Your filter is overcomplicated, all you need is this:
> The rlm_ldap module adds on (cn=vpnusers) as a result of items 1 and
> That's it. As long as the other stuff is right, like the binddn and the base
> dn, this should at least generate ldap activity in the radiusd -X output.
> Frank Ranner
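Added example, not code from this thread or from FreeRADIUS: a small Python model of how the 1.x "users" file is walked (the first DEFAULT entry whose check items match is used, and later entries are consulted only when that entry carries Fall-Through = Yes) and of how the Ldap-Group check item Frank describes turns into one LDAP search with (cn=vpnusers) ANDed onto the membership filter. The group entries and the (memberUid=<user>) membership filter are constructed assumptions that fit groups listing members as memberUid.

```python
# Constructed group entries: posixGroup objects listing members by memberUid.
GROUPS = [
    {"cn": "vpnusers", "memberUid": ["alice"]},
    {"cn": "staff", "memberUid": ["alice", "bob"]},
]

def ldap_groupcmp(user, groupname, searches, groupname_attribute="cn"):
    """Model of ldap_groupcmp: (groupname_attribute=groupname) is ANDed onto
    groupmembership_filter, assumed here to be (memberUid=<user>); the user
    is in the group iff the search returns at least one entry."""
    searches.append(f"(&({groupname_attribute}={groupname})(memberUid={user}))")
    return any(g[groupname_attribute] == groupname and user in g["memberUid"]
               for g in GROUPS)

def authorize(entries, user):
    """Model of the files module: entries are tried in order, the first whose
    check items all match is used, and later entries are consulted only when
    the matching entry carries Fall-Through = Yes.  Returns the collected
    config/reply items and the LDAP searches that were actually issued."""
    searches, result = [], {}
    for check, reply in entries:
        matched = True
        for attr, op, value in check:
            if attr == "Ldap-Group" and op == "==":
                matched &= ldap_groupcmp(user, value, searches)
            elif op == "=":  # "set if not already set": always matches
                result.setdefault(attr, value)
            else:
                raise ValueError(f"unsupported check item {attr} {op} {value}")
        if not matched:
            continue
        result.update({k: v for k, v in reply.items() if k != "Fall-Through"})
        if reply.get("Fall-Through") != "Yes":
            break
    return result, searches

# The two DEFAULT entries as posted: the first matches every user and ends the
# walk, so the Ldap-Group check is never evaluated and no search is issued.
AS_POSTED = [
    ([("Auth-Type", "=", "LDAP")], {}),
    ([("Ldap-Group", "==", "vpnusers")], {"Service-Type": "Administrative-User"}),
]

# Same entries with Fall-Through = Yes on the first (assumed fix), so the
# second DEFAULT and its Ldap-Group check are reached.
WITH_FALL_THROUGH = [
    ([("Auth-Type", "=", "LDAP")], {"Fall-Through": "Yes"}),
    ([("Ldap-Group", "==", "vpnusers")], {"Service-Type": "Administrative-User"}),
]
```

Running authorize(AS_POSTED, "bob") issues no LDAP search at all, which matches the silent radiusd -X output above; authorize(WITH_FALL_THROUGH, "bob") issues (&(cn=vpnusers)(memberUid=bob)) and leaves bob without the Service-Type reply item.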