Re: Ldap Group Attribute radiusGroupName

Old 02-16-2005
Kostas Kalevras

On Wed, 16 Feb 2005, Chan Min Wai wrote:

> Hello,
>
> Something seems to be missing somewhere.
> I've followed the same way. But there is still no sign of LDAP-Group in
> the log.
> Below is the log.
>
> Dustin Doris wrote:
>> ldap_howto.txt in the doc directory tells you how, not sure how outdated
>> that is by now, I will be rewriting it sometime this quarter.
>>
>> Anyway, in case it is outdated, here is how I do it now.
>>
>> in radiusd.conf ldap section
>>
>> groupname_attribute = radiusGroupName
>
> Done,
>
>> groupmembership_filter =
>> "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
>
> The Same
>
>> In the users file on the first line
>>
>> DEFAULT Ldap-Group == disabled, Auth-Type := Reject
>
> Yep 1st Line
>
>> In your ldap entry
>>
>> dn: uid=user,...
>> ...otherstuff...
>> radiusgroupname: disabled
>
> modified
>
> rlm_ldap: Entering ldap_groupcmp()
> radius_xlat: 'dc=optics,dc=net,dc=my, dc=.'
> radius_xlat: '(uid=dcmwai)'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: attempting LDAP reconnection
> rlm_ldap: (re)connect to 203.115.210.254:389, authentication 0
> rlm_ldap: bind as cn=Manager, dc=./password to 203.115.210.254:389
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> rlm_ldap: performing search in dc=optics,dc=net,dc=my, dc=., with filter
> (uid=dcmwai)
> rlm_ldap: object not found or got ambiguous search result
> rlm_ldap::ldap_groupcmp: search failed


You've got multiple instances of the ldap module and you're using the wrong
one to perform group checks. Use:

DEFAULT <ldap_instance>-Ldap-Group == disabled, Auth-Type := Reject

instead.

--
Kostas Kalevras Network Operations Center
kkalev@noc.ntua.gr National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
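To make the fix concrete, here is a two-instance layout in the style of the thread, written as an added example rather than anything posted by Kostas or Chan. The server name, DNs, bind password and the instance name `ldap_groups` are placeholders; the only thing that matters is that the users file names the instance in its check item.

```conf
# radiusd.conf (FreeRADIUS 1.x style) -- two rlm_ldap instances.
# Hostnames, DNs, the bind password and the name "ldap_groups" are placeholders.
modules {
    # Default instance, named "ldap": used only for the password lookup.
    # With a second instance present, a plain "Ldap-Group" check item can
    # end up being evaluated by whichever instance is not the one carrying
    # groupname_attribute, which is what the failed search in the log shows.
    ldap {
        server   = "ldap.example.com"
        identity = "cn=Manager,dc=example,dc=com"
        password = "CHANGEME"          # placeholder
        basedn   = "ou=people,dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    }

    # Second instance: the one that knows about radiusGroupName.
    ldap ldap_groups {
        server   = "ldap.example.com"
        identity = "cn=Manager,dc=example,dc=com"
        password = "CHANGEME"          # placeholder
        basedn   = "ou=people,dc=example,dc=com"
        filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupname_attribute    = radiusGroupName
        groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    }
}

# Instantiate the group instance up front so the "ldap_groups-Ldap-Group"
# check item already exists when the users file is parsed.
instantiate {
    ldap_groups
}

authorize {
    preprocess
    ldap
    files
}

# users file, first entry.  The instance name is part of the check item,
# so the comparison is always done by ldap_groups and never by the other instance.
DEFAULT ldap_groups-Ldap-Group == disabled, Auth-Type := Reject
```

With `radiusd -X`, a correctly wired check item shows `ldap_groupcmp` searching under the `ldap_groups` basedn rather than the stray `dc=.` seen in the thread's log.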