List: freeradius-users
Subject: Re: unlang post-auth group-name
From: Phil Mayers <p.mayers () imperial ! ac ! uk>
Date: 2010-09-27 12:44:25
Message-ID: 4CA091A9.4000103 () imperial ! ac ! uk
On 27/09/10 11:44, Cameron Wood wrote:
> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
> groupmembership_attribute = radiusGroupName
>
> Attached is a debug log of my logon attempts with these settings, which
> still fails unfortunately.
The filter is invalid. You're missing a trailing ")" which is easily
done in the stupid LDAP filter syntax.
>
> If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
> queries, even if nssswitch is setup for it.
>
> Noted, are you able to elaborate on why this is the case though, just
> like to understand, only if it's not too much trouble though.
Two main reasons: firstly, doing the LDAP lookups indirectly via
rlm_unix is difficult to debug (as we are finding).
Secondly, doing the LDAP lookups directly gives you a richer
interface to the underlying LDAP data. Doing it via rlm_unix limits you
to schema elements present in the posix LDAP schema and get*ent calls.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
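The unbalanced filter above is the kind of defect that is easier to catch before the config is loaded than by reading the debug log. The following is an added example, not code from this thread or from the FreeRADIUS project: a small recursive-descent checker for RFC 4515 filter syntax that reports the offset at which parsing fails. It treats FreeRADIUS `%{...}` expansions as opaque text, and the "fixed" filter below is a constructed version of the quoted one with the missing ")" appended; the filters are checked as strings only and nothing is sent to a directory.

```python
"""Validate the syntax of an LDAP search filter (RFC 4515) before using it.

Added example for the thread above; it is not FreeRADIUS code.  It parses
the filter string and reports where parsing stops, which catches the
missing trailing ")" in the quoted groupmembership_filter.  FreeRADIUS
%{...} expansions are skipped as opaque text.  Simple items and the
&, | and ! operators are covered; extensible-match syntax (":=") is not.
"""

HEXDIGITS = set("0123456789abcdefABCDEF")

# Filter exactly as quoted in the thread (one ")" short).
BROKEN_FILTER = (
    "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
    "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
)
# Constructed corrected version: the same filter with the final ")" added.
FIXED_FILTER = BROKEN_FILTER + ")"


class FilterError(ValueError):
    def __init__(self, msg, pos):
        super().__init__(f"{msg} at offset {pos}")
        self.pos = pos


def _parse_filter(s, i):
    """Parse "(" filtercomp ")" starting at s[i]; return index after ")"."""
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '('", i)
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter", i)
    if s[i] in "&|":
        # Compound filter: one or more nested filters follow the operator.
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError("'&' and '|' need at least one nested filter", i)
    elif s[i] == "!":
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')'", i)
    return i + 1


def _parse_item(s, i):
    """Parse attr [~|<|>]= value; return index of the ")" that ends it."""
    start = i
    while i < len(s) and (s[i].isalnum() or s[i] in "-.;:_"):
        i += 1
    if i == start:
        raise FilterError("expected attribute description", i)
    if i < len(s) and s[i] in "~<>":
        i += 1
    if i >= len(s) or s[i] != "=":
        raise FilterError("expected '=' after attribute", i)
    i += 1
    while i < len(s):
        ch = s[i]
        if ch == "%" and s[i + 1:i + 2] == "{":
            # FreeRADIUS expansion: skip to the closing "}" without inspecting it.
            close = s.find("}", i)
            if close == -1:
                raise FilterError("unterminated %{...} expansion", i)
            i = close + 1
            continue
        if ch == "\\":
            # RFC 4515 escapes a byte as backslash plus two hex digits.
            pair = s[i + 1:i + 3]
            if len(pair) != 2 or not set(pair) <= HEXDIGITS:
                raise FilterError("bad escape, expected \\XX", i)
            i += 3
            continue
        if ch == "(":
            raise FilterError("unescaped '(' in value", i)
        if ch == ")":
            break
        i += 1
    return i


def check_filter(f):
    """Return (ok, message); ok is True only if the whole string parses."""
    try:
        end = _parse_filter(f, 0)
    except FilterError as e:
        return False, str(e)
    if end != len(f):
        return False, f"trailing characters at offset {end}"
    return True, "ok"


if __name__ == "__main__":
    for label, flt in (("quoted", BROKEN_FILTER), ("corrected", FIXED_FILTER)):
        ok, msg = check_filter(flt)
        print(f"{label:9s} -> {'OK' if ok else 'INVALID'}: {msg}")
```

Run stand-alone, the script flags the quoted filter with `expected ')'` at the end of the string and accepts the corrected one; the offset points at exactly where the parser ran out of input, which is how a missing close paren shows up in this syntax.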