
List:       freeradius-users
Subject:    Re: unlang post-auth group-name
From:       Phil Mayers <p.mayers () imperial ! ac ! uk>
Date:       2010-09-27 12:44:25
Message-ID: 4CA091A9.4000103 () imperial ! ac ! uk

On 27/09/10 11:44, Cameron Wood wrote:

> groupname_attribute = cn
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))"
>  groupmembership_attribute = radiusGroupName
> 
> 
> Attached is a debug log of my logon attempts with these settings, which
> still fails unfortunately.

The filter is invalid. You're missing a trailing ")" which is easily 
done in the stupid LDAP filter syntax.

> 
> 
> If you can query LDAP directly, do so. Do not use rlm_unix for LDAP
> queries, even if nsswitch is set up for it.
> 
> 
> Noted, are you able to elaborate on why this is the case though? I just
> like to understand, only if it's not too much trouble though.

Two main reasons: firstly, doing the LDAP lookups indirectly via 
rlm_unix is difficult to debug (as we are finding).

Secondly, doing the LDAP lookups directly gives you a richer 
interface to the underlying LDAP data. Doing it via rlm_unix limits you 
to schema elements present in the POSIX LDAP schema and get*ent calls.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
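The unbalanced-parenthesis mistake pointed out above is easy to catch mechanically before a filter goes into the rlm_ldap configuration. As an added example that is not part of the thread, here is a small Python validator for a subset of the RFC 4515 filter grammar, run over the filter quoted in the thread; the `%{...}` FreeRADIUS expansions are treated as opaque value text.

```python
"""Added example (not from the thread): validate the nesting of an LDAP
search filter (RFC 4515 subset) so an rlm_ldap groupmembership_filter
can be checked for unbalanced parentheses before it is loaded."""
import re

# One attribute=value comparison; %{...} xlat text is accepted as-is.
# Assumption: values contain none of ( ) & | ! (true for the filter here).
_ITEM = re.compile(r"[^()&|!]+")


def _parse_filter(text: str, pos: int) -> int:
    """Parse one '(...)' filter starting at pos; return the index after it."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("unexpected end of filter after '('")
    op = text[pos]
    if op in "&|":  # and / or: one or more nested filters
        pos += 1
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"'{op}' at offset {pos - 1} needs a nested filter")
        while pos < len(text) and text[pos] == "(":
            pos = _parse_filter(text, pos)
    elif op == "!":  # not: exactly one nested filter
        pos = _parse_filter(text, pos + 1)
    else:  # simple item such as objectClass=posixGroup
        m = _ITEM.match(text, pos)
        if not m or "=" not in m.group(0):
            raise ValueError(f"expected attribute=value at offset {pos}")
        pos = m.end()
    if pos >= len(text):
        raise ValueError(f"missing ')' at offset {pos} (end of input)")
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return pos + 1


def check_ldap_filter(text: str) -> tuple:
    """Return (True, 'ok') for a well-formed filter, else (False, reason)."""
    try:
        end = _parse_filter(text, 0)
    except ValueError as e:
        return False, str(e)
    if end != len(text):
        return False, f"trailing characters after filter at offset {end}"
    return True, "ok"


# The filter quoted in the thread (missing its final ')') and a balanced one.
BROKEN = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
          "(&(objectClass=posixGroup)(memberUid=%{control:Ldap-UserDN}))")
FIXED = BROKEN + ")"

if __name__ == "__main__":
    for f in (BROKEN, FIXED):
        print(check_ldap_filter(f))
```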