(RADIATOR) <AuthBy LDAP2> and Group membership checks?
Jan Tomasek
jan at tomasek.cz
Fri Sep 2 03:08:03 CDT 2005
Hi,
> I have this working successfully with the following config. Hope it is
> useful.
>
> <Realm blahblah>
> RewriteUsername s/^([^@]+).*/$1/
> <AuthBy LDAP2>
> Identifier xxxLDAP
> Host xx.xx.xx.xx
> Port 389
> AuthDN cn=someacct,cn=Users,dc=xxxnet,dc=net
> AuthPassword somepasswd
> BaseDN ou=XXX Users,dc=xxxnet,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
> SearchFilter
> (&(%0=%1)(memberOf=CN=somegroup,OU=Security,OU=Groups,DC=xxxnet,DC=net))
> </AuthBy>
> # Log accounting to the detail file in LogDir
> AcctLogFileName %L\XXX\%Y%m.log
> </Realm>
This requires that each user entry has the attribute memberOf.
| [02/Sep/2005:09:38:09 +0200] conn=2160967 op=1 msgId=10 - SRCH
| base="dc=cesnet,dc=cz" scope=2
| filter="(&(uid=semik)(memberOf=cn=Employees,ou=Groups,dc=cesnet,dc=cz))"
| attrs="tacuserpassword"
This is the same way as the dynamic groups that Ingvar suggested. I need to
configure Radiator to check a specified group in a 2nd step after a successful
password check.
Our user groups are static; we need to distribute group management between
different people, but none of them can get permission to modify a user's entry.
Thank you both for your time. I'm posting the configuration I used in a reply to
Hugh's post.
Best regards
--
--------------------------------------------------------------
Jan Tomasek aka Semik work: CESNET, z.s.p.o.
http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
Czech Republic
phone(work): +420 2 2435 5279 http://www.cesnet.cz/
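Added example, not code from this thread or from Radiator: it builds the single-step memberOf filter from the quoted config (matching the logged search above) and the two-step check Jan wants for static groups, where membership is stored on the group entry rather than on the user. DIRECTORY is constructed sample data; ou=People is assumed, while dc=cesnet,dc=cz, uid=semik and cn=Employees come from the logged search.

```python
# Added example; not code from the thread or from Radiator. DIRECTORY is a
# constructed sample directory (ou=People is assumed); only dc=cesnet,dc=cz,
# uid=semik and cn=Employees come from the logged search in the message.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so a
    username substituted into %1 cannot alter the filter's structure."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def memberof_filter(username_attr: str, username: str, group_dn: str) -> str:
    """Single-step filter like the quoted SearchFilter: works only if every
    user entry carries memberOf (e.g. Active Directory)."""
    return '(&(%s=%s)(memberOf=%s))' % (
        username_attr, escape_filter_value(username), escape_filter_value(group_dn))

def static_group_filter(group_cn: str, user_dn: str) -> str:
    """Second-step filter for a static group: the group entry lists its members."""
    return '(&(cn=%s)(member=%s))' % (
        escape_filter_value(group_cn), escape_filter_value(user_dn))

# Constructed sample data: the user has no memberOf; membership lives on the group.
DIRECTORY = {
    'uid=semik,ou=People,dc=cesnet,dc=cz': {'uid': ['semik']},
    'uid=guest,ou=People,dc=cesnet,dc=cz': {'uid': ['guest']},
    'cn=Employees,ou=Groups,dc=cesnet,dc=cz': {
        'cn': ['Employees'],
        'member': ['uid=semik,ou=People,dc=cesnet,dc=cz'],
    },
}

def find_user_dn(directory, username_attr, username):
    """Step 1: resolve the user's DN by username."""
    for dn, attrs in directory.items():
        if username in attrs.get(username_attr, []):
            return dn
    return None

def is_static_member(directory, user_dn, group_dn):
    """Step 2: accept only if the group entry's member attribute names the user.
    DN comparison is simplified to case-insensitive string equality."""
    group = directory.get(group_dn)
    if group is None:
        return False
    members = [m.lower() for m in group.get('member', [])]
    return user_dn.lower() in members

def authorize(directory, username_attr, username, group_dn):
    """Combined two-step check; returns (user_dn, allowed)."""
    user_dn = find_user_dn(directory, username_attr, username)
    return user_dn, user_dn is not None and is_static_member(directory, user_dn, group_dn)
```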