
I'm setting up a Cisco ASA as a client vpn server. The appliance is relying on freeradius to authenticate the users. Freeradius has in turn been configured to query OpenLDAP.

The modules/ldap file has been configured to check group membership by using the following filter (members are listed under each group by using the attribute memberUid):

groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

The file freeradius/users has this statement:

DEFAULT LDAP-Group != "cn=unixadm,ou=groups,dc=services,dc=company,dc=com", Auth-Type := Reject

I would like to use multiple membership checks, for example to allow only users belonging to a set of groups. Apparently, freeradius fails if more than one group is specified.

I'm looking for a way to list more than one group.

The operating system used for freeradius and OpenLDAP is Ubuntu 10.04.

Nidal
spidernik84

1 Answer


I've found a way! The freeradius/users file has to be configured this way:

DEFAULT LDAP-Group == "cn=unixadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=developers,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=routingadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT Auth-Type := Reject
        Reply-Message = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."

The rest is the same. Tested to be working as expected!

spidernik84