Hi all,
I have set up freeRadius with eDir a couple of times now, but I'm looking to streamline the process so there is less fiddling with individual accounts.

I'd like to configure freeRadius for either of the following:

Authentication based on group membership in eDir, or have the profile setting that I create actually apply to the users that I assign the profile to

Previously I've had to assign the settings to each user manually (e.g. dialupAccess), even though they are in the profile.

I've looked at TID 3002371 and it hasn't helped me at all

If I remove the access_attr_used_for_allow = yes and access_attr = "dialupAccess" lines from the radius.conf file, then any user can use RADIUS, which is OK, but I would much prefer RADIUS to either use the settings in the profile, as I would expect it to, or use group membership to work out who can have RADIUS access.

As a test i've added the following lines to the users file:

# Entry 1: a request whose user is a member of the LDAP group "test" is sent to
# LDAP authentication; Fall-Through = 0 stops processing further entries.
# NOTE(review): reply items such as Fall-Through normally sit on an indented
# line under their entry; the indentation appears to have been lost in this
# paste - confirm against the real users file.
DEFAULT Ldap-Group == "test", Auth-Type = LDAP
Fall-Through = 0

# Entry 2: catch-all intended to reject everyone who did not match above.
# NOTE(review): the "=" operator sets Auth-Type only when no Auth-Type is
# present yet. If another module in the authorize section has already set one,
# this entry may not reject the request; ":=" forces the value. Verify with a
# user outside the group, since a catch-all that silently fails leaves access
# open. If this is the last entry, Fall-Through = 1 has nothing to continue to.
DEFAULT Auth-Type = Reject
Fall-Through = 1

And here's the LDAP portion of the radius.conf file:

# FreeRADIUS LDAP module instance, pointed at a Novell eDirectory server.
# Used here for user lookup, profile loading, the dialupAccess check and
# Ldap-Group comparisons.
ldap {
server = "192.168.93.10"
# NOTE(review): the module binds as the tree admin and the bind password is
# stored in clear text in this file. A dedicated account holding only the
# rights this module needs, plus tight file permissions on the config,
# limits the damage if the file or the RADIUS host is exposed.
identity = "cn=admin,o=cluster"
password = somepassword
basedn = "o=cluster"
# Look the user up by uid, preferring Stripped-User-Name when it is set.
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
# 636 is the LDAPS port, so the connection is encrypted from the start and
# start_tls stays "no" below.
port = 636
# base_filter = "(objectclass=radiusprofile)"

# set this to 'yes' to use TLS encrypted connections
# to the LDAP database by using the StartTLS extended
# operation.
# The StartTLS operation is supposed to be used with normal
# ldap connections instead of using ldaps (port 636) connections
start_tls = no

# CA certificate used to verify the directory server's certificate.
tls_cacertfile = /etc/raddb/cert.b64
# tls_cacertdir = /path/to/ca/dir/
# tls_certfile = /path/to/radius.crt
# tls_keyfile = /path/to/radius.key
# tls_randfile = /path/to/rnd
# "demand" refuses the connection when the server certificate cannot be
# verified. Keep it: the admin bind and the users' passwords cross this link.
tls_require_cert = "demand"

# DN of the profile object applied by default.
default_profile = "cn=radius,o=cluster"
# NOTE(review): this holds a DN, identical to default_profile. The module
# documentation describes profile_attribute as the NAME of an attribute on
# the user object that contains the DN of a profile (radiusProfileDn in the
# RADIUS LDAP schema). Presumably this is why an assigned profile is not
# picked up per user - confirm against the eDirectory schema in use.
profile_attribute = "cn=radius,o=cluster"
# Attribute consulted for the allow/deny decision (see
# access_attr_used_for_allow below). The module documentation describes it
# as read from the user object, which matches the poster's observation that
# setting it only in the profile is not enough.
access_attr = "dialupAccess"

# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap

ldap_connections_number = 5

#
# NOTICE: The password_header directive is NOT case insensitive
#
# password_header = "{clear}"
#
# Set:
password_attribute = nspmPassword
#
# to get the user's password from a Novell eDirectory
# backend. This will work *only if* freeRADIUS is
# configured to build with --with-edir option.
#
#
# The server can usually figure this out on its own, and pull
# the correct User-Password or NT-Password from the database.
#
# Note that NT-Passwords MUST be stored as a 32-digit hex
# string, and MUST start off with "0x", such as:
#
# 0x000102030405060708090a0b0c0d0e0f
#
# Without the leading "0x", NT-Passwords will not work.
# This goes for NT-Passwords stored in SQL, too.
#
# password_attribute = userPassword
#
# Un-comment the following to disable Novell eDirectory account
# policy check and intruder detection. This will work *only if*
# FreeRADIUS is configured to build with --with-edir option.
#
# Set to "yes" here, so the account policy check and intruder detection
# stay enabled for RADIUS logins.
edir_account_policy_check=yes
#
# Group lookup settings used when a users-file entry compares Ldap-Group.
# They are commented out here, so the module's built-in defaults apply.
# groupname_attribute = cn
# groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
# groupmembership_attribute = radiusGroupName
# Timeouts in seconds: wait for a server response, server-side search time
# limit, and network wait.
timeout = 4
timelimit = 3
net_timeout = 1
# compare_check_items = yes
# do_xlat = yes
# With "yes", access_attr acts as an allow flag: a user whose object lacks
# the attribute, or has it set to false, is denied. Removing this line and
# access_attr lets every directory user authenticate, as the poster notes,
# so another restriction (such as the group check) should be confirmed to
# work before dropping it.
access_attr_used_for_allow = yes

#
# By default, if the packet contains a User-Password,
# and no other module is configured to handle the
# authentication, the LDAP module sets itself to do
# LDAP bind for authentication.
#
# You can disable this behavior by setting the following
# configuration entry to "no".
#
# allowed values: {no, yes}
# set_auth_type = yes
}