rlm_ldap and multiple ldap calls?

Alexander Clouter alex at digriz.org.uk
Wed Dec 24 00:34:56 CET 2008


JR Mayberry <mayberry at loonybin.net> wrote:
> 
> I'm not really sure if I'm doing this right, maybe someone can provide 
> guidance. I have two problems a) how to structure my directory and b) how to do 
> two lookups in rlm_ldap.
> 
> But, effectively, LDAP is our authorization store and I'm proxying RADIUS to an 
> RSA server for authentication only. We're removing all authorization from RSA.
> 
> So, I've got devices in ou=Hosts,dc=blah,dc=com that are following the ipHost 
> objectClass. Basically, I need a mechanism to put those devices into 
> 'groupOfIpHosts' - which isn't a real concept.
> 
> So, I use the 'seeAlso' attribute to reference a group of systems for that 
> particular ipHost.
> 
> Then, I lookup that group and check if the user authenticating is a 
> uniqueMember in that group.
> 
> So, I'm basically doing two ldap lookups. Right now, I'm doing it in an 
> rlm_perl module which has obvious disadvantages (ldap persistence).
> 
> So
> a) is there a better way to structure my directory?
>
Without knowing properly what you are doing, your situation and where 
you want to go with this later down the line, it's hard to tell.  That 
ipHostNumber is being used as an index makes me feel that there is 
something iffy with the direction that you are taking...this can be 
taken off list if you do want to continue it.

> b) can I do multiple ldap lookups using rlm_ldap to achieve same end goal?
> 
The rlm_ldap module, regardless of what others say, can be persuaded to do 
what you want.

> LDAP calls look like this now
> 
> 1) get the hosts group
> 
>         $mesg = $ldap->search(
>                         base   => "ou=Hosts,dc=comcast,dc=com",
>                         filter => "(&(ipHostNumber=$ipaddress))",
>                         attrs => ["seeAlso"],
>                              );
> ## returns group membership into $group
> 
basedn = "ou=Hosts,dc=comcast,dc=com"
filter = "(&(objectclass=ipHost)(ipHostNumber=$ipaddress))"

Then the LDAP-UserDn will be filled as you wish.  If you want a 
particular attribute then look to the ldap xlat bits.

> 2) verify user in group
>                 $mesg = $ldap->search (
>                         base   => $group,
>                         filter => 
> qq{(&(uniqueMember=uid=$username,ou=users,dc=comcast,dc=com))},
>                         attrs => ["uniqueMember"],
>                              );
> 
groupmembership_filter = "(objectclass=groupOfIpHosts)"
groupmembership_attribute = uniqueMember

Then LDAP-Group will give you what you need to check.

This of course is all in the documentation... :-/

http://wiki.freeradius.org/index.php/Rlm_ldap

Cheers

Alex

-- 
Alexander Clouter
.sigmonster says: <Marticus> There's too much blood in my caffeine system.
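As an added illustration (not code from this thread, nor from FreeRADIUS or rlm_ldap), here is the two-lookup check JR describes, written against a small constructed in-memory directory; it assumes dc=example,dc=com naming, made-up host and user entries, and that membership in any group the host's seeAlso points at is sufficient. It shows the fail-closed handling of unknown hosts and hosts with no seeAlso, and the DN normalisation needed before comparing uniqueMember values.

```python
# Added example of the ipHost -> seeAlso -> group -> uniqueMember flow from
# the thread, run against a constructed in-memory directory rather than a
# live LDAP server. All DNs, hosts and users below are made up.

def norm_dn(dn):
    """Normalise a DN for comparison: DNs match case-insensitively and
    whitespace around the RDN separators is not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed directory: DN -> attributes (every attribute is multi-valued).
DIRECTORY = {
    "cn=vpn-gw1,ou=Hosts,dc=example,dc=com": {
        "objectClass": ["ipHost", "device"],
        "ipHostNumber": ["192.0.2.10"],
        "seeAlso": ["cn=netops,ou=Groups,dc=example,dc=com"],
    },
    "cn=netops,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        # Deliberately spaced/cased differently to show why norm_dn matters.
        "uniqueMember": ["uid=alice, ou=Users, dc=example, dc=com"],
    },
    "cn=orphan-host,ou=Hosts,dc=example,dc=com": {
        "objectClass": ["ipHost"],
        "ipHostNumber": ["192.0.2.11"],      # no seeAlso: must be denied
    },
}

def search(base, attr, value):
    """Return (dn, attrs) entries under `base` whose `attr` holds `value`."""
    base_n = norm_dn(base)
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if norm_dn(dn).endswith("," + base_n) and value in attrs.get(attr, [])]

def authorize(nas_ip, username, hosts_base="ou=Hosts,dc=example,dc=com",
              users_base="ou=Users,dc=example,dc=com"):
    """Lookup 1: the device by ipHostNumber. Lookup 2: is the user a
    uniqueMember of a group named in the device's seeAlso? Any gap denies."""
    hosts = search(hosts_base, "ipHostNumber", nas_ip)
    if len(hosts) != 1:                 # unknown or ambiguous device: deny
        return False
    groups = hosts[0][1].get("seeAlso", [])
    if not groups:                      # device tied to no group: deny
        return False
    # Against a real server, escape `username` before placing it in a DN/filter.
    user_dn = norm_dn("uid=%s,%s" % (username, users_base))
    for group_dn in groups:
        members = DIRECTORY.get(group_dn, {}).get("uniqueMember", [])
        if user_dn in {norm_dn(m) for m in members}:
            return True
    return False
```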