Active directory ldap groups
Leighton Man
l.j.man at hud.ac.uk
Thu Dec 3 15:03:00 CET 2009
Hi,
In modules/ldap, I have:
ldap ldap_staff {
    # queries the staff ou in AD
}
ldap ldap_student {
    # queries the student ou in AD
}
In authorise section of inner tunnel virtual server I have:
ldap_staff
if (ok) {
    update reply {
        Tunnel-Type = "VLAN"
        Tunnel-Medium-Type = "IEEE-802"
        Tunnel-Private-Group-Id = 141
    }
}
else {
    ldap_student
    if (ok) {
        update reply {
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = 142
        }
    }
    else {
        reject
    }
}
All is working OK: it happily authorises any user who exists in Active Directory and instructs the NAS which VLAN to put them into.
Now I'm trying to authorise/authenticate users in a particular AD group for console access to the NAS (Cisco switch).
In default virtual server I have, after pap:
$INCLUDE local/default_policy
And in local/default_policy:
if (!control:Auth-Type && request:NAS-Port-Type == Async && Ldap-Group == ADGROUP) {
    update control {
        Auth-Type = "ntlm_auth"
    }
}
ADGROUP is replaced with whichever group has the appropriate users.
If I don't have the Ldap-Group condition, everything works, except that any valid username/password pair works.
When I add the condition, radiusd -x shows
rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=user)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
First question - How do I tell rlm_ldap to query the staff ou without breaking the bit that is already working?
Second question - Is there any reason I shouldn't use the "$INCLUDE local/default_policy" construct? The idea is to make the policies easy to find as they get more complex; there are several more groups of users to go yet.
Thanks in advance,
Leighton
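An added example, not from the original post, of a console policy that names the LDAP instance it wants the group check to run against. It assumes FreeRADIUS 2.x, where each rlm_ldap instance whose name is not `ldap` also registers an `<instance>-Ldap-Group` attribute, so `ldap_staff-Ldap-Group` is resolved against the staff ou's base DN instead of whichever instance plain `Ldap-Group` happens to bind to; ADGROUP and the Async port type are taken from the post.

```unlang
# local/default_policy (example file, not the poster's own)
#
# Console logins on the switch arrive with NAS-Port-Type = Async.
# Only members of ADGROUP, looked up through the ldap_staff instance,
# get Auth-Type = ntlm_auth; everyone else is rejected here, so a valid
# AD password alone is no longer enough for console access.
if (!control:Auth-Type && request:NAS-Port-Type == Async) {
    # instance-specific group attribute registered by rlm_ldap for
    # the "ldap_staff" instance (assumed 2.x naming convention)
    if (ldap_staff-Ldap-Group == "ADGROUP") {
        update control {
            Auth-Type = "ntlm_auth"
        }
    }
    else {
        # explicit reject: without it Auth-Type stays unset and the
        # request is dropped later with "No Auth-Type found" anyway
        reject
    }
}
```

The VLAN-assignment block in inner-tunnel is untouched, because it calls `ldap_staff` and `ldap_student` by module name and never relies on the shared `Ldap-Group` attribute.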