Config. Help please - ldap and Active Directory

Leighton Man l.j.man at hud.ac.uk
Tue Mar 10 12:21:35 CET 2009


> Now I'm trying to return different reply attributes 
> depending on Active Directory group membership and restrict 
> which groups can authenticate. Ldap lookups against the 
> active directory root fail with operation error. 
> Reconfiguring Active Directory is not a viable option so I 
> have to specify an OU=xxxx in the query. I have configured 
> two instances of the ldap module for authorisation, one to 
> query the staff ou and the other to query the student ou. 
> Both work OK for valid queries but if the user does not exist 
> in the ou the server still authenticates the 
> username/password and grants access if valid.
> 
> You need to upgrade to 2.x and use unlang. See man unlang on 
> freeradius site. You need something like:
> 
> if Ldap-Group == staff { do something }
> elsif Ldap-Group == student { do something else} else update 
> control { to reject }
> 


I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
I can't do "if Ldap-Group" because there is no container in Active Directory above staff and student to query.

What I think I need is:

# call the staff instance; "ok" here tests its return code
ldap_staff
if (ok) {
	update reply {
		..................
	}
}
else {
	ldap_student
	if (ok) {
		update reply {
			..................
		}
	}
	else {
		# in neither OU: stop here so authenticate never runs
		update control {
			Auth-Type := Reject
		}
	}
}

where ldap_staff and ldap_student are instances of the ldap module.
I simply can't get the syntax right.
Am I on the right track? If so, a little help please.

Regards,
Leighton
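
A fuller version of the same idea, as an added example that is not from this thread: two ldap instances scoped to the staff and student OUs, called in turn from the authorize section, with the reject placed in the control list so that authentication never runs for a user found in neither OU. The server name, base DNs, bind account, filter and reply attributes are assumed placeholders.

```unlang
# raddb/modules/ldap (FreeRADIUS 2.1.x): one instance per OU.
# Hostnames, DNs and the bind account are placeholders.
ldap ldap_staff {
	server = "ad.example.com"
	identity = "CN=radius,OU=Service Accounts,DC=example,DC=com"
	password = "CHANGE-ME"
	basedn = "OU=staff,DC=example,DC=com"
	# Active Directory keys on sAMAccountName, not uid
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

ldap ldap_student {
	server = "ad.example.com"
	identity = "CN=radius,OU=Service Accounts,DC=example,DC=com"
	password = "CHANGE-ME"
	basedn = "OU=student,DC=example,DC=com"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

# raddb/sites-enabled/default, authorize section.
# "if (ok)" tests the return code of the module called just before it.
authorize {
	preprocess
	ldap_staff
	if (ok) {
		update reply {
			Reply-Message := "staff"
		}
	}
	else {
		ldap_student
		if (ok) {
			update reply {
				Reply-Message := "student"
			}
		}
		else {
			# found in neither OU: reject before authenticate runs
			update control {
				Auth-Type := Reject
			}
		}
	}
}
```

Only the authorize decision is shown; the authenticate section still needs an Auth-Type LDAP block that binds with one of these instances.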
 



