LDAP Groups + SQL Authorization

Mike Loosbrock mloosbro at bnet.bethel.edu
Mon Mar 22 17:28:58 CET 2010

Hello List,

Suppose the following situation:

1.) All the users and groups are stored in AD.
2.) The AD schema cannot be extended to hold RADIUS attributes.
3.) But the RADIUS attributes can be stored in a database.

Is there a way to configure FreeRADIUS to compile a user's group
membership via rlm_ldap and then pass that group information on
to rlm_sql for group authorization?

I thought about getting the user's groups by fetching the multi-
valued 'memberOf' attribute from AD and then copying it to the
control list via ldap.attrmap. But I don't see any way to then
make rlm_sql use that attribute in an authorization query (at
least in any sort of useful manner).

One work-around is to periodically export the AD group 
membership data and rebuild the usergroup table from it. I'd
really like to avoid this approach if at all possible.

Mike Loosbrock
Bethel University Network Services
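The export-and-rebuild work-around mentioned in the post, as an added example (not code from the original post or from FreeRADIUS): it takes a constructed AD export of users and their memberOf DNs, maps group DNs to RADIUS group names, and rebuilds a radusergroup-style table (username, groupname, priority) in one transaction. The export format, the group mapping and the sample data are assumptions; the table layout follows the usergroup table rlm_sql reads. It matches on the full group DN rather than the CN alone, so a same-named group in another OU does not get the same RADIUS group.

```python
"""Rebuild a FreeRADIUS-style usergroup table from an AD group export.

Added example, not from the original post. Models the work-around the
post describes: export AD group membership and rebuild the SQL usergroup
table from it. Export format, group mapping and sample data are
constructed; the table layout follows the radusergroup table
(username, groupname, priority) that rlm_sql queries.
"""
import sqlite3

# Constructed sample export: one line per user, memberOf values separated
# by ';' (AD returns memberOf as a multi-valued list of full DNs).
SAMPLE_EXPORT = """\
alice;CN=VPN-Users,OU=Groups,DC=example,DC=edu;CN=Staff,OU=Groups,DC=example,DC=edu
bob;CN=VPN-Users,OU=Contractors,DC=example,DC=edu
carol;CN=Staff,OU=Groups,DC=example,DC=edu
"""

# Assumed mapping from full group DN (lower-cased) to (RADIUS group, priority).
# Matching on the full DN, not just the CN, keeps a same-named group in
# another OU (the contractors' 'VPN-Users' above) from being granted access.
GROUP_MAP = {
    "cn=vpn-users,ou=groups,dc=example,dc=edu": ("vpn", 1),
    "cn=staff,ou=groups,dc=example,dc=edu": ("staff", 2),
}


def parse_export(text):
    """Yield (username, [memberOf DN, ...]) for each non-empty export line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        yield fields[0].strip(), [dn.strip() for dn in fields[1:] if dn.strip()]


def usergroup_rows(text, group_map=GROUP_MAP):
    """Turn the export into (username, groupname, priority) rows.

    DNs are compared case-insensitively, as LDAP treats them; DNs not in
    the mapping are ignored, so only explicitly listed groups grant anything.
    """
    rows = []
    for user, dns in parse_export(text):
        for dn in dns:
            mapped = group_map.get(dn.lower())
            if mapped:
                rows.append((user, mapped[0], mapped[1]))
    return rows


def rebuild_usergroup_table(conn, rows):
    """Replace the table contents in a single transaction, so rlm_sql never
    sees a half-written table between the DELETE and the INSERTs."""
    with conn:
        conn.execute(
            "CREATE TABLE IF NOT EXISTS radusergroup ("
            "username TEXT NOT NULL, groupname TEXT NOT NULL, "
            "priority INTEGER NOT NULL DEFAULT 1)"
        )
        conn.execute("DELETE FROM radusergroup")
        conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", rows)


def groups_for(conn, username):
    """The lookup rlm_sql's group membership query performs, by priority."""
    cur = conn.execute(
        "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        (username,),
    )
    return [r[0] for r in cur.fetchall()]


def build_db(text=SAMPLE_EXPORT):
    """Build an in-memory database from an export (stand-in for the real one)."""
    conn = sqlite3.connect(":memory:")
    rebuild_usergroup_table(conn, usergroup_rows(text))
    return conn


if __name__ == "__main__":
    db = build_db()
    for user in ("alice", "bob", "carol"):
        print(user, groups_for(db, user))
```

Run against a real export, the script would be scheduled, and the database connection would point at the rlm_sql backend; the single-transaction rebuild is what keeps authorization answers consistent while the table is being refreshed.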
