LDAP Groups + SQL Authorization

Mike Loosbrock mloosbro at bnet.bethel.edu
Mon Mar 22 17:28:58 CET 2010


Hello List,

Suppose the following situation:

1.) All the users and groups are stored in AD.
2.) The AD schema cannot be extended to hold RADIUS attributes.
3.) But the RADIUS attributes can be stored in a database.

Is there a way to configure FreeRADIUS to compile a user's group
membership via rlm_ldap and then pass that group information on
to rlm_sql for group authorization?

I thought about getting the user's groups by fetching the multi-
valued 'memberOf' attribute from AD and then copying it to the
control list via ldap.attrmap. But I don't see any way to then
make rlm_sql use that attribute in an authorization query (at
least in any sort of useful manner).

One work-around is to periodically export the AD group 
membership data and rebuild the usergroup table from it. I'd
really like to avoid this approach if at all possible.

-- 
Mike Loosbrock
Bethel University Network Services
651-638-6723
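The hand-off the question describes (take the group names out of AD's multi-valued memberOf, then let the SQL group tables decide the reply) can be prototyped outside FreeRADIUS. The script below is an added example, not code from the post or from FreeRADIUS: it reduces each memberOf DN to its CN, then walks radgroupcheck/radgroupreply (stock FreeRADIUS column names) the way rlm_sql walks groups, honouring check items and Fall-Through, but with the group list coming from LDAP instead of the usergroup table. The memberOf values, table rows, and the plain dict standing in for the RADIUS request are all constructed for the example.

```python
"""
Prototype: AD 'memberOf' values -> group names -> FreeRADIUS-style SQL group authorization.

Everything below (the memberOf list, the table rows, the request dict) is
constructed sample data for this example; only the table/column names follow
the stock FreeRADIUS schema.
"""
import re
import sqlite3

# Constructed memberOf values for one test user, as AD returns them (DN per group).
MEMBER_OF = [
    "CN=VPN-Users,OU=Groups,DC=example,DC=edu",
    "CN=Staff,OU=Groups,DC=example,DC=edu",
    r"CN=Smith\, John Team,OU=Groups,DC=example,DC=edu",  # LDAP-escaped comma inside the CN
]

# Group tables with the column layout of the stock FreeRADIUS schema.
SCHEMA = """
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT, attribute TEXT, op TEXT, value TEXT);
"""
# (table, groupname, attribute, op, value) -- constructed sample rows.
SAMPLE_ROWS = [
    ("radgroupcheck", "VPN-Users", "NAS-Port-Type", "==", "Virtual"),
    ("radgroupreply", "VPN-Users", "Framed-Protocol", "=", "PPP"),
    ("radgroupreply", "VPN-Users", "Fall-Through", "=", "Yes"),
    ("radgroupreply", "Staff", "Session-Timeout", "=", "28800"),
    ("radgroupreply", "Guests", "Session-Timeout", "=", "600"),  # the test user is not a member
]

# First RDN of the DN; '\\.' before '[^,]' so an escaped comma stays inside the CN.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)


def group_names_from_member_of(member_of):
    """Reduce each memberOf DN to its CN and undo LDAP backslash escaping."""
    names = []
    for dn in member_of:
        m = _CN_RE.match(dn)
        if m:
            names.append(re.sub(r"\\(.)", r"\1", m.group(1)))
    return names


def build_db():
    """In-memory SQLite database loaded with the constructed group rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, *row in SAMPLE_ROWS:
        # table comes from the constant list above, not from user input
        conn.execute(
            f"INSERT INTO {table} (groupname, attribute, op, value) VALUES (?, ?, ?, ?)", row
        )
    return conn


def _check_items_match(conn, group, request):
    """All radgroupcheck rows for the group must hold against the request (== and != only)."""
    rows = conn.execute(
        "SELECT attribute, op, value FROM radgroupcheck WHERE groupname = ? ORDER BY id", (group,)
    ).fetchall()
    for attr, op, value in rows:
        actual = request.get(attr)
        if op == "==" and actual != value:
            return False
        if op == "!=" and actual == value:
            return False
    return True


def authorize(conn, member_of, request):
    """Walk the LDAP-derived groups like rlm_sql walks usergroup rows:
    the first group whose check items pass contributes its reply items;
    later groups are consulted only if that group set Fall-Through = Yes.
    memberOf carries no priority, so groups are taken in the order AD returned them."""
    reply = []
    for group in group_names_from_member_of(member_of):
        if not _check_items_match(conn, group, request):
            continue
        rows = conn.execute(
            "SELECT attribute, op, value FROM radgroupreply WHERE groupname = ? ORDER BY id", (group,)
        ).fetchall()
        fall_through = False
        for attr, op, value in rows:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, op, value))
        if not fall_through:
            break
    return reply


if __name__ == "__main__":
    db = build_db()
    print(group_names_from_member_of(MEMBER_OF))
    print(authorize(db, MEMBER_OF, {"NAS-Port-Type": "Virtual"}))
    print(authorize(db, MEMBER_OF, {"NAS-Port-Type": "Wireless-802.11"}))
```

With NAS-Port-Type = Virtual the VPN-Users check passes, its Framed-Protocol reply is added, and Fall-Through lets Staff add Session-Timeout; with a wireless port type VPN-Users is skipped and only the Staff reply survives. Guests never contributes because it is not in memberOf. The part this prototype does not settle is the wiring inside FreeRADIUS itself (getting the LDAP-derived names into rlm_sql's group queries), which is exactly the open question of the post.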



More information about the Freeradius-Users mailing list