LDAP Groups + SQL Authorization

Alan DeKok aland at deployingradius.com
Mon Mar 22 17:48:40 CET 2010

Mike Loosbrock wrote:
> 1.) All the users and groups are stored in AD.
> 2.) The AD schema cannot be extended to hold RADIUS attributes.

  Ah, the joys of Active Directory administration.

> 3.) But the RADIUS attributes can be stored in a database.
> Is there a way to configure FreeRADIUS to compile a user's group
> membership via rlm_ldap and then pass that group information on
> to rlm_sql for group authorization?

  Hmm.. that may be awkward.  It's not really set up to do that right now.

> I thought about getting the user's groups by fetching the multi-
> valued 'memberOf' attribute from AD and then copying it to the
> control list via ldap.attrmap. But I don't see any way to then
> make rlm_sql use that attribute in an authorization query (at
> least in any sort of useful manner).

  If it's an attribute, the SQL module can use it.  See "man unlang" for
how attributes are addressed.

  SELECT ... from ... where %{control:My-Attr...}

> One work-around is to periodically export the AD group 
> membership data and rebuild the usergroup table from it. I'd
> really like to avoid this approach if at all possible.


  Alan DeKok.

More information about the Freeradius-Users mailing list