LDAP Groups + SQL Authorization

Mike Loosbrock mloosbro at bnet.bethel.edu
Mon Mar 22 19:06:24 CET 2010

Excerpts from Alan DeKok's message of Mon Mar 22 11:48:40 -0500 2010:
> Mike Loosbrock wrote:
> > I thought about getting the user's groups by fetching the multi-
> > valued 'memberOf' attribute from AD and then copying it to the
> > control list via ldap.attrmap. But I don't see any way to then
> > make rlm_sql use that attribute in an authorization query (at
> > least in any sort of useful manner).
>   If it's an attribute, the SQL module can use it.  See "man unlang" for
> how attributes are addressed.
>   SELECT ... from ... where %{control:My-Attr...}

You're right, though I forgot to mention I want to support multiple group
memberships. Building upon your idea, could I do something like this:

1.) Populate the usergroup table with one record for each group I want to
    support. (This lets me prioritize the groups).

2.) Use rlm_ldap to fetch group membership via the 'memberOf' AD attribute.

3.) Use ldap.attrmap to map 'memberOf' to control:My-Groups.

3.) Use a custom perl module to build a SQL query string that simply
    returns a record for each group in control:My-Groups. In pseudo-code:
      control:My-Query =
        SELECT groupname
        FROM ${usergroup_table}
        WHERE groupname IN ( '%{My-Groups[0]', '%{My-Groups[1]}', ... )
        ORDER BY priority

4.) In rlm_sql, set group_membership_query = "%{control:My-Query}".

Are steps 3 and 4 really as dirty and wrong as they look? What kind of
performance hit am I looking at?

Mike Loosbrock
Bethel University Network Services

More information about the Freeradius-Users mailing list