LDAP Groups + SQL Authorization

Peter Lambrechtsen plambrechtsen at gmail.com
Mon Mar 22 19:53:38 CET 2010

On Tue, Mar 23, 2010 at 7:06 AM, Mike Loosbrock <mloosbro at bnet.bethel.edu> wrote:

> Excerpts from Alan DeKok's message of Mon Mar 22 11:48:40 -0500 2010:
> > Mike Loosbrock wrote:
> >
> > > I thought about getting the user's groups by fetching the multi-
> > > valued 'memberOf' attribute from AD and then copying it to the
> > > control list via ldap.attrmap. But I don't see any way to then
> > > make rlm_sql use that attribute in an authorization query (at
> > > least in any sort of useful manner).
> >
> >   If it's an attribute, the SQL module can use it.  See "man unlang" for
> > how attributes are addressed.
> >
> >   SELECT ... from ... where %{control:My-Attr...}
> You're right, though I forgot to mention I want to support multiple group
> memberships. Building upon your idea, could I do something like this:
> 1.) Populate the usergroup table with one record for each group I want to
>    support. (This lets me prioritize the groups).
> 2.) Use rlm_ldap to fetch group membership via the 'memberOf' AD attribute.
> 3.) Use ldap.attrmap to map 'memberOf' to control:My-Groups.
> 4.) Use a custom perl module to build a SQL query string that simply
>    returns a record for each group in control:My-Groups. In pseudo-code:
>      control:My-Query =
>        SELECT groupname
>        FROM ${usergroup_table}
>        WHERE groupname IN ( '%{My-Groups[0]}', '%{My-Groups[1]}', ... )
>        ORDER BY priority
> 5.) In rlm_sql, set group_membership_query = "%{control:My-Query}".
> Are steps 4 and 5 really as dirty and wrong as they look? What kind of
> performance hit am I looking at?

This is the way we do it.


Then everything is driven out of LDAP (eDirectory, but AD should work just
the same) without extending the schema.

And then to do the "security" you use the postauth_users to say which LDAP
group you need to be in to be allowed to access which Hostgroup, and what
attributes you get in the Access-Accept response, with the last line in the
postauth_users being "access-reject" since nothing matched any of the
groups beforehand.
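The flow discussed in this thread (collect the user's memberOf values, keep only the groups listed in a priority table, and let the first matching group decide the hostgroup access and reply attributes, rejecting otherwise) is simulated below in a self-contained Python script. This is an added example, not configuration from the thread or from FreeRADIUS itself: the memberOf values, the usergroup rows and the per-group policy table are constructed here, and the sqlite3 table stands in for the rlm_sql usergroup table. One deliberate difference from step 4 in the quoted message: the IN list is built from bound placeholders rather than by splicing the expanded group values into the query text, because a directory-supplied value can legitimately contain a quote (a CN such as O'Brien Team), which is exactly what breaks a string-built query.

```python
import re
import sqlite3

# Constructed sample input: what rlm_ldap might hand back as the
# multi-valued memberOf attribute for one user (not real data).
SAMPLE_MEMBEROF = [
    "CN=VPN Users,OU=Groups,DC=example,DC=com",
    "CN=Network Admins,OU=Groups,DC=example,DC=com",
    "CN=O'Brien Team,OU=Groups,DC=example,DC=com",   # value containing a quote
    "CN=Unrelated,OU=Groups,DC=example,DC=com",       # not in the usergroup table
]

# Step 1 of the thread: a usergroup table listing only the groups that
# matter, each with a priority (lower number = checked first). Hypothetical rows.
USERGROUP_ROWS = [
    ("Network Admins", 10),
    ("VPN Users", 20),
    ("O'Brien Team", 30),
]

# Hypothetical stand-in for the postauth_users entries: which hostgroup a
# group may reach, and which attributes to return in the Access-Accept.
GROUP_POLICY = {
    "Network Admins": {"hostgroup": "core-routers",
                       "reply": {"Service-Type": "Administrative-User"}},
    "VPN Users": {"hostgroup": "vpn-concentrators",
                  "reply": {"Framed-Protocol": "PPP"}},
}

# First RDN of the DN, allowing backslash-escaped characters inside the value.
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def _unescape_rdn(value):
    """Undo RFC 4514 escaping: \\XX hex pairs and \\<char> escapes."""
    return re.sub(
        r"\\([0-9A-Fa-f]{2})|\\(.)",
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
        value,
    )


def group_names_from_memberof(values):
    """Turn each memberOf DN into its group name (the CN), skipping DNs that
    do not start with CN=."""
    names = []
    for dn in values:
        m = _CN_RE.match(dn)
        if m:
            names.append(_unescape_rdn(m.group(1)))
    return names


def build_db():
    """In-memory substitute for the rlm_sql usergroup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usergroup (groupname TEXT PRIMARY KEY, priority INTEGER NOT NULL)")
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)", USERGROUP_ROWS)
    return conn


def prioritised_groups(conn, memberof):
    """Steps 3-5 of the thread as one parameterised query: one '?' per group,
    values bound separately, result ordered by the table's priority."""
    names = group_names_from_memberof(memberof)
    if not names:
        return []
    placeholders = ",".join("?" * len(names))
    sql = "SELECT groupname FROM usergroup WHERE groupname IN (%s) ORDER BY priority" % placeholders
    return [row[0] for row in conn.execute(sql, names)]


def authorize(conn, memberof, hostgroup):
    """Walk the user's groups in priority order; the first group whose policy
    covers this hostgroup wins. No match means reject, mirroring a trailing
    default reject entry in postauth_users."""
    for group in prioritised_groups(conn, memberof):
        policy = GROUP_POLICY.get(group)
        if policy and policy["hostgroup"] == hostgroup:
            return ("Access-Accept", group, dict(policy["reply"]))
    return ("Access-Reject", None, {})


if __name__ == "__main__":
    db = build_db()
    print(prioritised_groups(db, SAMPLE_MEMBEROF))
    print(authorize(db, SAMPLE_MEMBEROF, "core-routers"))
    print(authorize(db, SAMPLE_MEMBEROF, "printers"))
```

The priority column does the work the thread asks for: a user in several groups is evaluated against the highest-priority policy first, and a hostgroup that no group covers falls through to Access-Reject rather than to an accidental accept.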
