Group checking in ldap authorization
Robert Roll
Robert.Roll at utah.edu
Tue Mar 22 19:15:38 CET 2011
This does seem to work differently than I thought..
My model was something like ntlm_auth, which allows an authentication,
but one can also require membership in a group at the same time...
i.e. ntlm_auth ... --require-membership-of={SID|Name}
What I was really hoping is that I could look someone up in the
directory in the user tree, but also then require they be in a
particular group. The group would actually have a specific
replyItem attribute that would return a VLAN if the user
was part of the group...
There are other ways of accomplishing this ....
Thanks,
Robert
________________________________________
From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Robert Roll [Robert.Roll at utah.edu]
Sent: Tuesday, March 22, 2011 11:21 AM
To: FreeRadius users mailing list
Subject: RE: Group checking in ldap authorization
The below is out of the .../share/doc/freeradius/rlm_ldap
Note that it shows the Ldap_Group variable being set in the users file, but
I'm assuming it should not really matter where it gets set?
DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com"
Also, the part about the specific instance Ldap-Group is:
Also if you are using multiple ldap module instances a per instance
Ldap-Group attribute is registered and can be used. It is of the form
<instance_name>-Ldap-Group. In other words if in radiusd.conf we
configure an ldap module instance like ...
Note, I do not want to test for Ldap_Group, I want to be able to actually
set it so it is used within the ldap module?
Thanks,
Robert
From .../share/doc/freeradius/rlm_ldap
--------------------------------------------------------------------------------------------------------
GROUP SUPPORT: The module supports searching for ldap groups by use of the
Ldap-Group attribute. As long as the module has been instantiated it can be
used to do group membership checks through other modules. For example in the
users file:
DEFAULT Ldap-Group == "disabled", Auth-Type := Reject
Reply-Message = "Sorry, you are not allowed to have dialup access"
DNs are also accepted as Ldap-Group values, i.e.:
DEFAULT Ldap-Group == "cn=disabled,dc=company,dc=com", Auth-Type := Reject
Reply-Message = "Sorry, you are not allowed to have dialup access"
Also if you are using multiple ldap module instances a per instance
Ldap-Group attribute is registered and can be used. It is of the form
<instance_name>-Ldap-Group. In other words if in radiusd.conf we
configure an ldap module instance like:
ldap myname { [...] }
we can then use the myname-Ldap-Group attribute to match user
groups. Make sure though that the ldap module is instantiated *before*
the files module so that it will have time to register the
corresponding attribute. One solution would be to add the ldap module
in the instantiate{} block in radiusd.conf
________________________________________
From: freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org [freeradius-users-bounces+robert.roll=utah.edu at lists.freeradius.org] On Behalf Of Phil Mayers [p.mayers at imperial.ac.uk]
Sent: Tuesday, March 22, 2011 8:46 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Group checking in ldap authorization
On 22/03/11 14:24, Robert Roll wrote:
> Below is what I have in my authorization section. I
>
> update control {
> ldapADut-Ldap-Group := "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu"
> }
>
> ldapADut {
> notfound = reject
> }
Where did you get this from? It's totally wrong.
Try:
if (Ldap-Group == chemVLAN) {
}
Ldap-Group (or modname-Ldap-Group) is a "virtual" attribute, that will
perform the group membership check when you run a comparison.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
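Phil's correction, combined with the "require membership, then return a VLAN" behaviour Robert describes in his later message, as an added authorize-section example that is not from the thread or from the FreeRADIUS documentation. It assumes an ldap instance named ldapADut (as in the quoted config), the group DN Robert posted, and a constructed VLAN id of 100.

```unlang
authorize {
    # ... preprocess and any other modules that normally run first ...

    # Assumption: the ldap module instance is called ldapADut, as in the
    # quoted configuration. Running it here looks the user up in the user
    # tree; it must also be instantiated so that the ldapADut-Ldap-Group
    # virtual attribute exists.
    ldapADut

    # Comparing against the virtual attribute is what performs the LDAP
    # group-membership check. Assigning to it with "update control" does
    # not cause any lookup, which is why the quoted config was wrong.
    if (ldapADut-Ldap-Group == "cn=chemVLAN,OU=Groups,OU=UofURadius,dc=ad,dc=utah,dc=edu") {
        # Member of the group: hand back the VLAN as reply items
        # (standard RFC 2868 tunnel attributes; the VLAN id is constructed).
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"
        }
    }
    else {
        # Found in the user tree but not in the group: refuse access
        # instead of silently letting the user on without a VLAN.
        update reply {
            Reply-Message := "Not a member of the required group"
        }
        reject
    }
}
```

The group check can equally be driven from the users file with a DEFAULT entry, as the rlm_ldap documentation quoted above shows; the unlang form is simply easier to pair with per-group reply items.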