Active directory groups

Gary Gatten Ggatten at waddell.com
Wed May 18 18:22:01 CEST 2011


If one has (just for example) 1000 groups, this is a lot of overhead - checking every group.  Also, what if they belong to several groups?  The last group checked would be the only one that matters - unless of course you account for that somehow in your code.

Is there a way to reference the user's "primary" group - does LDAP / AD support such a concept?

Or, "fetch" their full distinguished name using just their common / logon name, such that?

 - Login name is ggatten

 - Get DN for ggatten

 - DN is ggatten.neteng.msd.waddell.com


Once I have DN I can write some code to extract the parent OU for the user, in this case "neteng".

Then, can I do something like:

Vlan-Attribute := "Ldap-group.neteng.someattribute"

I realize the syntax herein is TOTALLY wrong, I'm just looking for some validation on the concept.

G
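An added example, not part of this thread or of FreeRADIUS itself, sketching the two ideas above in Python: give group checks an explicit precedence so a user in several groups gets a predictable VLAN instead of "whichever was checked last", and fall back to the OU directly above the user's CN in their DN. The DN, group names, OU names and VLAN ids are constructed sample values.

```python
# Added example: resolve a VLAN from a user's LDAP DN and group list with an
# explicit precedence order. All names and VLAN ids are constructed samples.

# Ordered list: the first matching group wins, so a user who is in both
# "staff" and "students" always gets the staff VLAN. In an if/elsif chain
# this precedence is simply the order of the branches.
GROUP_VLANS = [("staff", 123), ("students", 200), ("guests", 300)]

# Fallback: map the OU above the user's CN to a VLAN when no group matches.
OU_VLANS = {"neteng": 110, "finance": 120}


def parse_dn(dn):
    """Split a DN into (attr, value) pairs, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # keep the escaped character
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":                           # unescaped comma ends an RDN
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for p in parts:
        attr, _, val = p.partition("=")        # split on the first '=' only
        rdns.append((attr.strip().lower(), val.strip()))
    return rdns


def parent_ou(dn):
    """Return the nearest OU above the leaf RDN, or None (e.g. CN=Users container)."""
    for attr, val in parse_dn(dn)[1:]:
        if attr == "ou":
            return val
    return None


def vlan_for(dn, groups):
    """Highest-priority matching group first; otherwise the OU fallback; else None."""
    member = {g.lower() for g in groups}
    for name, vlan in GROUP_VLANS:
        if name in member:
            return vlan
    ou = parent_ou(dn)
    return OU_VLANS.get(ou.lower()) if ou else None
```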


-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell.com at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:58 AM
To: freeradius-users at lists.freeradius.org
Subject: Re: Active directory groups

On 18/05/11 16:21, Doty, Seth wrote:

> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest.  My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment.  I'm a bit of a freeradius noob so any
> help is appreciated.

I don't really understand what you want, so I'm going to guess.

You have multiple groups. You want to read those from AD via LDAP, and 
then set reply variables.

The main way to do this is to use unlang or a files module to check each 
group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel:

post-auth {
   ...
   if (Ldap-Group == staff) {
     update reply {
       Vlan-Attribute := 123
     }
   }
   elsif (Ldap-Group == students) {
     ..
   }
   else {
      ..
   }
}

Is this what you want? If not, can you explain why not?