Authorization with Active Directory

suggestme suggest_me at hotmail.com
Thu Jan 26 15:41:48 CET 2012


Hi,

I had implemented the idea given by Phil for authorizing the users of Active
Directory to use VPN or Wifi or whatever they are meant for, depending
upon the value of Active Directory's "extensionAttribute10" attribute, as:

## /usr/local/etc/raddb/modules/ldap:

filter =
"(&(extensionAttribute10=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"

I have used extensionAttribute10 for storing values such as VPN, wifi depending
upon the users.

## /usr/local/etc/raddb/sites-enabled/default

## I tried using Called-Station-Id to check the condition, which is ok for
now for testing, but which I guess is not feasible if there are thousands
of NAS devices. I don't know what would be the best test condition for this.

authorize {
   ...
   if (Called-Station-Id == .......) {
     update control {
       Tmp-String-0 := VPN
     }
   }
   else {
     update control {
       Tmp-String-0 := Wifi
     }
   }
   ldap
   if (notfound) {
     reject
   }
   ...
}

And also, I have implemented the idea of returning a Filter-Id for the users
of Active Directory by looking at the "OU" of the domain, as:

ldap

# Capture the first OU of the user's DN into Tmp-String-1
if (control:Ldap-UserDN =~ /^[^,]+,OU=([^,]+),/) {
  update control {
    Tmp-String-1 := "%{1}"
  }
}

And returning the value of Filter-Id through the users file as:

DEFAULT
        Filter-Id := "Enterasys:version=1:policy=%{control:Tmp-String-1}"


But now I am facing the problem that I can't use more than one If condition
inside unlang to test the conditions inside the Ldap module (if I am correct in
my understanding).

And also, using the filter defined as above inside the Ldap module, some users of
Active Directory which don't have extensionAttribute10 might get rejected.
These users should get default acceptance, but should be granted access to
VPN or wifi if a value is assigned to them in extensionAttribute10. If they don't
have the attribute defined, they should still get accepted as default users.
If I just use:  filter =
"(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
this allows all the users in Active Directory to get accepted (doesn't reject
if there is no extensionAttribute10 either); but how do I reach the goal of
granting the authorization for VPN and wifi users accordingly if I use this?

Is there any easy way to check a condition for a particular attribute of
Active Directory? And I don't know where to check this, if I am already
using an If conditional statement for returning the Filter-Id inside the Ldap
module.

In my understanding, people check this type of condition for the
users that are defined in the "users" file as:

bob         User-Password == "testing", Connection-Type := "VPN"

But I am not sure how to check like this even if I define in
ldap.attrmap:

checkItem       Connection-Type                    extensionAttribute10


I don't know whether I am confused or I am just not getting how to achieve this.

Your valuable idea would be really appreciated.


Thanks,

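As an added illustration (not part of the post above and not FreeRADIUS code), the following Python model shows why the strict filter from the post rejects users without extensionAttribute10, and how looking the user up by sAMAccountName only and then comparing the attribute in policy gives default acceptance while still restricting users whose attribute names a different service. The directory entries, the DIRECTORY/authorize names and the "reject on mismatch" rule are assumptions made for the model; the filters, the OU regex and the Filter-Id format are the ones from the post.

```python
import re

# Constructed sample AD entries (not real data): one user restricted to VPN
# via extensionAttribute10, one user with the attribute absent.
DIRECTORY = [
    {"dn": "CN=alice,OU=Sales,DC=example,DC=com",
     "sAMAccountName": "alice", "extensionAttribute10": "VPN"},
    {"dn": "CN=bob,OU=Engineering,DC=example,DC=com",
     "sAMAccountName": "bob"},
]

# The two filters from the post; the %{...} xlats are replaced by format fields.
STRICT_FILTER = "(&(extensionAttribute10={service})(sAMAccountName={user}))"
LOOSE_FILTER = "(sAMAccountName={user})"

def ldap_match(entry, filt):
    """Evaluate the subset of LDAP filter syntax used here: (&...) and (attr=value).
    Matching is case-sensitive in this model, unlike a real AD server."""
    if filt.startswith("(&"):
        terms = [t for t in filt[2:-1].split("(") if t]
        return all(ldap_match(entry, "(" + t) for t in terms)
    attr, _, value = filt[1:-1].partition("=")
    return entry.get(attr) == value   # an absent attribute never matches

def search(filt):
    return [e for e in DIRECTORY if ldap_match(e, filt)]

OU_RE = re.compile(r"^[^,]+,OU=([^,]+),")   # same regex as in the post

def filter_id(dn):
    m = OU_RE.match(dn)
    return "Enterasys:version=1:policy=%s" % m.group(1) if m else None

def authorize(user, service):
    """Look the user up by name only, then decide in policy.
    Returns (decision, Filter-Id) the way the post's authorize section would."""
    found = search(LOOSE_FILTER.format(user=user))
    if not found:
        return ("reject", None)          # the 'if (notfound) { reject }' case
    entry = found[0]
    allowed = entry.get("extensionAttribute10")
    if allowed is not None and allowed != service:
        return ("reject", None)          # attribute set, but for another service
    return ("accept", filter_id(entry["dn"]))   # default users fall through here
```

With the strict filter, bob is never found for any service; with the lookup-then-compare flow he is accepted as a default user while alice is limited to VPN.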