LDAP group child domain

Menard, Yannick Yannick.Menard at csp.qc.ca
Fri Nov 9 21:38:58 CET 2012


Hi,

I'm in an Active Directory domain with a child domain: tata is my primary domain and toto is my child domain.

I'm doing authorization based on LDAP group.

My users connect to FreeRADIUS using 802.1X and PEAP.

Using mschap and ntlm, this is working great.

Now I want to give users access, or RADIUS attributes, based on their Active Directory group.

I was able to do this using the LDAP module and the users file.

The problem I am having now is: if I have a user group with the same name in my primary domain (tata) and in my child domain (toto.tata), FreeRADIUS does not seem to see the difference (for example the Domain Users group).

In the users file my LDAP policy looks like this:

DEFAULT Ldap-Group == "groupname"

What I would like to do is write it like this:

DEFAULT Ldap-Group == "cn=groupname, ou=OUofGroup, dc=toto, dc=tata"

I'm pretty sure I have to work with these config options in ldap:

groupname_attribute
groupmembership_filter
groupmembership_attribute

Right now they are set like this:

groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf


If anyone has some insight on how to solve this problem, I would greatly appreciate it.

Thank you,
Yann
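As an added illustration, not part of the post and not FreeRADIUS code, here is a small Python model of the two comparisons the post contrasts: matching a group by its cn alone cannot tell the parent-domain group from the identically named child-domain group, whereas matching the full DN (with case and spacing normalized) can. The memberOf values below are constructed from the DN shape used in the post.

```python
import re

def normalize_dn(dn):
    """Canonical DN form: trim spaces around unescaped RDN separators, lowercase."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(parts).lower()

def first_rdn_value(dn, attr="cn"):
    """Value of the leading RDN if it uses `attr`, else None."""
    key, _, value = normalize_dn(dn).split(",")[0].partition("=")
    return value if key == attr else None

def is_member_by_name(member_of, group_name):
    """The ambiguous check: true for any group with that cn, in any domain."""
    return any(first_rdn_value(dn) == group_name.lower() for dn in member_of)

def is_member_by_dn(member_of, group_dn):
    """The unambiguous check: the whole DN, including the dc= components, must match."""
    target = normalize_dn(group_dn)
    return any(normalize_dn(dn) == target for dn in member_of)

# Constructed memberOf attributes for one user in each domain (not real directory data).
PARENT_USER_MEMBER_OF = ["CN=groupname,OU=OUofGroup,DC=tata"]
CHILD_USER_MEMBER_OF = ["CN=groupname,OU=OUofGroup,DC=toto,DC=tata"]

# The DN form the post wants to write in the users file (spaces after commas included).
CHILD_GROUP_DN = "cn=groupname, ou=OUofGroup, dc=toto, dc=tata"

if __name__ == "__main__":
    for label, member_of in (("parent user", PARENT_USER_MEMBER_OF),
                             ("child user", CHILD_USER_MEMBER_OF)):
        print(label, "by name:", is_member_by_name(member_of, "groupname"),
              "by DN:", is_member_by_dn(member_of, CHILD_GROUP_DN))
```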

