Add LDAP groups as extra attributes

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Mar 13 20:52:18 CET 2013


On 13 Mar 2013, at 15:45, Robin Helgelin <lobbin at gmail.com> wrote:

> On Wed, Mar 13, 2013 at 4:11 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>>> Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS attribute, and add the RADIUS attribute to raddb/dictionary (taking care to note the comments about numbering, i.e. pick a number from 3000-3999). Don't re-use an existing attribute - many of the xxGroup attributes have "magic" behaviour hooks.
>> 
>> Phil is correct, but this will only work for something like AD, where you have memberOf attributes which link a user account to a group.
>> 
>> This also doesn't really work if you want a group name, and the membership attributes specify a group DN, though it'd probably be pretty easy to figure out the group name later (you could even do it within unlang if you're using FR 3.0).
> 
> Thanks, we're using the memberof overlay, and that might be working.
> 
> First problem is that I need to rewrite the output from ldap to
> something the radius-client finds useful. But there are radius modules
> for rewriting things right?

Um, yes, but you can probably just use unlang.

> 
> Next problem seems to be that freeradius ignores when ldap is
> returning more than one group, am I correct?

Ignores what?

If you're talking about an xlat query, then yes, it'll only provide the first result.

-Arran
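As an added illustration, not taken from the thread, this is what the mapping described above looks like on a 2.x server, using the attrmap approach for the memberOf overlay case and an unlang block for the rewrite step. Every name here is an assumption: the local attribute LDAP-Group-Name and its number 3001, the DN layout of the memberOf values, and Filter-Id as a stand-in for whatever attribute the RADIUS client actually acts on.

```text
# raddb/dictionary (site-local attributes; 3000-3999 is the range the file reserves for local use)
# Assumed name and number; do not re-use an existing xxGroup attribute.
ATTRIBUTE  LDAP-Group-Name  3001  string

# raddb/ldap.attrmap (2.x format: item-type  RADIUS-attribute  LDAP-attribute)
# Every memberOf value on the user's entry is copied into the reply list,
# one LDAP-Group-Name instance per group, so multi-group users are not truncated.
replyItem  LDAP-Group-Name  memberOf

# raddb/sites-enabled/default, post-auth section (assumed site layout).
# Rewrites a group DN such as "cn=wifi-users,ou=groups,dc=example,dc=org"
# into the bare group name before it reaches the client.
post-auth {
    # Only the first LDAP-Group-Name instance is examined here; further
    # instances can be addressed with an index, e.g. reply:LDAP-Group-Name[1].
    if (reply:LDAP-Group-Name =~ /^cn=([^,]+),/i) {
        update reply {
            Filter-Id := "%{1}"
        }
    }

    # Strip the internal attribute so the raw DN is never sent to the NAS.
    update reply {
        LDAP-Group-Name !* ANY
    }
}
```

Because the values arrive through the attrmap as reply attributes rather than through an `%{ldap:...}` xlat, all group memberships are available to unlang; an xlat lookup, as noted above, would return only the first result.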

