LDAP Group Membership

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Apr 25 13:11:11 CEST 2014


On 25 Apr 2014, at 11:44, Fajar A. Nugraha <list at fajar.net> wrote:

> On Fri, Apr 25, 2014 at 5:36 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> 
>> On 25 Apr 2014, at 07:02, <peter.geiser at id.unibe.ch> <peter.geiser at id.unibe.ch> wrote:
>> 
>>> When you use AD then the following simple query will do all the hard work…
>>> 
>>> Recursive Group Memberships
>>> (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
>>> 
>>> Or as config snippet:
>>> 
>>> group {
>>>      base_dn = 'dc=foo,dc=bar'
>>>      scope = 'sub'
>>>      name_attribute = cn
>>>      membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>>> 
>>>      cacheable_name = "yes"
>>>      cacheable_dn = "no"
>>> }
>>> 
>> 
>> Woha, crazy. I don't even want to know what black magic that's invoking.
>> 
>> Do you have any documentation on it? It'd be good to include a note in
>> the default config.
> 
> Pasting the magic numbers into Google gives this link:
> http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

Again 'Woha'.

AD allows bitwise filters?! That's pretty cool.

Someone with AD want to test and see if it allows the string form?
Not sure whether they're just preprocessor macros, or whether AD
will really allow them in the text form.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
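An added illustration of what the quoted membership_filter does once %{control:Ldap-UserDn} has been expanded; this is example code written for this page, not part of the thread and not FreeRADIUS's rlm_ldap. It assumes only what the thread states: the OID 1.2.840.113556.1.4.1941 is AD's in-chain matching rule, which makes (member:OID:=dn) match every group holding the DN directly or through nested groups. The directory, user and group DNs are constructed sample data; escape_filter_value shows the RFC 4515 escaping that any DN substituted into a filter needs, since an unescaped "(", ")", "*" or "\" in a DN would change the filter's structure rather than be matched literally. groups_in_chain is a small model of the server-side expansion, placed beside direct_groups so the difference from a plain (member=dn) filter is visible.

```python
# Added example (not from the thread, not FreeRADIUS code): model of the
# recursive group-membership filter quoted above, with proper value escaping.

# OID quoted in the thread: AD's in-chain matching rule, which follows the
# "member" attribute transitively so nested group memberships also match.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    Without this, a DN containing '(' ')' '*' or '\\' would alter the
    filter's structure instead of being compared literally.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")") or ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(user_dn: str) -> str:
    """The quoted membership_filter after %{control:Ldap-UserDn} expands."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


# Constructed sample directory: group DN -> set of member DNs (users or groups).
# alice is in linux-admins, which is nested in all-admins, which is nested in staff.
SAMPLE_GROUPS = {
    "cn=linux-admins,ou=groups,dc=foo,dc=bar": {
        "cn=alice,ou=people,dc=foo,dc=bar",
    },
    "cn=all-admins,ou=groups,dc=foo,dc=bar": {
        "cn=linux-admins,ou=groups,dc=foo,dc=bar",
        "cn=bob,ou=people,dc=foo,dc=bar",
    },
    "cn=staff,ou=groups,dc=foo,dc=bar": {
        "cn=all-admins,ou=groups,dc=foo,dc=bar",
    },
    "cn=guests,ou=groups,dc=foo,dc=bar": {
        "cn=mallory,ou=people,dc=foo,dc=bar",
    },
}


def direct_groups(user_dn: str, groups=SAMPLE_GROUPS) -> set:
    """What a plain (member=<dn>) filter returns: direct memberships only."""
    return {g for g, members in groups.items() if user_dn in members}


def groups_in_chain(user_dn: str, groups=SAMPLE_GROUPS) -> set:
    """Model of (member:1.2.840.113556.1.4.1941:=<dn>): every group that
    contains user_dn directly or via any chain of nested groups.

    The 'not in result' check makes the walk terminate even if two groups
    are members of each other.
    """
    result = set()
    frontier = {user_dn}
    while frontier:
        current = frontier.pop()
        for group_dn, members in groups.items():
            if current in members and group_dn not in result:
                result.add(group_dn)
                frontier.add(group_dn)  # groups containing this group match too
    return result


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=foo,dc=bar"
    print(membership_filter(alice))
    print("direct:  ", sorted(direct_groups(alice)))
    print("in-chain:", sorted(groups_in_chain(alice)))
```

With name_attribute = cn, the group names FreeRADIUS would see for alice are the cn values of the in-chain result (linux-admins, all-admins, staff), whereas a non-recursive member filter yields only linux-admins; the escaping step is what keeps a user DN with odd characters from producing a different filter than the one in the config.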
