LDAP for Authorization

Arran Cudbard-Bell a.cudbardb at freeradius.org
Sat May 10 15:20:37 CEST 2014

On 9 May 2014, at 14:33, Walter Reynolds <waltr at UMICH.EDU> wrote:

> I would like to use LDAP to be able to authorize a user so if they have a certain attribute I can return a radius AVP with a VLAN ID in the access-accept.  This would be used for allowing access to licensed library resources.  However, I am not sure if I can do this the way my LDAP stuff is set up.
> The attribute that has the data I need is multi-valued.
>   • StudentAA, StudentDBRN, and StudentFLNT (continuing and incoming students regardless of enrollment; includes detached study);
>   • EnrolledStudentAA, EnrolledStudentDBRN, EnrolledStudentFLNT (enrolled in at least one credit hour for "current" term; next term information is used during gap between terms)
>   • AlumniAA, AlumniDBRN, AlumniFLNT (any person who has completed at least one semester in a degree-granting program)
>   • FacultyAA, FacultyDBRN, FacultyFLNT (defined as academic, instructional, and research appointments; includes emeritus faculty)
>   • RegularStaffAA, RegularStaffDBRN, RegularStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave);
>   • TemporaryStaffAA, TemporaryStaffDBRN, TemporaryStaffFLNT (current appointment with a status of active, suspended, short-work break, leave, or paid leave)
>   • Retiree (retired from any U-M campus, regardless of other appointments that may still be active)
>   • SponsoredAffiliateAA, SponsoredAffiliateDBRN, SponsoredAffiliateFLNT (has at least one departmental sponsorship).
> However, only 5 of them (StudentAA, EnrolledStudentAA, FacultyAA, RegularStaffAA and TemporaryStaffAA) should get the radius AVP and be allowed access.  However, when I query I get something like the following
> ldapsearch -h ldap.umich.edu -ZZ -z0 -x -D <cut> -b ou=people,dc=umich,dc=edu -LLL -s sub uniqueid=<username> umichinstroles
> dn: uid=royboy,ou=People,dc=umich,dc=edu
> umichinstroles: RegularStaffAA
> umichinstroles: AlumniFLNT
> So that is not really a group membership.
> Is this something I will be able to do?  If not natively can folks mention other options/solutions?

Add a RADIUS attribute (in etc/raddb/dictionary) for each of the LDAP attributes you want to check.

Map the attributes from LDAP to the RADIUS attributes using the ldap module.

Write your custom policy in unlang, referencing the RADIUS attributes you created. 

See man unlang for a description of the policy language.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
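The three steps above, carried through as an added example; this is not configuration from the original thread or from the FreeRADIUS project's default files. It assumes FreeRADIUS 3.x syntax, and the attribute name Umich-Inst-Roles, its number 3000 and the VLAN number are placeholders chosen for illustration. Because umichinstroles is multi-valued, the ldap module's `+=` operator is used so that every value lands in the control list, and the unlang check uses `[*]` so the condition matches if any one value is a permitted role.

```unlang
# Added example, not from the original thread. Assumes FreeRADIUS 3.x;
# the attribute name Umich-Inst-Roles, its number 3000 and the VLAN
# number are placeholders chosen for illustration.

# 1. raddb/dictionary: a local, internal-only attribute that will hold
#    the values of the multi-valued LDAP attribute umichinstroles.
ATTRIBUTE   Umich-Inst-Roles    3000    string

# 2. raddb/mods-available/ldap, inside the "update" section of the ldap
#    module. "+=" copies every value of umichinstroles into the control
#    list, so a user with two roles gets two Umich-Inst-Roles entries
#    (the "royboy" entry above would yield RegularStaffAA and AlumniFLNT).
update {
    control:Umich-Inst-Roles    += 'umichinstroles'
}

# 3. raddb/sites-available/default, after "ldap" has run in authorize.
#    [*] compares against all values of the attribute, so the condition
#    is true if any one of the five permitted roles is present.
post-auth {
    if (&control:Umich-Inst-Roles[*] == 'StudentAA' ||
        &control:Umich-Inst-Roles[*] == 'EnrolledStudentAA' ||
        &control:Umich-Inst-Roles[*] == 'FacultyAA' ||
        &control:Umich-Inst-Roles[*] == 'RegularStaffAA' ||
        &control:Umich-Inst-Roles[*] == 'TemporaryStaffAA') {
        update reply {
            Tunnel-Type              := VLAN
            Tunnel-Medium-Type       := IEEE-802
            Tunnel-Private-Group-Id  := '100'   # placeholder VLAN ID
        }
    }
    else {
        # A user whose only role is e.g. AlumniFLNT ends up here and is
        # refused outright rather than accepted without a VLAN.
        reject
    }
}
```

Running the server with `radiusd -X` and sending a test request shows the `control:Umich-Inst-Roles` entries the ldap module added, which is the quickest way to confirm that the mapping picked up all values before the policy is relied on. Rejecting in the `else` branch, rather than letting the request fall through, keeps a user with none of the five roles from receiving an Access-Accept that merely lacks the VLAN attributes.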
