FreeRADIUS + Cisco + Active Directory

Mathieu Simon (Lists) matsimon.lists at simweb.ch
Wed Jan 6 13:33:57 CET 2016


On 06.01.2016 at 13:20, Phil Mayers wrote:
> On 06/01/16 11:28, Matthew Newton wrote:
> 
>> Exactly. What's wrong with LDAP here?
> 
> Nested groups can be a pain.

They are often, I'd agree. I don't know how much performance penalty
there is for these AD-specific queries, but I recently got it ported from
a 2.x config I had. The initial thing back then I found was on a blog
from a Nasser Heidari*. The AD in question is by no means large from what
I can tell, thus: YMMV.

This is what used to work for me on 2.1/2.2 in modules/ldap:

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

In 3.0 mods-available/ldap I had to split it slightly to:

filter = '(objectCategory=group)'
membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

Now if this is totally wrong, I'm happy to learn how it's done better.
:-) From what I can tell so far, all nested memberships were retrieved
when I tried to trick it.

I was actually surprised how much I could easily port from a 2.x config
to 3.0 without much effort, great job! (I know I'm late to the game of
FreeRADIUS 3.0.) I actually like the changes that were made to the ldap
module so far.

-- Mathieu

* https://linax.wordpress.com/2012/07/17/freeradius-check-nested-ldap-group-membership/
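Added example (not from the post, the blog it cites, or FreeRADIUS itself): a small simulation of what the AD-specific matching rule in the filter above does. The OID 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, so "(member:1.2.840.113556.1.4.1941:=<userDN>)" matches every group that contains the user directly or through any chain of nested groups, whereas a plain "(member=<userDN>)" only matches direct membership. The directory contents, group names and user DNs are constructed; the escape step shows the RFC 4515 escaping that a DN substituted into a filter needs.

```python
# Added example (not from the post or FreeRADIUS): simulate what the AD matching
# rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) in the filter does
# compared with a plain (member=<userDN>) filter. Directory contents are constructed.
from collections import deque

# Constructed AD-like data: group DN -> member DNs (users or other groups).
DIRECTORY = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=com"],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=Net-Admins,OU=Groups,DC=example,DC=com",
        "CN=Bob (Contractor),OU=Users,DC=example,DC=com"],
    "CN=Net-Admins,OU=Groups,DC=example,DC=com": [
        "CN=alice,OU=Users,DC=example,DC=com"],
    "CN=Wifi-Guests,OU=Groups,DC=example,DC=com": [
        "CN=Bob (Contractor),OU=Users,DC=example,DC=com"],
}


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a DN such as
    'CN=Bob (Contractor),...' cannot break or widen the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def membership_filter(user_dn):
    """The 3.0 membership_filter from the post with %{control:Ldap-UserDn} expanded."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % ldap_filter_escape(user_dn)


def direct_groups(dn):
    """What a plain (member=<dn>) filter returns: groups listing dn directly."""
    return {g for g, members in DIRECTORY.items() if dn in members}


def chained_groups(user_dn):
    """What the chain rule returns: the transitive closure over nested groups.
    The 'seen' set also terminates on group cycles (A in B, B in A)."""
    seen, queue = set(), deque(direct_groups(user_dn))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(direct_groups(group))  # groups that contain this group
    return seen


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=com"
    print(membership_filter("CN=Bob (Contractor),OU=Users,DC=example,DC=com"))
    print("direct :", sorted(direct_groups(alice)))
    print("chained:", sorted(chained_groups(alice)))
```

For alice the direct lookup yields only Net-Admins, while the chained lookup also yields Helpdesk and VPN-Users, which is exactly the difference that matters when a RADIUS policy keys on VPN-Users.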



More information about the Freeradius-Users mailing list