Proxy requests on multiple backend Radius servers based on LDAP Group Membership
Alan DeKok
aland at deployingradius.com
Mon Oct 15 16:24:15 CEST 2018
> On Oct 15, 2018, at 10:16 AM, Mathieu CLAIR <mclair at protego.net> wrote:
> I'm trying to route Radius requests on 2 backend Radius servers based on
> LDAP group membership. The purpose is to send Radius requests on the 1st
> server when the user is a member of an LDAP group (example
> CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on the 2nd
> Radius server.
>
> I'm wondering if it's possible and what is the best way to do it.
Yes, it's possible. Just check for the LDAP group, and set Proxy-To-Realm.
>
>
> I started to think about the following process :
>
> - declare an LDAP filter like
> (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
>
> - use the filter (match not null ?) in the site
> configuration
Why?
> Something that sounds like below :
>
>
>
> my_ldap_filter =
> (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
You can't just invent things in the configuration file and expect them to do what you want.
> I'm not sure about the syntax of this. Of course, I faced several errors
> "Entry is not a reference to a module" when I manually start the freeradius
> server. Do I need to use the LDAP module ?
If you query an LDAP server, you need to configure the LDAP module. This is documented. Then, check the LDAP group as per the documentation.
    if (LDAP-Group == "foo") {
        update control {
            Proxy-To-Realm := "bar"
        }
    }
Alan DeKok.
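A fuller worked configuration for the approach Alan describes, added here as an example (it is not from the thread or from the FreeRADIUS project): two realms in proxy.conf, the group subsection of the ldap module that makes the LDAP-Group comparison work, and an authorize block that sets Proxy-To-Realm by group. FreeRADIUS 3.x syntax is assumed; the home server addresses, secrets and the service account are placeholders.

```text
# proxy.conf: one home server and realm per backend
# (addresses and shared secrets are placeholders, not from the thread)
home_server backend1 {
    type   = auth
    ipaddr = 192.0.2.10
    secret = CHANGE_ME_1
}
home_server backend2 {
    type   = auth
    ipaddr = 192.0.2.20
    secret = CHANGE_ME_2
}
home_server_pool pool_members {
    home_server = backend1
}
home_server_pool pool_others {
    home_server = backend2
}
realm members {
    auth_pool = pool_members
    nostrip
}
realm others {
    auth_pool = pool_others
    nostrip
}
# mods-available/ldap: only the group subsection is shown (server, identity, user settings as usual)
ldap {
    group {
        base_dn              = "DC=foo,DC=bar"
        filter               = "(objectClass=group)"
        name_attribute       = cn
        membership_attribute = "memberOf"
    }
}
# sites-enabled/default, authorize section (excerpt): look the user up, then route by group DN
authorize {
    ldap
    if (ok || updated) {
        if (LDAP-Group == "CN=MyGroup,CN=Users,DC=foo,DC=bar") {
            update control {
                Proxy-To-Realm := "members"
            }
        }
        else {
            update control {
                Proxy-To-Realm := "others"
            }
        }
    }
}
```

Users the ldap module cannot find are not proxied at all, since the `if (ok || updated)` guard never sets Proxy-To-Realm for them; debug with `radiusd -X` to confirm the group comparison and the chosen realm.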
More information about the Freeradius-Users mailing list