group membership on LDAP/AD servers

Alan DeKok aland at deployingradius.com
Thu Jul 25 14:13:41 CEST 2019


On Jul 25, 2019, at 5:29 AM, Stefano Cailotto [EDALab] <stefano.cailotto at edalab.it> wrote:
> I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e. group membership checking, through ldap protocol)
...
> Authorization too works flawlessly if in the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto)

  So you've set up two instances of the "ldap" module?

> The main problem arises when radius tries to match group membership for the user, as it always points to AD server.

  If you have two instances of the LDAP module, you can do group checking on a per-module basis.

  i.e. if you have:

ldap ldap1 {
	...
}

ldap ad_corporate_1 {
	...
}

  Then you can do group checking with:

ldap1-LDAP-Group == ...

  and

ad_corporate_1-LDAP-Group == ...
> I tried to play with group statements to force using both servers, but with no success.
> 
> If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like
> 
> DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"

  LDAP-Group will just use the "ldap { ... }" module configuration.

  Alan DeKok.
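As an added example (not from Alan's reply or from the FreeRADIUS project), the per-instance group check he describes written out as two ldap instances plus the authorize logic that replaces the unprefixed Ldap-Group line quoted from the users file. Server names, base DNs, credentials and the 389ds/AD membership settings below are assumed placeholders, not values from the thread.

```conf
# mods-enabled/ldap1 -- the 389ds server (constructed example)
ldap ldap1 {
	server = "ldap://389ds.example.internal"
	identity = "cn=Directory Manager"
	password = "CHANGE-ME"
	base_dn = "dc=example,dc=internal"
	user {
		base_dn = "ou=People,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "ou=Groups,${..base_dn}"
		name_attribute = cn
		# posixGroup on 389ds: members are listed in memberUid
		membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
}

# mods-enabled/ad_corporate_1 -- the AD server (constructed example)
ldap ad_corporate_1 {
	server = "ldap://dc01.corp.example"
	identity = "svc-radius@corp.example"
	password = "CHANGE-ME"
	base_dn = "dc=corp,dc=example"
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "${..base_dn}"
		name_attribute = cn
		# AD user objects carry memberOf, so no separate group search
		membership_attribute = memberOf
	}
}

# sites-enabled/default, authorize section
authorize {
	...
	ldap1
	ad_corporate_1
	# An unprefixed Ldap-Group only ever queries the instance named "ldap".
	# Each named instance registers its own <name>-LDAP-Group attribute,
	# so the check below asks the right server for the right user.
	if (Huntgroup-Name == "junos-tac") {
		if (ldap1-LDAP-Group == "delivery-ip" || ad_corporate_1-LDAP-Group == "delivery-ip") {
			ok
		}
		else {
			reject
		}
	}
}
```

Run `radiusd -X` and confirm in the debug output that the group comparison is performed by the instance that actually found the user, rather than falling through to the AD server for both accounts.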
