group membership on LDAP/AD servers
Stefano Cailotto [EDALab]
stefano.cailotto at edalab.it
Fri Jul 26 13:50:23 CEST 2019
So far so good... I succeeded in what I needed.
I implemented the solution also with redundancy (389ds_{1,2} and
ad_corporate_{1,2} are 2+2 servers), configuring as follows:
authorize {
    # first.last style user names go to AD (ntlm_auth), everything else to 389DS
    if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
        update control {
            Auth-Type := ntlm_auth
        }
    }
    else {
        update control {
            Auth-Type := 389DS
        }
    }
    #389DS
    group {
        redundant {
            389ds_1
            389ds_2
        }
    }
    #AD_CORPORATE {
    # redundant AD_CORPORATE {
    group {
        redundant {
            ad_corporate_1
            ad_corporate_2
        }
    }
}

authenticate {
    Auth-Type 389DS {
        redundant-load-balance {
            389ds_1
            389ds_2
        }
    }
    Auth-Type ntlm_auth {
        ntlm_auth
    }
}
I noticed that when defining the <server>-Ldap-Group as you suggested, the
<server> prefix must match the name defined for a single server, otherwise it
fails: is there a way to refer to the group of servers (something like group
389DS in authorize and the corresponding 389DS-Ldap-Group in users)?
Moreover, as my system performs a configuration check (-C) before restarting, I
get the following error:
/etc/freeradius/users.sql[1]: Parse error (check) for entry DEFAULT: Unknown
attribute "389ds_1-Ldap-Group" requires a hex string, not "accesso"
FreeRADIUS starts and works correctly; is there a way to avoid that error?
Thanks again for your previous help.
S.
On 7/25/19 2:13 PM, Alan DeKok wrote:
> On Jul 25, 2019, at 5:29 AM, Stefano Cailotto [EDALab] <stefano.cailotto at edalab.it> wrote:
>> I'm configuring a server that is connected to a 389ds (ldap) server and to an AD server for authentication and authorization (on AD, authentication is performed through ntlm_auth and authorization, i.e. group membership checking, through ldap protocol)
> ...
>> Authorization too works flawlessly if in the authorize section I use only one kind of server (ldap1 (389ds) works for user scailotto, ad_corporate_1 works for stefano.cailotto)
> So you've set up two instances of the "ldap" module?
>
>> The main problem arises when radius tries to match group membership for the user, as it always points to AD server.
> If you have two instances of the LDAP module, you can do group checking on a per-module basis.
>
> i.e. if you have:
>
> ldap ldap1 {
> ...
> }
>
> ldap ad_corporate_1 {
> ...
> }
>
> Then you can do group checking with:
>
> ldap1-LDAP-Group == ...
>
> and
>
> ad_corporate_1-LDAP-Group == ...
>
>
>> I tried to play with group statements to force using both servers, but with no success.
>>
>> If I understand well debug info, the query is performed starting from the "files" module: the users files contains statements like
>>
>> DEFAULT Ldap-Group == "delivery-ip", Huntgroup-Name == "junos-tac"
> LDAP-Group will just use the "ldap { ... } " module configuration.
>
> Alan DeKok.
>
>
--
Stefano Cailotto
---------------------------------------------------------------------------
EDALab s.r.l. - Networked Embedded Systems
Operating office:
Via ca Nova Zampieri, 12, 37057 San Giovanni Lupatoto (VR) - Italy
Registered office:
Cà Vignal 2, Strada Le Grazie, 15, 37134 Verona - Italy
Tax code / VAT no. / Verona Companies Register no. 03706250234
REA number: VR - 358813
Share capital: 10.000 euro
---------------------------------------------------------------------------
email: stefano.cailotto at edalab.it
web: http://www.edalab.it | https://www.box-io.com
skype: stefano.cailotto
tel: +39-045-257-0357
mobile: +39-391-731-0244
---------------------------------------------------------------------------
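For readers following the thread, here is the two-backend authorize section with Alan's per-instance group check applied to each branch. This is an added example, not the poster's or the FreeRADIUS project's configuration; it assumes the module instance names 389ds_1/389ds_2 and ad_corporate_1/ad_corporate_2 from the post, the 389DS group name "accesso" seen in the parse error, and the AD group name "delivery-ip" from the users-file entry.

```unlang
# Added example: group membership is checked against the backend that
# actually holds the account, using the <instance>-LDAP-Group attribute
# each ldap instance registers. As noted in the post, the attribute
# names one instance, not the redundant block, so the first server of
# each pair is used here.
authorize {
    if ("%{User-Name}" =~ /^[a-z]+\.[a-z]+$/) {
        # first.last accounts: password verified by ntlm_auth ...
        update control {
            Auth-Type := ntlm_auth
        }
        # ... but group membership is still read over LDAP from AD
        redundant {
            ad_corporate_1
            ad_corporate_2
        }
        # "delivery-ip" is the group from the users-file entry in the thread
        if (!(ad_corporate_1-LDAP-Group == "delivery-ip")) {
            reject
        }
    }
    else {
        # short user names: both authentication and groups come from 389DS
        update control {
            Auth-Type := 389DS
        }
        redundant {
            389ds_1
            389ds_2
        }
        # "accesso" is the group value that appeared in the -C parse error
        if (!(389ds_1-LDAP-Group == "accesso")) {
            reject
        }
    }
}
```

With the check done in unlang per branch, the bare `Ldap-Group` entry in the users file (which, as Alan notes, always queries the default `ldap { }` instance) is no longer needed for this decision.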