AD group membership

Munroe Sollog mus3 at lehigh.edu
Tue Jan 14 18:26:11 CET 2020


Using this as a guide:

https://wiki.freeradius.org/modules/Rlm_ldap#group-support

I configured the ldap module for my AD server.  However, I was unsure
regarding the post-auth section in the guide.  I ended up adding a
"function" to the policy.d folder (not sure if that's a debian-only folder
or not) and referencing that function as the first line in the
authorize section of my enabled site.  I recognize there are many ways to
get to the same result, but I thought I'd ask the experts: is there a
reason to use the post-auth section rather than the authorize section?
It seems like the group check naturally fits into "is this user authorized to
use this service".

On Mon, Jan 13, 2020 at 5:19 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> >
> > I have successfully configured freeradius to authenticate against AD
> > using the winbind socket (not the ntlm_auth command).
>
>   That's good.
>
> >  I find myself needing to also authorize based on AD group membership,
> > more precisely based on negative group membership (We maintain a "deny
> > wireless" group).  It seems like I could use the LDAP module and test
> > for the group there, but I noticed that the ntlm_auth command supports
> > some notion of group checking through the '--require-membership-of=STRING'
> > option.
>
>   That requires membership in a particular group.  It does *not* do
> negative group checking.
>
> >  It follows that winbind has access to AD groups and could be used to
> > check.  I haven't been able to find any guidance on the freeradius.org
> > documentation site, so I was wondering if there is a preferred method
> > for AD-based group checking when using winbind.
>
>   The --require-membership-of option is *only* good if you need to require
> membership of one, and only one group.  If you need to check multiple
> groups, it doesn't work.  If you need to do negative group checking, it
> doesn't work.
>
>   Alan DeKok.
>
>



-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
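An added example (not from this thread or the FreeRADIUS wiki) of the layout the message describes: a policy.d function that rejects members of the deny group through the ldap module's group check, called from the authorize section. It assumes FreeRADIUS 3.x, an rlm_ldap instance named `ldap` with group support configured, and a group named `deny wireless`; the file and policy names are hypothetical.

```unlang
# policy.d/deny_wireless  (hypothetical file and policy name; added example)
#
# Reject any user who is a member of the AD "deny wireless" group.
# LDAP-Group is the virtual attribute registered by rlm_ldap; comparing it
# triggers a membership lookup against AD.  If the ldap module has not
# already run for this request, rlm_ldap searches for the user's DN first,
# so the policy can be placed before or after the "ldap" call.
deny_wireless {
	if (&LDAP-Group == "deny wireless") {
		update reply {
			&Reply-Message := "Wireless access denied by group policy"
		}
		reject
	}
}

# sites-enabled/default (relevant fragment only)
authorize {
	# Run the group policy first so denied users are rejected before any
	# authentication work (mschap / winbind) is done for them.
	deny_wireless

	# ... remaining authorize entries (preprocess, mschap, ldap, ...) ...
}
```

Check the result with `radiusd -X`: a member of the group should produce an Access-Reject carrying the Reply-Message above, while non-members continue through the rest of the authorize section.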

