On Oct 15, 2018, at 10:16 AM, Mathieu CLAIR <mclair@protego.net> wrote: I'm trying to route Radius requests on 2 backend Radius servers based on LDAP group membership. The purpose is to send Radius requests on the 1st server when the user is a member of an LDAP group (example CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on the 2nd Radius server.
I'm wondering if it's possible and what is the best way to do it.
Yes, it's possible. Just check for the LDAP group, and set Proxy-To-Realm.
I started to think about the folowing process :
- declare an LDAP filter like (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Use rs,DC=foo,DC=bar))
- use the filter (match not null ?) in the site configuration
Why?
Something that sounds like bellow :
my_ldap_filter = (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Use rs,DC=foo,DC=bar))
You can't just invent things in the configuration file and expect them to do what you want.
I'm not sure about the syntax of this. Of course, I faced several errors "Entry is not a reference to a module" when I start manually the freeradius server. Do I need to use the LDAP module ?
If you query an LDAP server, you need to configure the LDAP module. This is documented. Then, check the LDAP group as per the documentation. if (LDAP-Group == "foo") { update control { Proxy-To-Realm := "bar" } } Alan DeKok.