On Jan 7, 2021, at 8:22 PM, stray electron <strayedelectron@gmail.com> wrote:
How can I check an LDAP group membership (or attribute) in an EAP-TLS setup?
Check it once, and cache the result. Or, check it in post-auth.
I try to set up a Freeradius 3.0 where the client auth is done with EAP-TLS but also checks if the client is in the LDAP (and/or check some user attribute in the LDAP). If the client has a valid certificate but is not in the LDAP then he should be rejected.
It's simpler to just revoke the certificate. But whatever.
Since the auth is already done by EAP-TLS certificates no user bind to the LDAP should be needed, besides I don't have the user password anyway. But I have an LDAP account configured for the Radius server so it can access the user data.
So far EAP-TLS works fine, I suppose the 10-times repetition of the authorize part is due to the EAP messages exchanged with the client, or am I wrong?
It's because you made it do the LDAP checks in the "authorize" section, i.e. before the user is authenticated.
Problem is though, that the LDAP search is done 10-times too for each client request. I think this would lead to a huge load of our LDAP server.
I tried to put the ldap stanza into other places like post-auth, but then it tries to write to the LDAP, or in authenticate where the user password is required.
You can do: post-auth { ... ldap.authorize ... } And run the "authorize" method of the "ldap" module. Alan DeKok.