AD tokenGroups
Phil Mayers
p.mayers at imperial.ac.uk
Fri Oct 11 19:14:36 CEST 2013
All,
I recently discovered that newer versions of AD have a magic attribute
on user objects, visible via a BASE scope search on the user object,
called tokenGroups.
This attribute is a list of all the SIDs of all groups the user is a
member of, including nested groups, and taking account of disabled groups:
$ ldapsearch -h $DC -b 'CN=usern,OU=...' -s base tokenGroups|head -20
dn: CN=usern,OU=...
tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
$ ldapsearch -h $DC -b $B -s sub objectSid=<ldap escaped tokenGroup val>
dn: CN=Users,CN=Builtin,DC=ic,DC=ac,DC=uk
cn: Users
It strikes me that reading this (and translating SIDs to CN) might be a
useful feature to have in the LDAP module - the SIDs are basically
static so can be cached internally, so in the long run it's quick, and
handles the nesting which is nice.
It's plain LDAP, so no weird #defines needed.
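As an added illustration of the two steps shown in the ldapsearch session above (decode a binary tokenGroups value into an S-1-... SID, then LDAP-escape the raw bytes for an objectSid filter, caching the SID-to-name result), here is a small Python example. It is not code from this post or from the FreeRADIUS project; the function names, the `lookup` callable and the `_fake_directory_lookup` stand-in are assumptions, and the sample value is the one printed in the session above.

```python
import base64
import struct

# Constructed sample: the tokenGroups value from the ldapsearch output above
# (base64 of a 16-byte binary SID). Not read from a live directory.
SAMPLE_TOKENGROUPS_B64 = "AQIAAAAAAAUgAAAAIQIAAA=="


def sid_bytes_to_string(sid: bytes) -> str:
    """Convert a binary Windows SID to its textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N sub-authorities
    (4 bytes each, little-endian).
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:]) if count else ()
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def ldap_escape_binary(value: bytes) -> str:
    """RFC 4515 escaping of a binary assertion value for use in a filter."""
    return "".join("\\%02x" % b for b in value)


def objectsid_filter(sid: bytes) -> str:
    """Build the objectSid equality filter used to find the group object."""
    return "(objectSid=%s)" % ldap_escape_binary(sid)


# Hypothetical in-process cache: SID string -> group name. SIDs are stable,
# so a resolved name can be kept for the life of the process.
_sid_name_cache = {}


def resolve_token_groups(tokengroups_b64, lookup):
    """Turn base64 tokenGroups values into group names.

    `lookup(filter_str)` is a hypothetical callable that runs the objectSid
    search and returns the group's name attribute (e.g. cn), or None when
    no object matches. Unresolvable SIDs are skipped rather than failing.
    """
    names = []
    for b64 in tokengroups_b64:
        raw = base64.b64decode(b64)
        sid = sid_bytes_to_string(raw)
        if sid not in _sid_name_cache:
            name = lookup(objectsid_filter(raw))
            if name is None:
                continue
            _sid_name_cache[sid] = name
        names.append(_sid_name_cache[sid])
    return names


def _fake_directory_lookup(filter_str):
    # Constructed stand-in for the objectSid search; real code would query the DC.
    table = {objectsid_filter(base64.b64decode(SAMPLE_TOKENGROUPS_B64)): "Users"}
    return table.get(filter_str)


if __name__ == "__main__":
    raw = base64.b64decode(SAMPLE_TOKENGROUPS_B64)
    print(sid_bytes_to_string(raw))   # S-1-5-32-545, the well-known BUILTIN\Users SID
    print(objectsid_filter(raw))
    print(resolve_token_groups([SAMPLE_TOKENGROUPS_B64], _fake_directory_lookup))
```

The decoded value S-1-5-32-545 is the well-known BUILTIN\Users SID, which matches the `CN=Users,CN=Builtin` object the second ldapsearch returned.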
If people want I'll knock together a patch (as I have working local code
from another application that I wrote that reads it). The idea would be
an ldap config item like this:
ldap {
    # extract LDAP-Group values from AD magic tokenGroups
    # attribute once a user has been found - handles nested
    # and disabled groups
    ad_tokengroups = [no|yes]
    # which attribute of the group is the group "name"
    ad_tokengroup_name = "cn"
}