AD tokenGroups
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Oct 11 20:17:37 CEST 2013
On 11 Oct 2013, at 18:14, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> All,
>
> I recently discovered that newer versions of AD have a magic attribute on user objects, visible via a BASE scope search on the user object, called tokenGroups.
>
> This attribute is a list of all the SIDs of all groups the user is a member of, including nested groups, and taking account of disabled groups:
>
> $ ldapsearch -h $DC -b 'CN=usern,OU=...' -s base tokenGroups|head -20
> dn: CN=usern,OU=...
> tokenGroups:: AQIAAAAAAAUgAAAAIQIAAA==
>
> $ ldapsearch -h $DC -b $B -s sub objectSid=<ldap escaped tokenGroup val>
> dn: CN=Users,CN=Builtin,DC=ic,DC=ac,DC=uk
> cn: Users
>
> It strikes me that reading this (and translating SIDs to CN) might be a useful feature to have in the LDAP module - the SIDs are basically static so can be cached internally, so in the long run it's quick, and handles the nesting which is nice.
>
> It's plain LDAP, so no weird #defines needed.
>
> If people want I'll knock together a patch (as I have working local code from another application that I wrote that reads it). The idea would be an ldap config item like this:
This sounds useful.
I think you probably only need group.use_ad_tokengroup to enable/disable it. As this is another way of resolving a user to their group memberships (the objects are the same), you can re-use group.name_attribute.
For consistency, maybe organise it the same way as the current lookups with dynamic and cacheable functions?
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
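As an added illustration of the decode-and-resolve step Phil describes (example code, not FreeRADIUS's own), this Python turns the base64 tokenGroups value from the quoted ldapsearch output into its S-1-... form, builds the RFC 4515 escaped objectSid filter for the follow-up search, and caches SID-to-name results behind an injected lookup callable that stands in for the real LDAP query.

```python
import base64
import struct

# Constructed sample: the tokenGroups value shown in the quoted ldapsearch output.
SAMPLE_TOKENGROUPS_B64 = "AQIAAAAAAAUgAAAAIQIAAA=="


def sid_from_bytes(raw: bytes) -> str:
    """Decode a binary SID: revision byte, sub-authority count byte,
    48-bit big-endian identifier authority, then little-endian 32-bit
    sub-authorities.  Returns the textual S-R-A-S1-S2... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def ldap_escape_binary(raw: bytes) -> str:
    """Escape a binary value for use in an LDAP search filter (RFC 4515):
    every byte becomes a backslash followed by two hex digits."""
    return "".join("\\%02x" % b for b in raw)


def objectsid_filter(raw: bytes) -> str:
    """Filter that finds the group object whose objectSid is this SID."""
    return "(objectSid=%s)" % ldap_escape_binary(raw)


def decode_tokengroups(values_b64):
    """Decode each base64 tokenGroups value into (sid text, objectSid filter)."""
    out = []
    for v in values_b64:
        raw = base64.b64decode(v)
        out.append((sid_from_bytes(raw), objectsid_filter(raw)))
    return out


class SidResolver:
    """Resolve raw SIDs to group names, caching results since SIDs are static.
    `lookup` is a hypothetical callable(filter_text) -> name or None; in a
    real module it would run the objectSid search against the directory."""

    def __init__(self, lookup):
        self._lookup = lookup
        self._cache = {}

    def resolve(self, raw: bytes):
        sid = sid_from_bytes(raw)
        if sid not in self._cache:  # first sighting: hit the directory once
            self._cache[sid] = self._lookup(objectsid_filter(raw))
        return self._cache[sid]
```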