MS AD, LDAP works -> how to check for group membership?
Dusty Doris
freeradius at mail.doris.cc
Mon Jul 18 16:11:14 CEST 2005
On Thu, 14 Jul 2005, Shelbyville.Unwired wrote:
> I would like to check group membership before authenticating user
> login requests.
>
> I currently have radiusd.conf setup such that all users can login.
> However after spending several days reading man pages, and searching
> these archives I haven't found the key that unlocks my problem.
>
> radiusd.conf
>
> # <snip>
>
> ldap {
> server = "xx.xx.xx.xx" # ad server address
> identity = "cn=some_user,cn=users,dc=domain,dc=com" # bind account
> password = "xxx" # bind account password
> basedn = "cn=users,dc=domain,dc=com" # base dn
> filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})" # uid
> start_tls = no # nope
> dictionary_mapping = ${raddbdir}/ldap.attrmap # default
> ldap_connections_number = 5 # why not
> password_attribute = userPassword # no need to explain
>
> # ok this is where things get real fuzzy - I've read rlm_ldap several times...
>
> timeout = 4
> timelimit = 3
> net_timeout = 1
> }
>
> Users file remains untouched.
>
> Specifically, what else do I need to do to check if a user is a member of XYZ_group
> and, if so, authenticate them.
>
> Any help would be greatly appreciated. TYIA.
>
You will define where to search for group memberships in that section
above. You left those configs out above. Look for groupname_attribute,
groupmembership_filter and groupmembership_attribute. Configure those for
how you have groups set up.
Then in the users file you can define the check for group membership.
e.g.:
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial
DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl
DEFAULT Auth-Type := Reject
That says the user must be in the dial group if the request comes from a NAS in
the dial huntgroup, in the adsl group if it comes from an adsl NAS, and is
rejected otherwise.
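Putting the reply together for the Active Directory case, here is an added, constructed example of the three rlm_ldap group directives plus the matching huntgroups and users entries (FreeRADIUS 1.x syntax, as in the original config). It is not from the original post or from the FreeRADIUS distribution; the server address, bind account, NAS addresses and the group names "dial" and "adsl" (taken as the cn of two AD groups) are assumptions.

```text
# radiusd.conf, ldap {} module: group lookups against AD (constructed example)
ldap {
	server = "xx.xx.xx.xx"
	identity = "cn=some_user,cn=users,dc=domain,dc=com"
	password = "xxx"
	basedn = "cn=users,dc=domain,dc=com"
	filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
	dictionary_mapping = ${raddbdir}/ldap.attrmap
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1

	# Ldap-Group == "X" in the users file is compared against this attribute
	# of the group entry, i.e. the AD group's cn.
	groupname_attribute = cn

	# AD groups are objectClass=group and list their members by DN in the
	# multi-valued "member" attribute.  %{Ldap-UserDn} is filled in by
	# rlm_ldap once the user entry has been found, so list ldap before
	# files in authorize.  Groups outside basedn are not found by this
	# search; widen basedn (e.g. to dc=domain,dc=com) if they live elsewhere.
	groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"

	# AD also records memberships on the user object (memberOf holds group
	# DNs); rlm_ldap checks this as a second source.  Caveats: a user's
	# primary group (normally "Domain Users") is not listed in memberOf,
	# and nested group membership is not expanded by either check.
	groupmembership_attribute = memberOf
}

authorize {
	preprocess	# assigns Huntgroup-Name from the huntgroups file
	ldap		# locates the user and sets Ldap-UserDn
	files		# evaluates the users file below
}

# huntgroups (constructed NAS addresses)
dial	NAS-IP-Address == 192.0.2.10
adsl	NAS-IP-Address == 192.0.2.20

# users: the required AD group depends on the huntgroup of the NAS.
# An entry only matches when all its check items match; a dial-NAS user
# who is not in the "dial" group falls through to the final Reject.
DEFAULT	Huntgroup-Name == dial, Ldap-Group == "dial"

DEFAULT	Huntgroup-Name == adsl, Ldap-Group == "adsl"

DEFAULT	Auth-Type := Reject
	Reply-Message = "Not a member of the required group"
```

To check it, run the server with `radiusd -X` and send a request with `radtest`. Note that a request from localhost carries NAS-IP-Address 127.0.0.1, which is in neither huntgroup above, so it will hit the final Reject unless you add that address to the huntgroups file for testing.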