Can I get group-name from Active-directory? [sec=unclassified]
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Thu Dec 20 01:26:00 CET 2007
________________________________
From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Hangjun He
Sent: Wednesday, 19 December 2007 19:32
To: FreeRadius users mailing list
Subject: RE: Can I get group-name from Active-directory? [sec=unclassified]
I added group parameters in the rlm_ldap section. It seems freeradius does not
do the group search.
groupname_attribute = memberOf
groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
Is there anything else I need to configure in radiusd.conf?
Yes, you need 'files' enabled in the authorize section, then in raddb/users
you need to set check rules against your groups:
# Keep managers out of technical things
DEFAULT Ldap-Group == "Managers", Auth-Type := Reject

# network operations members have admin access to entire network, see
# ldap for access details
#
DEFAULT Ldap-Group == "netops", User-Profile := 'cn=netops,ou=profiles,dc=demo,dc=com'

# Regular users can access network systems by being in the appropriate
# ldap group
#
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
	Access-Level := RW,
	Service-Type = Administrative-User,
	Cisco-AVPair := "shell:priv-lvl=15"
Try to keep your rules to a minimum, as each Ldap-Group line generates
an LDAP search. The rule most likely to succeed should be tried earlier.
The technique above is efficient because huntgroup/usergroup only needs
one test. Otherwise you would need to do:
DEFAULT Huntgroup-Name == 'sales', Ldap-Group == 'sales'
...
DEFAULT Huntgroup-Name == 'marketing', Ldap-Group == 'marketing'
...
Anyway, the answer is that the LDAP group lookups don't happen until you
ask for them, and you ask for them in 'users' by comparing Ldap-Group with
something.
Regards,
Frank Ranner
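To make the search-cost point concrete, here is an added example (not from the thread and not FreeRADIUS code): a small Python model of rlm_files walking the users entries above, in which every Ldap-Group comparison costs one LDAP search and the first failing check item ends that entry. The directory contents, the request attributes and the users-file text are constructed for the example; only the users-file syntax used in the post is modelled.

```python
"""Simplified model (not FreeRADIUS code) of how rlm_files walks 'users'
entries: each Ldap-Group check item costs one LDAP group search, and the
first failing check item ends that entry. All data below is constructed."""
import re

DIRECTORY = {"alice": {"netops"}, "bob": {"Managers", "sales"}}  # user -> memberOf
ITEM = re.compile(r"""([\w-]+)\s*(==|:=|=)\s*("[^"]*"|'[^']*'|`[^`]*`|[^,\s]+)""")
USERS = """
# Keep managers out of technical things
DEFAULT Ldap-Group == "Managers", Auth-Type := Reject
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
\tService-Type = Administrative-User,
\tCisco-AVPair := "shell:priv-lvl=15"
"""

class LdapCounter:  # stands in for rlm_ldap and counts the group searches
    searches = 0
    def is_member(self, user, group):
        self.searches += 1  # one Ldap-Group comparison == one LDAP search
        return group in DIRECTORY.get(user, set())

def parse_users(text):
    """Return [(check_items, reply_items)]; indented lines are reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # reply items belong to the preceding entry
            entries[-1][1].extend(ITEM.findall(line))
        else:  # "DEFAULT <check items>"; only DEFAULT entries are modelled
            entries.append((ITEM.findall(line.split(None, 1)[1]), []))
    return entries

def authorize(users_text, request, ldap):
    """First entry whose check items all match wins; None if none matches."""
    for checks, reply in parse_users(users_text):
        for attr, op, raw in checks:
            value = re.sub(r"%\{([\w-]+)\}", lambda m: request.get(m.group(1), ""), raw.strip("\"'`"))
            if attr == "Ldap-Group":
                matched = ldap.is_member(request["User-Name"], value)
            elif op == ":=":  # control item (Auth-Type, User-Profile): set, not tested
                matched = True
            else:
                matched = request.get(attr) == value
            if not matched:
                break  # the first failing check item ends this entry
        else:
            return {a: v.strip("\"'`") for a, _, v in reply}
    return None
```

With the two rules in USERS, a netops user costs two searches because the Managers test is tried and fails first; putting the rule most likely to succeed first brings that to one, and a users file with no Ldap-Group line makes no search at all.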