Can I get group-name from Active-directory? [sec=unclassified]

Ranner, Frank MR Frank.Ranner at
Thu Dec 20 01:26:00 CET 2007



	From: at lists.freeradius.or
[ at lists.freer] On Behalf Of Hangjun He
	Sent: Wednesday, 19 December 2007 19:32
	To: FreeRadius users mailing list
	Subject: RE: Can I get group-name from Active-directory?
	I added group parameters in the rlm_ldap section. It seems freeradius does
not do a group search.
	        groupname_attribute = memberOf
	        groupmembership_filter =
	Anything else I need to configure in radiusd.conf?

Yes, you need 'files' enabled in the authorize section, then in raddb/users
you need to set check rules against your groups:

# Keep managers out of technical things
DEFAULT	Ldap-Group == "Managers", Auth-Type := Reject

# network operations members have admin access to entire network, see
# ldap for access details
DEFAULT Ldap-Group == "netops",

# Regular users can access network systems by being in the appropriate
# ldap group
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Access-Level := RW,
        Service-Type = Administrative-User,
        Cisco-AVPair := "shell:priv-lvl=15"

Try and keep your rules to a minimum as each Ldap-Group line generates
an ldap search. The rule most likely to succeed should be tried earlier.
The technique above is efficient because huntgroup/usergroup only needs
one test. Otherwise you would need to do:

DEFAULT	Huntgroup-Name == 'sales', Ldap-Group == 'sales'

DEFAULT	Huntgroup-Name == 'marketing', Ldap-Group == 'marketing'

Anyway, the answer is the ldap group lookups don't happen until you ask
for it, and you ask for it in 'users' by comparing Ldap-Group with

Frank Ranner
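As an added illustration (not code from the post or from FreeRADIUS), a small Python model of the users-file evaluation Frank describes: DEFAULT entries are tried in order, each Ldap-Group check item costs one directory search, and the single `%{Huntgroup-Name}` entry covers every huntgroup. The directory contents, user names and first-match/no-Fall-Through semantics are constructed assumptions.

```python
# Added model (not FreeRADIUS code) of rlm_files walking DEFAULT entries in
# raddb/users. Assumptions: first matching entry wins (no Fall-Through) and a
# user with no matching entry is rejected.
# Constructed stand-in for Active Directory memberOf data.
DIRECTORY = {"alice": {"Managers"}, "bob": {"netops"}, "carol": {"sales"}}


class LdapMock:
    """Counts the group searches a real rlm_ldap backend would perform."""

    def __init__(self):
        self.searches = 0

    def is_member(self, user, group):
        self.searches += 1  # each Ldap-Group comparison is one LDAP search
        return group in DIRECTORY.get(user, set())


def expand(value, request):
    """Minimal %{Attribute} expansion, enough for `%{Huntgroup-Name}`."""
    if value.startswith("%{") and value.endswith("}"):
        return request.get(value[2:-1], "")
    return value


def evaluate(rules, request, ldap):
    """Return the reply items of the first entry whose check items all match,
    or None. rules is a list of (check_items, reply_items) dict pairs."""
    for checks, reply in rules:
        if all(
            ldap.is_member(request["User-Name"], expand(v, request))
            if attr == "Ldap-Group"
            else request.get(attr) == expand(v, request)
            for attr, v in checks.items()
        ):
            return reply
    return None


# The compact rule set from the post: reject managers first, then one entry
# that ties the NAS huntgroup to the LDAP group of the same name.
RULES = [
    ({"Ldap-Group": "Managers"}, {"Auth-Type": "Reject"}),
    ({"Ldap-Group": "%{Huntgroup-Name}"},
     {"Access-Level": "RW", "Service-Type": "Administrative-User",
      "Cisco-AVPair": "shell:priv-lvl=15"}),
]


def authorize(user, huntgroup):
    """Evaluate one request; returns (reply_items, ldap_searches_performed)."""
    ldap = LdapMock()
    reply = evaluate(RULES, {"User-Name": user, "Huntgroup-Name": huntgroup}, ldap)
    return reply, ldap.searches
```

A manager is rejected after a single search, while a netops user on a netops NAS needs two (the failed Managers test plus the huntgroup test), which is why the rule most likely to match belongs first.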
