Can I get group-name from Active-directory? [sec=unclassified]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Thu Dec 20 01:26:00 CET 2007

________________________________

	From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Hangjun He
	Sent: Wednesday, 19 December 2007 19:32
	To: FreeRadius users mailing list
	Subject: RE: Can I get group-name from Active-directory? [sec=unclassified]
	
	
	I added group parameters in the rlm_ldap section. It seems freeradius does not do a group search.
	        groupname_attribute = memberOf
	        groupmembership_filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
	 
	Is there anything else I need to configure in radiusd.conf?
	 

Yes, you need 'files' enabled in the authorize section, then in raddb/users you need to set check rules against your groups.


# Keep managers out of technical things
DEFAULT	Ldap-Group == "Managers", Auth-Type := Reject

# network operations members have admin access to entire network, see ldap for access details
#
DEFAULT	Ldap-Group == "netops", User-Profile := 'cn=netops,ou=profiles,dc=demo,dc=com'

# Regular users can access network systems by being in the appropriate ldap group
#
DEFAULT	Ldap-Group == `%{Huntgroup-Name}`
	Access-Level := RW,
	Service-Type = Administrative-User,
	Cisco-AVPair := "shell:priv-lvl=15"


Try to keep your rules to a minimum, as each Ldap-Group line generates
an ldap search. The rule most likely to succeed should be tried earlier.
The technique above is efficient because huntgroup/usergroup only needs
one test. Otherwise you would need to do:

DEFAULT	Huntgroup-Name == 'sales', Ldap-Group == 'sales'
	...

DEFAULT	Huntgroup-Name == 'marketing', Ldap-Group == 'marketing'
	...

Anyway, the answer is the ldap group lookups don't happen until you ask
for it, and you ask for it in 'users' by comparing Ldap-Group with
something.

Regards,
Frank Ranner
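As an added illustration (not part of the thread, and not FreeRADIUS code), the following toy Python model walks 'users'-style DEFAULT entries top to bottom and counts how many directory searches the Ldap-Group comparisons cost, contrasting Frank's single `%{Huntgroup-Name}` rule with one entry per huntgroup. The directory contents, user names and huntgroups are constructed sample data; the model follows Frank's description that every Ldap-Group check item evaluated costs one search, and it assumes all check items of an entry are evaluated (no short-circuit), expands `%{Attr}` directly rather than through backticks, and does not model Fall-Through or the `:-` default syntax.

```python
import re

# Constructed sample directory (assumption): user -> set of LDAP group names.
DIRECTORY = {
    "alice": {"Managers"},
    "bob": {"netops"},
    "carol": {"sales"},
    "dave": {"marketing"},
}


class Ldap:
    """Stand-in for the Ldap-Group comparison; counts directory searches."""

    def __init__(self, directory):
        self.directory = directory
        self.searches = 0

    def in_group(self, user, group):
        self.searches += 1  # one search per Ldap-Group comparison (Frank's point)
        return group in self.directory.get(user, set())


XLAT = re.compile(r"%\{([A-Za-z-]+)\}")


def xlat(value, request):
    """Expand simple %{Attribute} references from the request (toy xlat)."""
    return XLAT.sub(lambda m: request.get(m.group(1), ""), value)


def entry_matches(checks, request, ldap, sets):
    """Evaluate one entry's check items; all items are evaluated (assumption).
    ':=' items are collected in `sets` and only applied if the entry matches."""
    ok = True
    for attr, op, value in checks:
        value = xlat(value, request)
        if op == ":=":                      # e.g. Auth-Type := Reject
            sets[attr] = value
        elif attr == "Ldap-Group":
            if not ldap.in_group(request["User-Name"], value):
                ok = False
        elif request.get(attr) != value:    # plain request-attribute compare
            ok = False
    return ok


def authorize(entries, request, ldap):
    """First entry whose checks all pass supplies control items and replies."""
    for checks, replies in entries:
        sets = {}
        if entry_matches(checks, request, ldap, sets):
            return sets, dict(replies)
    return {}, {}


REPLY = {"Access-Level": "RW", "Service-Type": "Administrative-User",
         "Cisco-AVPair": "shell:priv-lvl=15"}

# Frank's compact rules: the huntgroup name picks the single group to test.
COMPACT = [
    ([("Ldap-Group", "==", "Managers"), ("Auth-Type", ":=", "Reject")], {}),
    ([("Ldap-Group", "==", "netops"),
      ("User-Profile", ":=", "cn=netops,ou=profiles,dc=demo,dc=com")], {}),
    ([("Ldap-Group", "==", "%{Huntgroup-Name}")], REPLY),
]

# The alternative he warns against: one entry (and one search) per huntgroup.
PER_GROUP = COMPACT[:2] + [
    ([("Huntgroup-Name", "==", g), ("Ldap-Group", "==", g)], REPLY)
    for g in ("sales", "marketing", "support")   # constructed huntgroup names
]


def run(entries, user, huntgroup):
    """Authorize one request; return (control items, reply items, searches)."""
    ldap = Ldap(DIRECTORY)
    request = {"User-Name": user, "Huntgroup-Name": huntgroup}
    control, reply = authorize(entries, request, ldap)
    return control, reply, ldap.searches


if __name__ == "__main__":
    for user, hg in (("alice", "sales"), ("bob", "sales"),
                     ("dave", "marketing"), ("eve", "support")):
        for name, rules in (("compact", COMPACT), ("per-group", PER_GROUP)):
            control, reply, n = run(rules, user, hg)
            print(f"{user:6} {hg:10} {name:9} searches={n} "
                  f"control={control} reply={reply}")
```

Running it shows why order and rule count matter: a manager is rejected after one search, and a user who belongs to no group costs three searches under the compact rules but five under the per-huntgroup rules, since every Ldap-Group line that is evaluated hits the directory.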
