LDAP Groups + SQL Authorization
Alan DeKok
aland at deployingradius.com
Mon Mar 22 17:48:40 CET 2010
Mike Loosbrock wrote:
> 1.) All the users and groups are stored in AD.
> 2.) The AD schema cannot be extended to hold RADIUS attributes.
Ah, the joys of Active Directory administration.
> 3.) But the RADIUS attributes can be stored in a database.
>
> Is there a way to configure FreeRADIUS to compile a user's group
> membership via rlm_ldap and then pass that group information on
> to rlm_sql for group authorization?
Hmm.. that may be awkward. It's not really set up to do that right now.
> I thought about getting the user's groups by fetching the multi-
> valued 'memberOf' attribute from AD and then copying it to the
> control list via ldap.attrmap. But I don't see any way to then
> make rlm_sql use that attribute in an authorization query (at
> least in any sort of useful manner).
If it's an attribute, the SQL module can use it. See "man unlang" for
how attributes are addressed.
SELECT ... from ... where %{control:My-Attr...}
> One work-around is to periodically export the AD group
> membership data and rebuild the usergroup table from it. I'd
> really like to avoid this approach if at all possible.
Yup.
Alan DeKok.
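One way the pieces Alan describes could be wired together in FreeRADIUS 2.x, added here as an illustration and not taken from the thread: the attribute name My-LDAP-Group, the ldap_dn column and the overridden query are assumptions; the file names, the attrmap format, group_membership_query and safe-characters are stock 2.x configuration.

```text
# raddb/dictionary: a local attribute to carry the group DN from AD
# (attribute numbers 3000 and up are reserved for local use; the name is an assumption)
ATTRIBUTE	My-LDAP-Group	3000	string

# raddb/ldap.attrmap: copy AD's multi-valued memberOf into the control list
# <type>	<RADIUS attribute>	<LDAP attribute>
checkItem	My-LDAP-Group	memberOf

# raddb/sites-enabled/default, authorize section: ldap must run before sql,
# otherwise the control attribute does not exist when the query is expanded
authorize {
	ldap
	sql
}

# raddb/sql/mysql/dialup.conf: instead of looking the user up in the usergroup
# table, map the DN carried in the control list to a groupname; the stock
# authorize_group_check_query / authorize_group_reply_query then run unchanged
# with %{Sql-Group}.  The ldap_dn column is an assumption.
# %{control:My-LDAP-Group} expands only the first memberOf value;
# %{control:My-LDAP-Group[*]} expands all of them, but confirm the separator
# your release emits before splicing that into an IN (...) list.
group_membership_query = "SELECT groupname FROM ${usergroup_table} \
	WHERE ldap_dn = '%{control:My-LDAP-Group}' ORDER BY priority"

# raddb/sql.conf: rlm_sql escapes every expanded value, rewriting any character
# not listed here as =XX hex.  A DN contains ',' and '=', so either store the
# escaped form in ldap_dn or add those two characters to the safe set.  Keep
# the quote and backslash characters out of it so expansions stay injection-safe.
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /,="
```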