LDAP Groups + SQL Authorization
Peter Lambrechtsen
plambrechtsen at gmail.com
Mon Mar 22 19:53:38 CET 2010
On Tue, Mar 23, 2010 at 7:06 AM, Mike Loosbrock <mloosbro at bnet.bethel.edu> wrote:
> Excerpts from Alan DeKok's message of Mon Mar 22 11:48:40 -0500 2010:
> > Mike Loosbrock wrote:
> >
> > > I thought about getting the user's groups by fetching the multi-
> > > valued 'memberOf' attribute from AD and then copying it to the
> > > control list via ldap.attrmap. But I don't see any way to then
> > > make rlm_sql use that attribute in an authorization query (at
> > > least in any sort of useful manner).
> >
> > If it's an attribute, the SQL module can use it. See "man unlang" for
> > how attributes are addressed.
> >
> > SELECT ... from ... where %{control:My-Attr...}
>
> You're right, though I forgot to mention I want to support multiple group
> memberships. Building upon your idea, could I do something like this:
>
> 1.) Populate the usergroup table with one record for each group I want to
> support. (This lets me prioritize the groups).
>
> 2.) Use rlm_ldap to fetch group membership via the 'memberOf' AD attribute.
>
> 3.) Use ldap.attrmap to map 'memberOf' to control:My-Groups.
>
> 3.) Use a custom perl module to build a SQL query string that simply
> returns a record for each group in control:My-Groups. In pseudo-code:
> control:My-Query =
> SELECT groupname
> FROM ${usergroup_table}
> WHERE groupname IN ( '%{My-Groups[0]}', '%{My-Groups[1]}', ... )
> ORDER BY priority
>
> 4.) In rlm_sql, set group_membership_query = "%{control:My-Query}".
>
> Are steps 3 and 4 really as dirty and wrong as they look? What kind of
> performance hit am I looking at?
>
This is the way we do it.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html
Then everything is driven out of LDAP (eDirectory, but AD should work just
the same) without extending the schema.
And then to do the "security" you use the postauth_users to say which LDAP
group you need to be to allow you to access which Hostgroup and get what
attributes in the Access-Accept response. With the last line in the
postauth_users being "access-reject" since it hadn't matched any of the
groups beforehand.
Easy!
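The question above is whether a query built by pasting each My-Groups value into an IN (...) list is as fragile as it looks. The script below is an added illustration, not code from this thread or from FreeRADIUS: it stands in for the custom module that would generate the query, keeps the thread's usergroup table with a priority column, and uses DB-API placeholders instead of quoting values by hand. The table contents, the memberOf DNs and the assumption that usergroup stores the bare group CN rather than the full DN are all constructed for the example. It also keeps the string-built form from the pseudo-code next to it, so that a group name containing an apostrophe shows why placeholders are the property worth checking for in whatever actually generates the query.

```python
import sqlite3

# Constructed sample of the thread's usergroup table: one row per group that
# should be honoured, with a priority that decides which one wins.
USERGROUP_ROWS = [
    ("vpn-admins", 10),
    ("vpn-users", 20),
    ("wifi-users", 30),
]


def open_usergroup_db():
    """In-memory stand-in for the SQL backend rlm_sql would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE usergroup (groupname TEXT PRIMARY KEY, priority INTEGER NOT NULL)"
    )
    conn.executemany("INSERT INTO usergroup VALUES (?, ?)", USERGROUP_ROWS)
    conn.commit()
    return conn


def cn_from_dn(dn):
    """Value of the leading CN= RDN of an AD group DN.

    Assumption for this example: usergroup holds the plain group name, so the
    memberOf DN is reduced to its CN first. Splitting on the first comma is
    deliberately simple and does not handle escaped commas inside an RDN.
    """
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"unexpected leading RDN in group DN: {first_rdn!r}")
    return value.strip()


def build_group_query(names):
    """Parameterised form of the thread's query: one placeholder per value."""
    placeholders = ", ".join("?" for _ in names)
    sql = (
        "SELECT groupname FROM usergroup "
        f"WHERE groupname IN ({placeholders}) ORDER BY priority"
    )
    return sql, tuple(names)


def build_group_query_naive(names):
    """The string-built form from the pseudo-code, kept to show how it breaks."""
    quoted = ", ".join(f"'{n}'" for n in names)
    return (
        "SELECT groupname FROM usergroup "
        f"WHERE groupname IN ({quoted}) ORDER BY priority"
    )


def matching_groups(conn, member_of):
    """Groups from memberOf that exist in usergroup, best priority first."""
    names = [cn_from_dn(dn) for dn in member_of]
    if not names:
        # An empty IN () is rejected by most SQL servers (SQLite tolerates it),
        # and a user in no groups cannot match anything anyway.
        return []
    sql, params = build_group_query(names)
    return [row[0] for row in conn.execute(sql, params)]


def naive_query_breaks(conn, member_of):
    """True when the string-built query fails to parse for this memberOf list."""
    names = [cn_from_dn(dn) for dn in member_of]
    try:
        conn.execute(build_group_query_naive(names))
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_usergroup_db()
    # Constructed memberOf values as AD would return them for one user.
    sample_member_of = [
        "CN=wifi-users,OU=Groups,DC=example,DC=com",
        "CN=vpn-admins,OU=Groups,DC=example,DC=com",
        "CN=Domain Users,CN=Users,DC=example,DC=com",
    ]
    print(matching_groups(db, sample_member_of))
```

The first returned row is the group a postauth_users-style ordering would act on, which is why the query carries ORDER BY priority rather than relying on the order memberOf happens to come back in.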