Active directory groups

Phil Mayers p.mayers at imperial.ac.uk
Wed May 18 17:58:04 CEST 2011


On 18/05/11 16:21, Doty, Seth wrote:

> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest.  My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment.  I'm a bit of a freeradius noob so any
> help is appreciated.

I don't really understand what you want, so I'm going to guess.

You have multiple groups. You want to read those from AD via LDAP, and 
then set reply variables.

The main way to do this is to use unlang or a files module to check each 
group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel:

post-auth {
   ...
   if (Ldap-Group == staff) {
     update reply {
       Vlan-Attribute := 123
     }
   }
   elsif (Ldap-Group == students) {
     ..
   }
   else {
      ..
   }
}

Is this what you want? If not, can you explain why not?
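A fuller version of the post-auth block above, added here as an example (it is not from the original message), using the standard RFC 3580 VLAN-assignment attributes in place of the Vlan-Attribute placeholder; the group names are the ones from the thread, the VLAN numbers are made up:

```unlang
# Added example: /etc/raddb/sites-enabled/inner-tunnel, post-auth section.
# Every Ldap-Group comparison makes the ldap module query AD for that
# group, so the most common group is tested first and a user who matches
# none of the mapped groups is rejected instead of landing on a default VLAN.
post-auth {
  if (Ldap-Group == "staff") {
    update reply {
      Tunnel-Type := VLAN
      Tunnel-Medium-Type := IEEE-802
      Tunnel-Private-Group-Id := "123"    # made-up VLAN id for staff
    }
  }
  elsif (Ldap-Group == "students") {
    update reply {
      Tunnel-Type := VLAN
      Tunnel-Medium-Type := IEEE-802
      Tunnel-Private-Group-Id := "456"    # made-up VLAN id for students
    }
  }
  else {
    # Authenticated, but in none of the mapped AD groups: deny access
    # rather than guess a VLAN.
    reject
  }
}
```

Because these attributes are set inside the inner tunnel, the peap/ttls section of eap.conf needs use_tunneled_reply = yes for them to be copied into the outer Access-Accept that the switch sees.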



More information about the Freeradius-Users mailing list