avoiding ldap access in authorize

Fred fred.maison at gmail.com
Thu Sep 29 12:03:39 CEST 2011


Hi all,
When using ldap with freeradius, radiusGroupName attributes can be
retrieved during execution of the ldap module.

	groupname_attribute = "radiusGroupName"
	groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile))"
	groupmembership_attribute = "radiusGroupName"


In debug mode, we can see:


  [ldap.nsslab] userPassword -> Password-With-Header == "{SSHA}MLRh2CQVi/UeANla4BjafYcB47FlMzRt"
  [ldap.nsslab] sambaNtPassword -> NT-Password == 0x3841414442424130303546464439454435354434374332433332434641303433
  [ldap.nsslab] sambaLmPassword -> LM-Password == 0x3238353536413643394433433936434244373437433744423436454232453738
  [ldap.nsslab] radiusGroupName -> Ldap-Group == "AdminRW"
  [ldap.nsslab] radiusGroupName -> Ldap-Group == "wifi"
  [ldap.nsslab] radiusGroupName -> Ldap-Group == "wifipartners"
  [ldap.nsslab] radiusGroupName -> Ldap-Group == "VpnSSL"

If I want to test those values, I used to do something like:
if ( Ldap-Group == "AdminRW" ) { do something }

This makes the server do a new ldap access for an array
attribute which has already been retrieved by the server.
Is there any other way to check those (already retrieved) values
without making a new ldap call because of the Ldap-Group == "xxx"
conditional?

Best regards,
Fred


