MSCHAP auth + LDAP authorization

Thomas Glanzmann thomas at glanzmann.de
Tue Apr 3 11:24:04 CEST 2012


Hello Andreas,

> How to tell freeradius, that after successful MSCHAP auth against AD
> it must browse AD via LDAP and check that the username belongs to
> specified group?

I think you need to write a script that checks whether the user is a
member of the required group. I would do that in Perl, because it gets the
job done fast. Not long ago I copied and pasted such a script in C#.
Whatever you port from it, keep in mind that it looks the user up by
sAMAccountName, so the user name must be escaped before it is placed in
the LDAP search filter — otherwise a crafted name can alter the search
(LDAP filter injection):

using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

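namespace de.glanzmann.ActiveDirectoryGroupMembership
{
    /// <summary>
    /// Resolves the (transitive) Active Directory group membership of a user by
    /// looking the account up over LDAP and walking its <c>memberOf</c> chain.
    /// Intended as an authorization check after a successful MSCHAP authentication.
    /// </summary>
    public class ActiveDirectoryGroupMembership
    {
        // ADsPath of the search base. Everything up to and including the last '/'
        // (the provider + server part) is reused as the prefix when binding to the
        // bare group DNs returned in memberOf (see GetUserRoles).
        string ad_connection = "LDAP://ad.gmvl.de/DC=directory,DC=gmvl,DC=de";

        // NOTE(review): bind credentials are hard-coded placeholders. Use a dedicated,
        // least-privilege read-only service account (not Administrator) and load the
        // credentials from protected configuration, never from source.
        string ad_username = "Administrator";
        string ad_password = "password";

        /// <summary>
        /// Escapes a value for use inside an LDAP search filter (RFC 4515):
        /// '\', '*', '(', ')' and NUL become their "\xx" hex form. Without this a
        /// caller-supplied user name such as "*" or "x)(objectClass=*" changes the
        /// meaning of the filter (LDAP filter injection).
        /// </summary>
        /// <param name="value">Raw assertion value; null is treated as empty.</param>
        /// <returns>The escaped value, safe to embed in "(attr=...)".</returns>
        internal static string EscapeLdapFilterValue(string value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return string.Empty;
            }

            StringBuilder sb = new StringBuilder(value.Length);
            foreach (char c in value)
            {
                switch (c)
                {
                    case '\\': sb.Append("\\5c"); break;
                    case '*': sb.Append("\\2a"); break;
                    case '(': sb.Append("\\28"); break;
                    case ')': sb.Append("\\29"); break;
                    case '\0': sb.Append("\\00"); break;
                    default: sb.Append(c); break;
                }
            }
            return sb.ToString();
        }

        /// <summary>
        /// Strips a "DOMAIN\" prefix (everything up to the last backslash) so the
        /// remainder can be matched against sAMAccountName. A name without a
        /// backslash is returned unchanged; null yields an empty string.
        /// </summary>
        internal static string RemoveADGroup(string name)
        {
            if (name == null)
            {
                return string.Empty;
            }
            int idx = name.LastIndexOf('\\');
            return idx < 0 ? name : name.Substring(idx + 1);
        }

        /// <summary>
        /// Returns the sAMAccountNames of all groups (direct and nested) the given
        /// user belongs to. The user name may carry a "DOMAIN\" prefix.
        /// </summary>
        string[] GetRolesForUser(string userName)
        {
            userName = RemoveADGroup(userName);
            return GetUserRoles(userName);
        }

        /// <summary>
        /// Looks the account up by sAMAccountName and collects its group names.
        /// </summary>
        /// <param name="userName">Bare account name (no domain prefix).</param>
        /// <returns>Group names; empty when the name is empty or the account is not found.</returns>
        string[] GetUserRoles(string userName)
        {
            Dictionary<string, string> dictionary = new Dictionary<string, string>();
            if (string.IsNullOrEmpty(userName))
            {
                // Nothing sensible to search for; avoid an "(sAMAccountName=)" query.
                return new string[0];
            }

            // The user name comes from the caller (ultimately the RADIUS client), so it
            // is escaped before being embedded in the filter.
            string filter = "(sAMAccountName=" + EscapeLdapFilterValue(userName) + ")";

            // DirectoryEntry/DirectorySearcher hold COM handles; dispose them deterministically.
            using (DirectoryEntry obEntry = new DirectoryEntry(ad_connection, ad_username, ad_password))
            using (DirectorySearcher srch = new DirectorySearcher(obEntry, filter))
            {
                SearchResult res = srch.FindOne();
                if (res != null)
                {
                    // "LDAP://host/" prefix for the bare DNs found in memberOf.
                    string rootPath = ad_connection.Substring(0, ad_connection.LastIndexOf('/') + 1);

                    using (DirectoryEntry obUser = new DirectoryEntry(res.Path, ad_username, ad_password))
                    {
                        GetMemberships(obUser, dictionary, rootPath);
                    }
                }
            }

            string[] roles = new string[dictionary.Count];
            dictionary.Values.CopyTo(roles, 0);
            return roles;
        }

        /// <summary>
        /// Walks <paramref name="entry"/>'s memberOf attribute breadth-first: every
        /// direct group is recorded (DN → sAMAccountName) and then descended into, so
        /// nested group memberships are found too. The dictionary doubles as the
        /// visited set, which stops cycles in memberOf.
        /// </summary>
        void GetMemberships(DirectoryEntry entry, Dictionary<string, string> dictionary, string rootPath)
        {
            List<DirectoryEntry> childrenToCheck = new List<DirectoryEntry>();
            try
            {
                PropertyValueCollection children = entry.Properties["memberOf"];
                foreach (string childDN in children)
                {
                    if (dictionary.ContainsKey(childDN))
                    {
                        continue;
                    }

                    // The DN is returned by the directory itself, not supplied by the caller,
                    // so it is used as-is. NOTE(review): a DN containing '/' would need
                    // escaping for the ADsPath; not handled here (nor in the original).
                    DirectoryEntry obGpEntry = new DirectoryEntry(rootPath + childDN, ad_username, ad_password);
                    childrenToCheck.Add(obGpEntry);

                    // A group without a readable sAMAccountName is still recorded (under its
                    // DN) so it is not revisited and its own memberships are still walked.
                    object name = obGpEntry.Properties["sAMAccountName"].Value;
                    dictionary.Add(childDN, name == null ? childDN : name.ToString());
                }

                foreach (DirectoryEntry child in childrenToCheck)
                {
                    GetMemberships(child, dictionary, rootPath);
                }
            }
            finally
            {
                foreach (DirectoryEntry child in childrenToCheck)
                {
                    child.Dispose();
                }
            }
        }

        /// <summary>
        /// True when <paramref name="username"/> (optionally "DOMAIN\user") is a direct
        /// or nested member of the group whose sAMAccountName is <paramref name="roleName"/>.
        /// Comparison is ordinal and case-insensitive (AD names are case-insensitive;
        /// ToLower() would be culture-dependent).
        /// </summary>
        public bool IsUserInRole(string username, string roleName)
        {
            foreach (string role in GetRolesForUser(username))
            {
                if (string.Equals(role, roleName, StringComparison.OrdinalIgnoreCase))
                {
                    return true;
                }
            }
            return false;
        }
    }
}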

You can copy the logic and port it to Perl.

Source: http://www.codeproject.com/Articles/36670/Active-Directory-Forms-Authentication-User-IsInRol

Cheers,
        Thomas

