MSSCHAP auth + LDAP authorizaton

Matthew Newton mcn4 at leicester.ac.uk
Tue Apr 3 12:01:27 CEST 2012


On Tue, Apr 03, 2012 at 11:24:04AM +0200, Thomas Glanzmann wrote:
> > How to tell freeradius, that after successful MSCHAP auth against AD
> > it must browse AD via LDAP and check that te username belongs to
> > specified group?
> 
> I think, you need to write a script that makes sure that the user is
> part of a specific group. I would do that in perl, because it gets the

Why do in perl what you can do in FR directly? That will just
slow things down.

The LDAP module can be configured for group lookups - look about
half way down modules/ldap, you'll find the group settings. Check
radiusd -X to see what it's doing, as usual.

Use unlang in your inner-tunnel authorize section to check the
ldap group, something along the lines of (very untested):

if (!(Ldap-group == 'cn=group,dc=example,dc=com')) {
  reject
}

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list