Tricky problem with ldap and primary groups in AD
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 2 15:47:05 CEST 2012
On 02/08/12 14:18, Franks Andy (RLZ) IT Systems Engineer wrote:
> >Correct. You can however check them in "unlang"
> >
> >authorize {
> > ...
> > ldap
> > if (Ldap-Group == mygroup) {
> > # they're a member via memberof
> > ...
> > }
> > elif (control:Ldap-PrimaryGroupId == 1234) {
> > # assuming 1234 is the RID for "mygroup"s SID
> > # they're a member via primaryGroupId
> > ...
> > }
> > else {
> > reject
> > }
> > ...
> >}
>
> That's fantastic - this example is really helpful. I'd been playing
> around with putting an entry into the dictionary file for a custom
> attribute then using ldap.attrmap to map it up to the primaryGroupId -
> didn't realise you could just reference Ldap-PrimaryGroupId "out of the
Sorry, I've confused matters a bit.
The above example assumed you have defined and populated a custom
attribute. There is no built-in Ldap-PrimaryGroupId.
Since the "ldap.attrmap" restricts you to check (a.k.a. control) and
reply items, you would need something like this:
raddb/dictionary:
ATTRIBUTE Ldap-PrimaryGroupId 3010 integer
raddb/ldap.attrmap:
checkItem Ldap-PrimaryGroupId primaryGroupId
...but it sounds like you're familiar with that technique.
> then it's quite new to me. I can see Ldap-Group and
> Ldap-UserDn but not Ldap-PrimaryGroupId. Maybe it's inferred that I use
> an ldap.attrmap entry?
No, as above it's not built-in. You need to define & map it yourself.
Sorry for the confusion.
More information about the Freeradius-Users
mailing list