Authorization with Active Directory

Phil Mayers p.mayers at imperial.ac.uk
Tue Jan 3 18:10:38 CET 2012


On 03/01/12 16:55, suggestme wrote:
> Hi,
>
> I have configured freeradius server to authenticate & authorize user with
> the supplied username and password against active directory. Till this
> stage, the user can be authenticated and authorized successfully with
> credentials provided. For this purpose, user is just authenticated and
> authorized depending upon the filter of LDAP module which I have set. My
> LDAP module filter configuration is as:
>
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> But now, I want to go deeper on authenticating and authorizing user to allow
> or reject VPN or Wifi access, etc. For this purpose I have created an extension
> attribute in Active Directory and have assigned the value as "VPN", "Wifi",
> etc. Now my question is: How can I set the filter in the LDAP module of
> FreeRADIUS to just allow the user belonging to VPN or Wifi? Should I need
> to add the extension attribute filter to the above mentioned filter? OR

Yes. Since the filter is dynamically expanded you can set:

  filter = "(&(extensionAttrX=%{control:Tmp-String-0})(..original..))"

...and then:

authorize {
   ...
   # Pick the service value before calling ldap: the module filter expands
   # %{control:Tmp-String-0} at query time, so it must already be set here.
   if (Some-Condition == Some-Value) {
     update control {
      Tmp-String-0 := VPN
     }
   }
   else {
     update control {
      Tmp-String-0 := Wifi
     }
   }
   # With the combined filter, ldap only finds the user when the
   # extension attribute equals the value chosen above.
   ldap
   if (notfound) {
     reject
   }
   ...
}

> should I need to define 2 filters: the above one and another for extension
> attribute? I tried defining 2 filters separately; it didn't work.

No. Two filters won't work - "filter" is a singleton config item of the
"ldap" module.

>
> I know some people use the concept of "Group" for this purpose. In my case,
> I can't use Group. I just have to authenticate and authorize user just using
> Active Directory attribute.

The *other* option is to query the attribute from the LDAP directory, 
then check it in FreeRADIUS, like so:

authorize {
   ...
   # ldap finds the user with the original filter and sets Ldap-UserDN.
   ldap
   # Read the attribute back for that DN. The xlat argument is a complete
   # LDAP URL: scheme, DN, attribute to return, scope and filter.
   update request {
     Tmp-String-0 := "%{ldap:ldap:///%{Ldap-UserDN}?extensionAttrX?base?objectClass=*}"
   }
   if ((Tmp-String-0 == Wifi) && (...)) {
     ...
   }
}

Which is best will depend on your tastes and needs. The first might be 
slightly quicker, because it will only use 1 LDAP query instead of 2.
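The first approach written out end to end, as an added example that is not part of Phil's reply or of the FreeRADIUS project's own configuration. It assumes the custom AD attribute is named extensionAttribute1, that the service is derived from NAS-Port-Type (Wireless-802.11 for Wifi, Virtual for VPN), and that the server, bind identity and password are placeholders to be replaced:

```unlang
# raddb/modules/ldap (excerpt). The filter now requires both the account
# name and the service value that the authorize section puts into
# control:Tmp-String-0 before the module runs.
ldap {
    server   = "dc1.example.com"                      # placeholder
    identity = "cn=radius,cn=Users,dc=example,dc=com" # placeholder bind DN
    password = "changeme"                             # placeholder
    basedn   = "dc=example,dc=com"                    # placeholder

    # extensionAttribute1 is the assumed name of the custom AD attribute.
    filter = "(&(extensionAttribute1=%{control:Tmp-String-0})(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
}

# raddb/sites-enabled/default (authorize section only).
authorize {
    preprocess

    # Map the request to a service name before ldap runs, because the
    # filter above expands %{control:Tmp-String-0} at query time.
    if (NAS-Port-Type == Wireless-802.11) {
        update control {
            Tmp-String-0 := "Wifi"
        }
    }
    elsif (NAS-Port-Type == Virtual) {
        update control {
            Tmp-String-0 := "VPN"
        }
    }
    else {
        # Unknown access method: never send AD a filter with an empty
        # service value, and do not fall through to the ldap lookup.
        reject
    }

    ldap
    if (notfound) {
        # Either the account does not exist or its extensionAttribute1
        # does not match the requested service; the combined filter
        # cannot tell the two apart, so only a reject is possible here.
        reject
    }
    ...
}
```

Because the combined filter folds the access check into the user lookup, a user with the wrong attribute value is logged the same way as an unknown account; if that distinction matters for auditing, the second approach (look the user up, then compare the attribute in unlang) gives a separate reject reason at the cost of the extra query.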



More information about the Freeradius-Users mailing list