LDAP Group assign to vlan after AD user authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jan 24 08:48:08 CET 2012


On 24 Jan 2012, at 08:23, NdK wrote:

> On 23/01/2012 14:48, Arnaud Loonstra wrote:
> 
>> But I reckon you could also do something like that in post-auth section
>> if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
>>  update reply {
>>    Tunnel-type = VLAN
>>    Tunnel-medium-type = IEEE-802
>>    Tunnel-Private-Group-Id = 1
>>  }
>> }
> I think it could be possible to do the same using exec, a script and
> wbinfo... Just still don't know how.
> With
> for T in $(wbinfo --user-domgroups `wbinfo -n <ADusername>`) ; do
> wbinfo -s $T;
> done
> I can get all AD groups <ADusername> is into. Checking group membership
> would be even easier. But how do I set Tunnel-Private-Group-Id from an
> exec-ed script?

Just execute it using a backtick expansion, store the result in Tmp-String-0, then use regular expression matches over the result to figure out whether it contains a certain group or not. You may hit the maximum internal string size if the user is a member of lots of groups, in which case the result would be silently truncated (just something to watch for).

Honestly doing it with LDAP would probably be significantly easier and faster. Exec is really quite slow...

IIRC the LDAP module is actually smart enough to figure out whether you passed in a DN as a group or just a group name, so in theory, if you have the filters and search depth set correctly, you can just use Ldap-Group == "mygroup".

-Arran

Arran Cudbard-Bell
a.cudbardb at freeradius.org

Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
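As an added worked example (not code from this thread or from the FreeRADIUS project), here is how the two approaches Arran describes look side by side in a FreeRADIUS 2.x post-auth section. The first branch is the Ldap-Group check Arnaud posted; the second is the backtick-expansion route into Tmp-String-0 with a regex match. It assumes a hypothetical helper script /usr/local/bin/ad-groups.sh that wraps the wbinfo loop above and prints the user's AD group names on one line separated by spaces; the group names, VLAN IDs and the LDAP DN are placeholders.

```unlang
# Added example, not from the thread: FreeRADIUS 2.x post-auth section
# that assigns a VLAN from group membership in two different ways.
post-auth {

	# 1. LDAP module. The module does the group lookup itself, so this is
	#    the cheap path. "cn=mygroup,ou=groups,o=radius" is a placeholder
	#    DN; with the group filters and search depth configured, a bare
	#    group name such as "mygroup" also works.
	if (Ldap-Group == "cn=mygroup,ou=groups,o=radius") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "10"
		}
	}

	# 2. exec via backtick expansion, only if LDAP did not already assign
	#    a VLAN. /usr/local/bin/ad-groups.sh is a hypothetical wrapper
	#    around the wbinfo loop that prints the user's AD group names on
	#    one line, space separated. Two caveats:
	#    - exec forks a process per request, so it is slow;
	#    - the result is silently truncated at the internal string
	#      limit, so have the script print only the groups that matter
	#      (e.g. grep for a "vlan-" prefix), not every group of the user.
	#    The server execs the program directly (no shell), but the script
	#    must still treat its argument as untrusted and quote "$1".
	if (!reply:Tunnel-Private-Group-Id) {
		update request {
			Tmp-String-0 := `/usr/local/bin/ad-groups.sh %{User-Name}`
		}

		# Anchor the match on whitespace or start/end of string so that
		# "vlan-staff" does not also match "vlan-staff-contractors".
		if (Tmp-String-0 =~ /(^|[[:space:]])vlan-staff([[:space:]]|$)/) {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "20"
			}
		}
		elsif (Tmp-String-0 =~ /(^|[[:space:]])vlan-guests([[:space:]]|$)/) {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "30"
			}
		}
	}
}
```

The reply attributes use := so that a Tunnel-* value left behind by an earlier module is overwritten rather than duplicated, and the exec branch is guarded on the reply so the fork only happens when the LDAP lookup found nothing.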
