Conditional attributes with AD
Matthew Newton
mcn4 at leicester.ac.uk
Tue Mar 6 23:29:09 CET 2012
Hi,
On Tue, Mar 06, 2012 at 10:01:30PM +0000, Scott McLane Gardner wrote:
> >You CAN use LDAP as a plain database no matter what authentication
> >method you use (in this case you're simply using it for group check,
> >not for authentication).
>
> Can you expand on how this is done? I am a freeradius newbie and don't
> really understand how all the pieces fit together.
Configure the ldap module (raddb/modules/ldap) appropriately, then
you can use unlang to check for a group, such as
authorize {
    ...
    ldap
    if (Ldap-Group == "An-Ldap-Group") {
        update reply {
            Tunnel-type = VLAN
            Tunnel-medium-type = IEEE-802
            Tunnel-Private-Group-Id = 456
        }
    }
    ...
}
For an example (with some ldap config), see the eap-tls example I
wrote recently (don't do it in that file - just look at the ldap
example).
https://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/check-eap-tls
The example ldap settings there are for AD, although for
certificates rather than users. e.g. you probably want the filter
to be (sAMAccountName=%{User-Name}) instead, for a start.
Calling out to shell scripts may be slower, which can cause you
problems.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>
Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
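A fuller version of the group-to-VLAN idea from the message above, added here as an example and not taken from the author's configuration or the linked file. It assumes the FreeRADIUS 2.x module keywords of raddb/modules/ldap (current when the message was written); the hostname dc1.example.com, the radius-reader service account, the Staff-Wifi and Student-Wifi groups and the VLAN IDs are invented for the example.

```unlang
# raddb/modules/ldap  (FreeRADIUS 2.x syntax assumed; server, account,
# base DN and group names below are made up for this example)
ldap {
    server = "dc1.example.com"
    # AD refuses anonymous searches, so bind as a dedicated read-only
    # service account rather than a domain admin.
    identity = "cn=radius-reader,cn=Users,dc=example,dc=com"
    password = "change-me"
    basedn = "dc=example,dc=com"

    # Find the user by logon name, preferring the realm-stripped name.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Group membership in AD: the user object carries group DNs in
    # memberOf, and the group object points back with "member".
    # memberOf never lists the user's primary group (usually
    # "Domain Users"), so do not key a VLAN on that group.
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf

    # AD hands out referrals for other partitions; follow them with
    # the same credentials so a group lookup does not silently fail.
    chase_referrals = yes
    rebind = yes

    # Plain database only: never set Auth-Type := LDAP here, the
    # actual authentication (e.g. ntlm_auth for MS-CHAP) happens elsewhere.
    set_auth_type = no

    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}

# authorize section of the virtual server that sees the real user
# identity (for PEAP/TTLS that is the inner-tunnel server, not default)
authorize {
    preprocess
    suffix
    eap
    ldap
    if (notfound) {
        # No such account in AD: do not fall through to a default VLAN.
        reject
    }
    if (Ldap-Group == "Staff-Wifi") {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "456"
        }
    }
    elsif (Ldap-Group == "cn=Student-Wifi,ou=Groups,dc=example,dc=com") {
        # The full DN form also works and avoids ambiguity when two
        # groups in different OUs share a cn.
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = "457"
        }
    }
    else {
        # Authenticated but in no known group: decide explicitly,
        # here the user is rejected rather than landed on an untagged port.
        reject
    }
}
```

The two things worth checking after a change like this are `radiusd -X` with a test user in each group (the debug output shows the exact search filter and which Ldap-Group comparison matched) and a user in neither, to confirm the final else branch behaves as intended rather than leaking a reply with no Tunnel attributes.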