Conditional attributes with AD

Matthew Newton mcn4 at leicester.ac.uk
Tue Mar 6 23:29:09 CET 2012


Hi,

On Tue, Mar 06, 2012 at 10:01:30PM +0000, Scott McLane Gardner wrote:
> >You CAN use LDAP as a plain database no matter what authentication
> >method you use (in this case you're simply using it for group check,
> >not for authentication).
> 
> Can you expand on how this is done? I am a freeradius newbie and don't
> really understand how all the pieces fit together.

Configure the ldap module (raddb/modules/ldap) appropriately, then
you can use unlang to check for a group, such as

authorize {

  ...

  ldap

  if (Ldap-Group == "An-Ldap-Group") {
    update reply {
      Tunnel-type = VLAN
      Tunnel-medium-type = IEEE-802
      Tunnel-Private-Group-Id = 456
    }
  }

  ...

}

For an example (with some ldap config), see the eap-tls example I
wrote recently (don't do it in that file - just look at the ldap
example).

https://github.com/alandekok/freeradius-server/blob/master/raddb/sites-available/check-eap-tls 

The example ldap settings there are for AD, although for
certificates rather than users. e.g. you probably want the filter
to be (sAMAccountName=%{User-Name}) instead, for a start.

Calling out to shell scripts may be slower, which can cause you
problems.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
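An added example, not part of Matthew's message or of the linked check-eap-tls file: a FreeRADIUS 2.x raddb/modules/ldap configuration pointed at AD with the sAMAccountName filter mentioned above, plus the authorize section that uses it for the group check. The server name, bind DN, base DN and group name are placeholders; the option names are the 2.x ldap module's own. set_auth_type is left off so ldap is used purely as a database for the group lookup and takes no part in authentication, which is the point of the quoted advice.

```unlang
# raddb/modules/ldap (FreeRADIUS 2.x), example only - hostnames, DNs and
# credentials below are placeholders, not values from the original post
ldap {
	server = "dc1.example.com"                     # placeholder domain controller
	identity = "CN=radius-svc,CN=Users,DC=example,DC=com"   # placeholder read-only bind account
	password = "REPLACE-WITH-BIND-PASSWORD"
	basedn = "DC=example,DC=com"                   # placeholder search base

	# Look the user up by their AD logon name. Stripped-User-Name is used
	# when a realm was split off, falling back to User-Name otherwise.
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1

	tls {
		start_tls = no
	}

	dictionary_mapping = ${confdir}/ldap.attrmap

	# Group membership for AD: groups are objectClass=group and list their
	# members in "member"; the user's own memberOf attribute is checked too.
	groupname_attribute = cn
	groupmembership_filter = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
	groupmembership_attribute = memberOf

	edir_account_policy_check = no

	# Do not set Auth-Type := LDAP; authentication is handled elsewhere
	# (e.g. EAP), ldap only supplies the group check.
	set_auth_type = no
}

# raddb/sites-available/<site>, authorize section
authorize {
	preprocess
	suffix
	eap

	# Runs the sAMAccountName search and caches the user's DN in
	# control:Ldap-UserDn, which the Ldap-Group comparison below uses.
	ldap

	# "VLAN456-Users" is a placeholder AD group name
	if (Ldap-Group == "VLAN456-Users") {
		update reply {
			Tunnel-Type = VLAN
			Tunnel-Medium-Type = IEEE-802
			Tunnel-Private-Group-Id = 456
		}
	}
}
```

The bind account only needs read access to user and group objects, so a dedicated low-privilege AD account is the natural choice here. With start_tls = no the bind password and the searches go over plain LDAP (389), so either switch to start_tls = yes or use an ldaps:// server URL once the CA settings in the tls block are filled in.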

