LDAP group child domain
Menard, Yannick
Yannick.Menard at csp.qc.ca
Fri Nov 9 21:38:58 CET 2012
Hi,
I'm in an Active Directory domain with a child domain: tata is my primary domain and toto is my child domain.
I'm doing authorization based on LDAP group.
My users connect to FreeRADIUS using 802.1X and PEAP.
Using mschap and ntlm this is working great.
Now I want to give users access/or radius attribute based on their active directory group.
I was able to do this using the LDAP module and users file.
The problem I have now is this: if I have a user group with the same name in my primary domain (tata) and in my child domain (toto.tata), FreeRADIUS does not seem to see the difference (for example the Domain Users group).
In the users file my LDAP policy looks like this:
DEFAULT Ldap-Group == "groupname"
What I would like to do is write it like this:
DEFAULT Ldap-Group == "cn=groupname, ou=OUofGroup, dc=toto, dc=tata"
I'm pretty sure I have to work with these config settings in the ldap module:
groupname_attribute
groupmembership_filter
groupmembership_attribute
Right now they are like this:
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
If anyone has some insight on how to solve this problem, I would greatly appreciate it.
Thank you,
Yann
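The ambiguity described in the post, as an added illustration (not FreeRADIUS code and not from the original message): a model of an `Ldap-Group ==` check in which a bare group name is compared against the cn only, so a "Domain Users" group in the parent domain and in the child domain are indistinguishable, whereas comparing the full group DN keeps them apart. The memberOf values, the simplified DN normalization and the `is_member` function are all constructed assumptions.

```python
from typing import List

# Constructed memberOf values for one user in each domain; "tata" is the
# parent domain and "toto.tata" the child domain, as in the post.
MEMBEROF_PARENT_USER = [
    "CN=Domain Users,CN=Users,DC=tata",
    "CN=VPN Users,OU=OUofGroup,DC=tata",
]
MEMBEROF_CHILD_USER = [
    "CN=Domain Users,CN=Users,DC=toto,DC=tata",
    "CN=VPN Users,OU=OUofGroup,DC=toto,DC=tata",
]


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lowercase and strip whitespace around
    each RDN. Real LDAP DN matching has more rules; this is an assumption
    sufficient for the illustration."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def group_cn(dn: str) -> str:
    """Return the (normalized) value of the leading cn= RDN of a group DN,
    or an empty string if the first RDN is not cn."""
    first = normalize_dn(dn).split(",")[0]
    attr, _, value = first.partition("=")
    return value if attr == "cn" else ""


def is_member(memberof: List[str], group: str) -> bool:
    """Hypothetical model of `Ldap-Group == "<group>"`.

    If <group> contains '=', it is treated as a full DN and compared against
    each normalized memberOf value, which distinguishes dc=tata from
    dc=toto,dc=tata. Otherwise only the cn is compared, which is the
    ambiguous cn-only behaviour the post runs into."""
    if "=" in group:
        wanted = normalize_dn(group)
        return any(normalize_dn(dn) == wanted for dn in memberof)
    wanted_cn = group.strip().lower()
    return any(group_cn(dn) == wanted_cn for dn in memberof)
```

A cn-only check returns True for "Domain Users" for both users, while the DN form only matches the user whose group actually lives under dc=toto,dc=tata.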