LDAP Group Membership

peter.geiser at id.unibe.ch peter.geiser at id.unibe.ch
Mon Apr 28 07:35:06 CEST 2014


:) There is no magic - it's all documented by Microsoft:

- MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
- TechNet: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

The query is really performant for what it does, but on a FreeRADIUS server
with heavy load you should use it in combination with the cache module.
We have had this combination in production on campus for 6 months without
any problems.
~250'000 authentications per day for 802.1x (EduRoam), VPN, ...

The complete Example:


LDAP-Module:

ldap {
	server = <your LDAP Server>
	port = 636

	identity = <service account>
	password = <service account password>

	base_dn = <your base DN>

	# We need the employeeType (student,staff,...) for EduRoam
	update {
		reply:Class := 'employeeType'
	}

	user {
		base_dn = <your user base DN>
		
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
		scope = 'sub'
	}

	group {
		base_dn = "dc=campus,dc=unibe,dc=ch"
		scope = 'sub'
		name_attribute = cn
		membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

		cacheable_name = "yes"
		cacheable_dn = "no"
	}

	options {
		chase_referrals = no
		rebind = yes

		timeout = 10
		timelimit = 3
		net_timeout = 1
		idle = 60
		probes = 3
		interval = 3
		ldap_debug = 0x0028
	}

	tls {
		start_tls = no
		require_cert = "allow"
	}


	pool {
		start = 5
		min = 1
		max = ${thread[pool].max_servers}
		spare = 3
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
}



CACHE-Module:

cache {
	key = "%{User-Name}"
	# Group memberships don't change often so 1 hour is ok
	ttl = 3600
	add_stats = no
	update {
		reply:Class := &reply:Class
		control:Ldap-Group += &control:Ldap-Group
	}
}




VIRTUAL-Server:

...

   authorize {
	suffix

	update control {
		Cache-Status-Only = 'yes'
	}
	cache

	if (notfound) {
		ldap
	}

	update control {
		Cache-Status-Only := 'no'
	}
	cache

	... <your other authorization modules>
   }



Then you can use the LDAP groups in any post-auth section.
We have policies created for that:

Example for VLAN by employeeType:

set_eduroam_vlan {
	foreach Cisco-Avpair {
		if("%{Foreach-Variable-0}" =~ /ssid=eduroam/i) {
			update {
				reply:Tunnel-Type := 'VLAN'
				reply:Tunnel-Medium-Type := 'IEEE-802'
			}

			switch "%{reply:Class}" {
				case 'staff' {
					update {
						reply:Filter-Id := 'staff'
						reply:Tunnel-Private-Group-Id := <STAFF VLAN>
					}
				}
				case 'student' {
					update {
						reply:Filter-Id := 'student'
						reply:Tunnel-Private-Group-Id := <STUDENT VLAN>
					}
				}
				case {
					update {
						reply:Filter-Id := 'external'
						reply:Tunnel-Private-Group-Id := <EXTERNAL VLAN>
					}
				}
			}
			break
		}
	}
}



EXAMPLE for Class by AD-Group:

set_vpn_class {
	foreach control:Ldap-Group {
		switch "%{Foreach-Variable-0}" {
			case 'AD-GROUP1' {
				update {
					reply:Class := 'Group1'
				}
				break
			}
			case 'AD-GROUP2' {
				update {
					reply:Class := 'Group2'
				}
				break
			}
		}
	}
}




- Peter
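As an added example (not from the original mail or from FreeRADIUS itself), the following Python models what the AD matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) resolves compared with a plain (member=...) filter, handles a nesting cycle between groups, and shows the RFC 4515 escaping a DN needs before it is placed in a filter string. The directory contents and all DNs are constructed sample data.

```python
# Added example: transitive group membership as matched by the AD in-chain rule,
# plus RFC 4515 escaping of a DN placed in the membership_filter.

def ldap_filter_escape(value: str) -> str:
    """RFC 4515: '*', '(', ')', '\\' and NUL inside a filter value become \\XX."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)

def membership_filter(user_dn: str) -> str:
    """The filter from the mail, with the user DN escaped before interpolation."""
    return '(member:1.2.840.113556.1.4.1941:=%s)' % ldap_filter_escape(user_dn)

# Constructed sample directory: group DN -> set of member DNs (users or groups).
DIRECTORY = {
    'CN=eduroam-staff,OU=Groups,DC=example,DC=org': {
        'CN=dept-it,OU=Groups,DC=example,DC=org',
    },
    'CN=dept-it,OU=Groups,DC=example,DC=org': {
        'CN=net-team,OU=Groups,DC=example,DC=org',
        'CN=alice,OU=Users,DC=example,DC=org',
    },
    'CN=net-team,OU=Groups,DC=example,DC=org': {
        'CN=bob,OU=Users,DC=example,DC=org',
        'CN=dept-it,OU=Groups,DC=example,DC=org',   # nesting cycle with dept-it
    },
    'CN=vpn-external,OU=Groups,DC=example,DC=org': {
        'CN=carol,OU=Users,DC=example,DC=org',
    },
}

def direct_groups(directory, user_dn):
    """What a plain (member=<dn>) filter returns: only groups listing the DN."""
    return {g for g, members in directory.items() if user_dn in members}

def transitive_groups(directory, user_dn):
    """What the in-chain rule returns: every group whose member chain reaches
    user_dn. The 'found' set stops the walk when nested groups form a cycle."""
    parents = {}
    for group, members in directory.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    found, todo = set(), [user_dn]
    while todo:
        node = todo.pop()
        for group in parents.get(node, ()):
            if group not in found:
                found.add(group)
                todo.append(group)
    return found

def group_names(dns):
    """Mirror name_attribute = cn: reduce DNs to their CN for policy matching."""
    return {dn.split(',')[0][3:] for dn in dns}
```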


On 25.04.14 12:36, "Arran Cudbard-Bell" <a.cudbardb at freeradius.org>
wrote:

>
>On 25 Apr 2014, at 07:02, <peter.geiser at id.unibe.ch>
><peter.geiser at id.unibe.ch> wrote:
>
>> When you use AD then the following simple query will do all the hard
>>work…
>> 
>> Recursive Group Memberships
>> (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
>> 
>> Or as config snippet:
>> 
>> group {
>> 	base_dn = 'dc=foo,dc=bar'
>> 	scope = 'sub'
>> 	name_attribute = cn
>> 	membership_filter =
>> "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>> 
>> 	cacheable_name = "yes"
>> 	cacheable_dn = "no"
>> 	}
>> 
>
>Woha, crazy. I don't even want to know what black magic that's invoking.
>
>Do you have any documentation on it? It'd be good to include a note in
>the default config.
>
>-Arran
>
>Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>FreeRADIUS Development Team
>
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>