LDAP Group Membership
peter.geiser at id.unibe.ch
Mon Apr 28 07:35:06 CEST 2014
:) There is no magic - it's all documented by Microsoft:
- MSDN: http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx
- TechNet: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
The query is really performant for what it does, but on a FreeRADIUS server
with heavy load you should use it in combination with the cache module.
We have had this combination in production on campus for 6 months without
any problems.
~ 250'000 authentications per day for 802.1X (EduRoam), VPN, ...
The complete Example:
LDAP-Module:

ldap {
    server = <your LDAP Server>
    port = 636
    identity = <service account>
    password = <service account password>
    base_dn = <your base DN>

    # We need the employeeType (student,staff,...) for EduRoam
    update {
        reply:Class := 'employeeType'
    }

    user {
        base_dn = <your user base DN>
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        scope = 'sub'
    }

    group {
        base_dn = "dc=campus,dc=unibe,dc=ch"
        scope = 'sub'
        name_attribute = cn
        # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the server
        # returns every group the user is in directly or via nested groups
        membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
        cacheable_name = "yes"
        cacheable_dn = "no"
    }

    options {
        chase_referrals = no
        rebind = yes
        timeout = 10
        timelimit = 3
        net_timeout = 1
        idle = 60
        probes = 3
        interval = 3
        ldap_debug = 0x0028
    }

    tls {
        start_tls = no
        require_cert = "allow"
    }

    pool {
        start = 5
        min = 1
        max = ${thread[pool].max_servers}
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
CACHE-Module:

cache {
    key = "%{User-Name}"
    # Group memberships don't change often so 1 hour is ok
    ttl = 3600
    add_stats = no
    update {
        reply:Class := &reply:Class
        control:Ldap-Group += &control:Ldap-Group
    }
}
VIRTUAL-Server:

...
authorize {
    suffix
    # First call: only check whether a cache entry exists (ok/notfound)
    update control {
        Cache-Status-Only = 'yes'
    }
    cache
    if (notfound) {
        ldap
    }
    # Second call: merge the cached entry or store the fresh LDAP result
    update control {
        Cache-Status-Only := 'no'
    }
    cache
    ... <your other authorization modules>
}
Then you can use the LDAP groups in any post-auth section.
We have policies created for that.

Example for VLAN by employeeType:
set_eduroam_vlan {
    foreach Cisco-Avpair {
        if ("%{Foreach-Variable-0}" =~ /ssid=eduroam/i) {
            update {
                reply:Tunnel-Type := 'VLAN'
                reply:Tunnel-Medium-Type := 'IEEE-802'
            }
            # reply:Class holds the employeeType from the ldap module
            switch "%{reply:Class}" {
                case 'staff' {
                    update {
                        reply:Filter-Id := 'staff'
                        reply:Tunnel-Private-Group-Id := <STAFF VLAN>
                    }
                }
                case 'student' {
                    update {
                        reply:Filter-Id := 'student'
                        reply:Tunnel-Private-Group-Id := <STUDENT VLAN>
                    }
                }
                # default case
                case {
                    update {
                        reply:Filter-Id := 'external'
                        reply:Tunnel-Private-Group-Id := <EXTERNAL VLAN>
                    }
                }
            }
            break
        }
    }
}
Example for Class by AD group:

set_vpn_class {
    foreach control:Ldap-Group {
        switch "%{Foreach-Variable-0}" {
            case 'AD-GROUP1' {
                update {
                    reply:Class := 'Group1'
                }
                break
            }
            case 'AD-GROUP2' {
                update {
                    reply:Class := 'Group2'
                }
                break
            }
        }
    }
}
- Peter
Am 25.04.14 12:36 schrieb "Arran Cudbard-Bell" unter
<a.cudbardb at freeradius.org>:
>
>On 25 Apr 2014, at 07:02, <peter.geiser at id.unibe.ch>
><peter.geiser at id.unibe.ch> wrote:
>
>> When you use AD then the following simple query will do all the hard
>> work...
>>
>> Recursive Group Memberships
>> (member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})
>>
>> Or as config snipped:
>>
>> group {
>> base_dn = 'dc=foo,dc=bar'
>> scope = 'sub'
>> name_attribute = cn
>> membership_filter =
>> "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
>>
>> cacheable_name = "yes"
>> cacheable_dn = "no"
>> }
>>
>
>Woha, crazy. I don't even want to know what black magic that's invoking.
>
>Do you have any documentation on it? It'd be good to include a note in
>the default config.
>
>-Arran
>
>Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>FreeRADIUS Development Team
>
>FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
>
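The following is an added illustration, not code from the thread, FreeRADIUS or Microsoft. It models in Python what the matching rule 1.2.840.113556.1.4.1941 in the membership_filter above asks the directory to compute: a plain (member=<dn>) filter finds only groups the user is listed in directly, while the in-chain rule returns every group reachable through nested groups, and it must stop when groups contain each other. The directory and all DNs (dc=campus,dc=example, the Staff-* and Loop-* groups, alice and bob) are constructed for the example. It also shows the RFC 4515 escaping any code that builds this filter by hand has to apply to the user DN, since a DN can contain parentheses that would otherwise change the structure of the filter.

```python
"""Model of LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).

Constructed example, not FreeRADIUS or Microsoft code: DIRECTORY is an
in-memory stand-in for AD and every DN in it is made up."""

from collections import deque

# Constructed directory: group DN -> list of member DNs (users or groups).
# Staff-All contains Staff-IT, which contains Staff-IT-Admins; Loop-A and
# Loop-B contain each other to exercise the cycle guard.
DIRECTORY = {
    "cn=Staff-All,ou=groups,dc=campus,dc=example": [
        "cn=Staff-IT,ou=groups,dc=campus,dc=example",
        "cn=bob,ou=people,dc=campus,dc=example",
    ],
    "cn=Staff-IT,ou=groups,dc=campus,dc=example": [
        "cn=Staff-IT-Admins,ou=groups,dc=campus,dc=example",
    ],
    "cn=Staff-IT-Admins,ou=groups,dc=campus,dc=example": [
        "cn=alice,ou=people,dc=campus,dc=example",
    ],
    "cn=Loop-A,ou=groups,dc=campus,dc=example": [
        "cn=Loop-B,ou=groups,dc=campus,dc=example",
    ],
    "cn=Loop-B,ou=groups,dc=campus,dc=example": [
        "cn=Loop-A,ou=groups,dc=campus,dc=example",
        "cn=alice,ou=people,dc=campus,dc=example",
    ],
}


def direct_groups(directory, user_dn):
    """Groups a plain '(member=<dn>)' filter would return: one level only."""
    return sorted(g for g, members in directory.items() if user_dn in members)


def transitive_groups(directory, user_dn):
    """Groups '(member:1.2.840.113556.1.4.1941:=<dn>)' would return: every
    group containing the user directly or through any chain of nested groups.
    The 'found' set stops Loop-A <-> Loop-B from being walked forever."""
    found, queue = set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in direct_groups(directory, dn):
            if group not in found:
                found.add(group)
                queue.append(group)
    return sorted(found)


def cn_of(dn):
    """With name_attribute = cn, this is the value that ends up in Ldap-Group."""
    return dn.split(",", 1)[0].split("=", 1)[1]


# RFC 4515 escapes for characters that are syntax inside a search filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a value before substituting it into a filter. A DN such as
    'cn=Smith (IT),...' is legal; unescaped, its parentheses would be parsed
    as filter structure instead of being matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(user_dn):
    """The membership_filter from the thread, with the DN escaped."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)


if __name__ == "__main__":
    alice = "cn=alice,ou=people,dc=campus,dc=example"
    print("direct    :", [cn_of(g) for g in direct_groups(DIRECTORY, alice)])
    print("transitive:", [cn_of(g) for g in transitive_groups(DIRECTORY, alice)])
    print(membership_filter("cn=Smith (IT),ou=people,dc=campus,dc=example"))
```

Running it shows alice in two groups directly but in five transitively, which is exactly the difference a VLAN or Class policy keyed on Ldap-Group sees when nested groups are in play: a membership granted several levels up the chain (Staff-All via Staff-IT) still matches. Walking the same structure offline is a cheap way to check that a user does not inherit a privileged group through a nesting nobody remembers.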