using multiple LDAP queries for authorization

Arran Cudbard-Bell a.cudbardb at
Fri Dec 19 01:21:26 CET 2014

> On 18 Dec 2014, at 18:16, Coy Hile <coy.hile at> wrote:
> Hi all,
> I admit this is quite a complicated first question, but I'm setting up FR in a lab to try to replace an existing production deployment of a commercial alternative.  Currently, we can permission a user for access to some network device via the following tuples (in order of less specificity): (user, device) (user, group of devices), (group of users, device) (group of users, group of devices).  So we say, effectively in pseudocode:
> For authorization:
> Check if a user with uid=%{User-Name} exists and return the user's group
> if exists(acl(user, device)) {
>     based on the assigned access profile, query LDAP for the approopriate VSAs
> } else if exists(acl(user, group of devices)) {
>     based on the assigned access profile, query LDAP for the approopriate VSAs
> } else if exists(acl(usergroup, device)) {
>     ....
> } else if exists(acl(usergroup,group of devices)) {
>     ....
> } else
>     return reject
> For authentication:
>   Kerberos
> The authentication part is trivial, as is the first check under authorization; the existing documentation explains how to do that sort of check.  I can see from the unlang manpage how to call out to one or the other modules.  Is what I'm trying to do something one can do with rlm_ldap, or is it something that would be better done with rlm_python.  (Yes, LDAP in python sucks rocks through straws, so I'm trying to avoid that if possible.

It's not clear what you mean by device.

Do you mean infrastructure devices, as in restricting a user so they can only
log in from specific locations, or devices as in laptops, phones, workstations?

Were the ACLs represented in LDAP by the previous vendor or is LDAP a new 

If there's an existing schema please provide it, then i'll be able to tell you
if it's possible with the current rlm_ldap module in v3.0.x.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list