Want to include LDAP group information in Access-Accept message

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Sep 9 17:46:14 CEST 2014


On 9 Sep 2014, at 11:35, Stefan Paetow <Stefan.Paetow at ja.net> wrote:

>> I am wondering if I can set up FreeRadius to send back the LDAP groups that a user 
>> is a member of. Authentication with LDAP should use the username. 
> 
> Yes.
> 
>> Is it possible to get FreeRadius to query the LDAP server to find the groups associated 
>> with that username, then send this group list back to the connecting user in the Access-
>> Accept message? 
> 
> Yes.
> 
>> Will this require a plugin? 
> 
> No. You can do this in the inner-tunnel (if you use EAP) and return the attribute(s) to the outer reply. You can either use an ldap xlat to retrieve information in the post-auth section (use ldapsearch to get your query right, then plug it into an ldap xlat (i.e. Attribute := "%{ldap:<ldapquery here>}")), or you can set up the ldap module right from the start, and it'll retrieve everything in one go. :-)

That's only possible if you have memberOf attributes contained within the userObject.

If you have group objects with lists of members, then you'll need version 3.0.x, and use the cacheable_name/cacheable_dn toggles.

cacheable_name will store the names of the groups, and cacheable_dn will store the DNs of the groups.

In either case, using v3.0.x LDAP and the cacheable_* code is more efficient. If you are using memberOf attributes, it will combine the lookup for group info with retrieving other attributes from the user object, so everything is done as one search.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
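The configuration the two replies describe, written out as an added example that is not part of this thread and not the stock FreeRADIUS configuration. It assumes FreeRADIUS 3.0.x, an rlm_ldap instance named "ldap" (so the cached groups land in the control:LDAP-Group list), a directory where group objects carry "member" attributes (groupOfNames) rather than the user object carrying memberOf, the placeholder server and base DNs shown, and Filter-Id as the reply attribute that carries the group names; swap in whichever attribute your NAS actually honours.

```unlang
# mods-available/ldap (FreeRADIUS 3.0.x) -- only the parts relevant to groups.
ldap {
    server = "ldap.example.com"        # assumed placeholder
    base_dn = "dc=example,dc=com"      # assumed placeholder

    user {
        base_dn = "ou=people,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "ou=groups,${..base_dn}"
        filter = "(objectClass=groupOfNames)"   # assumed schema
        name_attribute = cn
        # Groups list their members; LDAP-UserDn is set by the user lookup above.
        membership_filter = "(member=%{control:LDAP-UserDn})"
        # Resolve membership once, during authorize, and cache the result in the
        # control list as LDAP-Group (names with cacheable_name, DNs with cacheable_dn).
        cacheable_name = yes
        cacheable_dn = yes
    }
}

# sites-available/inner-tunnel -- groups are fetched in authorize, copied to the
# reply in post-auth so the list is only built for users that actually authenticated.
authorize {
    filter_username
    ldap                 # one search for user attributes + group membership
    eap
    mschap
    pap
}

post-auth {
    # One Filter-Id per group name that rlm_ldap cached for this user.
    if (&control:LDAP-Group) {
        foreach &control:LDAP-Group {
            update reply {
                &Filter-Id += "%{Foreach-Variable-0}"
            }
        }
    }
    # Alternative from the thread: build the list with an ldap xlat instead,
    # using an LDAP URL that ldapsearch has already validated.
    # update reply {
    #     &Filter-Id += "%{ldap:ldap:///ou=groups,dc=example,dc=com?cn?sub?(member=%{control:LDAP-UserDn})}"
    # }
}

# mods-available/eap -- without this the inner reply never reaches the Access-Accept
# that the outer PEAP/TTLS exchange sends to the NAS.
eap {
    peap {
        use_tunneled_reply = yes
    }
    ttls {
        use_tunneled_reply = yes
    }
}
```

Because group membership is cached in the control list during authorize, the same list can also be checked there (for example rejecting a user who is in none of the expected groups) without a second LDAP round trip, which is the efficiency point made in the reply above. Test the whole chain with radtest or eapol_test and debug mode (radiusd -X) and confirm that the Filter-Id values appear in the outer Access-Accept, not only in the inner-tunnel reply.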


