Authenticating users on LDAP based on Group name

Jose Torres-Berrocal jetsystemservices at gmail.com
Thu Mar 26 17:56:26 CET 2015


For the group/user attribute properties I see that probably this come from
Linux.  If you can tell me the Linux command used to get that, I can search
the Web for the MS equivalent.
On Mar 26, 2015 9:54 AM, "Jose Torres-Berrocal" <jetsystemservices at gmail.com>
wrote:

> Thank you for the description of the attribute parameter. I began to
> understand it. If I end using the attribute parameter it would be "cn", and
> the value "InternetAccess" as that is the group name. In which parameter I
> should write the value and what syntax on both?
>
> In terms of the base_filter, still do not understand it, as I do not have
> a radiusprofile, but using it in my config as default. On pfsense I leave
> this parameter empty, but the generated Conf file includes it.  Even though
> I do not have a radiusprofile I successfully match my users/password
> against AD. So it seems to be ignored.
>
> As the Groups/Users attributes example you ask, I need help getting that.
> I just create the Group with the AD defaults using the MS AD GUI, and
> assign the user as a member without any fancy stuff.
> On Mar 26, 2015 8:52 AM, "Ben Humpert" <ben at an3k.de> wrote:
>
>> 2015-03-26 3:20 GMT+01:00 Jose Torres-Berrocal <
>> jetsystemservices at gmail.com>:
>> > I have setup the group in groupmembership_attribute as a naive intent to
>> > accomplish my goal.  If that is not the correct parameter I will really
>> > appreciate your help on where I should set my Group and the syntax.
>>
>> Well, the setting clearly asks for an attribute such as sAMAccountName
>> or userPassword. The name of a group is a value, the value of the
>> attribute cn. So yes, it is not the correct parameter ;)
>>
>> > On my first email I included my LDAP.conf file as generated by pfsense.
>> >
>> > I think is closed as needed because I was successful matching user/pass
>> > with AD when group membership_attribute is default, but for all Users.
>> Now
>> > I need to change it to consider the Group.
>>
>> Setting up user authentication is kind of simple. You just need to
>> match the basedn, filter and base_filter to your directory and that's
>> it. After understanding how these settings are merged into a search
>> request it is also easy to set up group authentication. I did so after
>> working with XLAT, now it's easy for me but before I had no clue at
>> all what I was doing :)
>> What helped me much was the information that unlike in databases like
>> *SQL you always want to get only ONE result in Directories, thus the
>> filter needs to be as strict as required to only find one user or
>> group. If you would find more how should Radius know which is the
>> correct entry?
>>
>> The original ldap file says the following about membership_filter
>>
>> "Filter to find group objects a user is a member of. That is, group
>> objects with attributes that identify members (the inverse of
>> membership_attribute)."
>>
>> and this about membership_attribute
>>
>> "The attribute in user objects which contain the names or DNs of
>> groups a user is a member of. Unless a conversion between group name
>> and group DN is needed, there's no requirement for the group objects
>> referenced to actually exist."
>>
>> That means that if your groups have attributes which contain the names
>> or uids of the users that are member of that group you do not use
>> membership_attribute but membership_filter. If instead your users have
>> attributes containing the names or gids of the groups the user is
>> member of then you use membership_attribute instead of
>> membership_filter.
>>
>> What is the case in your setup? Could you post an example of a group
>> and as well an user like the one below?
>>
>> # Guest, Groups, example.com
>> dn: cn=Guest,ou=Groups,dc=example,dc=com
>> objectClass: posixGroup
>> objectClass: top
>> objectClass: radiusProfile
>> cn: Guest
>> gidNumber: 17068
>> memberUid: guest
>> memberUid: tobtsc
>> memberUid: marhab
>>
>> # guest, Users, example.com
>> dn: uid=guest,ou=Users,dc=example,dc=com
>> objectClass: posixAccount
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: radiusProfile
>> gidNumber: 0
>> uid: guest
>> uidNumber: 18459
>> dialupAccess: Yes
>> cn: Guest
>>
>> As you can see, the attribute "memberUid" is used to store the names
>> of those users who are member of the group Guest, thus
>> membership_attribute is not in use in my setup.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>


More information about the Freeradius-Users mailing list