FreeRADIUS + Cisco + Active Directory
Mathieu Simon (Lists)
matsimon.lists at simweb.ch
Wed Jan 6 13:33:57 CET 2016
On 06.01.2016 at 13:20, Phil Mayers wrote:
> On 06/01/16 11:28, Matthew Newton wrote:
>
>> Exactly. What's wrong with LDAP here?
>
> Nested groups can be a pain.
They are often, I'd agree. I don't know how much performance penalty
there is for these AD-specific queries, but I recently got it ported from
a 2.x config I had. The initial thing back then I found was on a blog
from a Nasser Heidari*. The AD in question is by no means large from what
I can tell, thus: YMMV.
This is what used to work for me on 2.1/2.2 in modules/ldap:
groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"
In 3.0 mods-available/ldap I had to split it slightly to:
filter = '(objectCategory=group)'
membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
Now if this is totally wrong, I'm happy to learn how it's done better.
:-) From what I can tell so far, all nested memberships were retrieved
when I tried to trick it.
I was actually surprised how much I could easily port from a 2.x config
to 3.0 without much effort, great job! (I know I'm late to the game of
FreeRADIUS 3.0.) I actually like the changes that were made to the ldap
module so far.
-- Mathieu
* https://linax.wordpress.com/2012/07/17/freeradius-check-nested-ldap-group-membership/
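Added illustration (not from the post above, nor FreeRADIUS's own code) of what the `:1.2.840.113556.1.4.1941:` matching rule in those filters buys over a plain `member=` match: a constructed toy directory with a nested (and cyclic) group chain, a builder for the combined 2.x-style filter, and an emulation of the transitive lookup the rule performs server-side. The DN is escaped per RFC 4515 by hand here because the filter is built outside FreeRADIUS; rlm_ldap escapes its own `%{control:Ldap-UserDn}` expansion.

```python
from typing import Dict, List, Set

# Microsoft's LDAP_MATCHING_RULE_IN_CHAIN OID, as used in the filters in the post.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)

def nested_membership_filter(user_dn: str) -> str:
    """Build the combined 2.x-style groupmembership_filter for one user DN."""
    return (f"(&(objectCategory=group)"
            f"(member:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))")

# Constructed toy directory: group DN -> member DNs (users or other groups).
# VPN-Users contains Staff and Staff contains VPN-Users again: a cycle AD permits.
DIRECTORY: Dict[str, List[str]] = {
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": ["CN=Staff,OU=Groups,DC=example,DC=com"],
    "CN=Staff,OU=Groups,DC=example,DC=com": [
        "CN=Alice,OU=Users,DC=example,DC=com",
        "CN=VPN-Users,OU=Groups,DC=example,DC=com",
    ],
    "CN=Admins,OU=Groups,DC=example,DC=com": ["CN=Bob,OU=Users,DC=example,DC=com"],
}

def direct_groups(dn: str) -> Set[str]:
    """What a plain (member=<dn>) filter returns: direct memberships only."""
    return {g for g, members in DIRECTORY.items() if dn in members}

def groups_in_chain(user_dn: str) -> Set[str]:
    """Emulate the matching rule: transitive closure over member links, cycle-safe."""
    seen: Set[str] = set()
    todo = [user_dn]
    while todo:
        dn = todo.pop()
        for group in direct_groups(dn):
            if group not in seen:   # the seen-set is what stops the Staff/VPN-Users loop
                seen.add(group)
                todo.append(group)
    return seen
```

For Alice, `direct_groups` yields only Staff while `groups_in_chain` also yields VPN-Users, which is exactly the difference a RADIUS group check on VPN-Users hinges on.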