FreeRadius - Pass LDAP Group (Attribute?) to RSSO?
Alan DeKok
aland at deployingradius.com
Wed Dec 13 19:25:58 CET 2017
On Dec 13, 2017, at 12:50 PM, Matthew Stavert <matthew.stavert at nlsd.ab.ca> wrote:
>
>> *What, exactly do you need to do? Write that down, first. e.g.*
> I need to identify the group the user is in once they are authenticated,
> and then pass the user's group to the Dynamic RSSO group on the Fortigate
> using the Class attribute I believe.
> A picture is worth 1000 words...or something like that:
The list strips pictures. Too many people were posting PNGs of screen captures showing debug logs in a terminal window.
> [image: Inline image 2]
> The user names are being passed from freeradius, but the user's are not
> there.
Where is "there"?
> To pass the user's LDAP group, I believe I need to identify which group
> they are a part of in freeradius, and put that in CLASS.
That's what I said...
>
>> * If they're a member of LDAP group X, send class Y.*
>
>> etc.
> Yes, this is what I need to do. If member of student, send Class=students,
> If member of admins send class=admins, if member of staff, send class=staff.
> Would I have to identify some of this in the LDAP module, or is free radius
> Version 3, smart enough to identify what group the user is a part of in
> LDAP?
It doesn't read your mind. You need to configure it to do what you want.
And the documentation helps here...
> If it is, I imagine I can just move to implementing in unlang. If
> not...can you provide me with some guidance where I would start identifying
> or how I would identify what group the user was a part of in free radius,
> and what file that would go in?
http://wiki.freeradius.org
Type "ldap group" into the search bar. Read the documentation.
>> *Then... implement that in unlang.*
> What conf file and area would be the best place to put the unlang if
> statements, IE:
All of this is documented.
>> *And upgrade to v3. It will be infinitely easier to do this (and debug
> it), than in 2.1.1.*
>
> I will be upgrading to version 3 today, and getting this all going on the
> newest server.
That's good.
Alan DeKok.
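
An added example, not part of the original message and not the FreeRADIUS project's own configuration: one way to express "if they're a member of LDAP group X, send class Y" in FreeRADIUS v3 unlang. It assumes the ldap module is enabled with group lookups configured for the directory, that the LDAP groups are named admins, staff and students as in the question, and that the block is placed in the post-auth section of the virtual server in use.

```unlang
# Virtual server file (for example sites-available/default), FreeRADIUS v3.
# Assumption: the ldap module instance is named "ldap", so the group
# membership check attribute is LDAP-Group.
post-auth {
    # Branches are evaluated top to bottom and the first match wins.
    # A user who is in more than one group gets the Class of the first
    # matching branch, so order the checks deliberately.
    if (LDAP-Group == "admins") {
        update reply {
            Class := "admins"
        }
    }
    elsif (LDAP-Group == "staff") {
        update reply {
            Class := "staff"
        }
    }
    elsif (LDAP-Group == "students") {
        update reply {
            Class := "students"
        }
    }
    else {
        # No recognised group: send no Class, so the NAS cannot map the
        # session to a group. Site policy may prefer to reject here.
        noop
    }
}
```

Running the server with `radiusd -X` shows which branch matched and whether Class appears in the Access-Accept.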
More information about the Freeradius-Users
mailing list