LDAP OU based authentication

Caines, Max Max.Caines at wlv.ac.uk
Fri Nov 2 10:41:54 CET 2018


I think you want Ldap-UserDN, which contains the DN of the object returned by the LDAP lookup. You need to do a regex match against the trailing part of the string.

Regards

Max

-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+max.caines=wlv.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 30 October 2018 15:49
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: LDAP OU based authentication

On Oct 30, 2018, at 10:27 AM, Tom Yard <tomyyard at gmail.com> wrote:
> But now, the AD has changed and it hasn't groups anymore. So I have to do
> an OU based authentication for the users:

  That's unfortunate.  Groups really are a lot simpler.

> Basedn: OU=technology,OU=mexico,DC=company,DC=com
> 
> I've read that DN's are also accepted as LDAP-Group values, so now I'm
> using this condition:
> 
> If (LDAP-Group == "OU=technology,OU=mexico,DC=company,DC=com")...
> 
> but it doesn't work.

  Because that OU isn't an LDAP group.

> 
> Please how can I authenticate users in accordance with their OU and not
> their groups?

  You need to run a custom LDAP query, and see if it returns any results:

	if ("%{ldap:... query OU and User}") {
		... matched
	}
	else {
		... it didn't match...
	}

    What that query is depends on your LDAP config.  I'm not enough of an expert in LDAP to say more.

   Alan DeKok.
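
The following is an added example, not part of the original messages and not FreeRADIUS code: a Python sketch of the "match the trailing part of the DN" check described in the reply at the top, comparing a plain suffix regex with a comparison that splits the DN on unescaped commas. The base DN is the one quoted in the thread; the function names and the user DNs are constructed for illustration.

```python
import re

# Base DN taken from the thread; every user DN below is constructed sample data.
BASE_DN = "OU=technology,OU=mexico,DC=company,DC=com"

def split_rdns(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes per RFC 4514)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair inside this RDN
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns

def normalize(rdn):
    """Lower-case and trim type and value so the comparison ignores case and padding."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def dn_under_ou(user_dn, base_dn=BASE_DN):
    """True when user_dn sits strictly below base_dn, compared RDN by RDN."""
    user = [normalize(r) for r in split_rdns(user_dn)]
    base = [normalize(r) for r in split_rdns(base_dn)]
    return len(user) > len(base) and user[-len(base):] == base

def naive_suffix_match(user_dn, base_dn=BASE_DN):
    """Plain 'trailing part' regex, shown for comparison with dn_under_ou()."""
    return re.search("," + re.escape(base_dn) + "$", user_dn, re.I) is not None

if __name__ == "__main__":
    samples = [
        "CN=Tom Yard,OU=technology,OU=mexico,DC=company,DC=com",   # inside the OU
        "CN=Ann,OU=sales,OU=mexico,DC=company,DC=com",             # sibling OU
        r"CN=x\,OU=technology,OU=mexico,DC=company,DC=com",        # escaped comma in CN
    ]
    for dn in samples:
        print(dn, "regex:", naive_suffix_match(dn), "rdn:", dn_under_ou(dn))
```

The third sample is an object directly under OU=mexico whose CN contains an escaped comma; the suffix regex accepts it, while the RDN-by-RDN comparison does not.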

