Proxy requests on multiple backend Radius servers based on LDAP Group Membership
Mathieu CLAIR
mclair at protego.net
Mon Oct 15 17:22:34 CEST 2018
Hi Alan,
Thank you for your quick and efficient answer. It works like a charm with the ldap module configured.
BR,
Mathieu
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+mclair=protego.net at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Monday, October 15, 2018 16:24
To: FreeRadius users mailing list
Subject: Re: Proxy requests on multiple backend Radius servers based on LDAP Group Membership
> On Oct 15, 2018, at 10:16 AM, Mathieu CLAIR <mclair at protego.net> wrote:
> I'm trying to route Radius requests on 2 backend Radius servers based
> on LDAP group membership. The purpose is to send Radius requests on
> the 1st server when the user is a member of an LDAP group (example
> CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on
> the 2nd Radius server.
>
> I'm wondering if it's possible and what is the best way to do it.
Yes, it's possible. Just check for the LDAP group, and set Proxy-To-Realm.
>
>
> I started to think about the following process:
>
> - declare an LDAP filter like
> (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
>
> - use the filter (match not null?) in the site configuration
Why?
> Something that sounds like below:
>
> my_ldap_filter = (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
You can't just invent things in the configuration file and expect them to do what you want.
> I'm not sure about the syntax of this. Of course, I faced several
> errors "Entry is not a reference to a module" when I start the
> freeradius server manually. Do I need to use the LDAP module?
If you query an LDAP server, you need to configure the LDAP module. This is documented. Then, check the LDAP group as per the documentation.
if (LDAP-Group == "foo") {
    update control {
        Proxy-To-Realm := "bar"
    }
}
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
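Putting Alan's answer together end to end, as an added example that is not from the thread: the ldap block goes in mods-available/ldap, the home_server, home_server_pool and realm blocks in proxy.conf, and the authorize fragment in the site's authorize section. The LDAP server name, bind DN and password, backend addresses, shared secrets and realm names are placeholders to be replaced; the group DN is the one from the original question.

```conf
ldap {
    server = 'dc.foo.bar'
    identity = 'CN=radius-bind,CN=Users,DC=foo,DC=bar'
    password = 'BIND_PASSWORD_PLACEHOLDER'
    base_dn = 'DC=foo,DC=bar'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        membership_attribute = 'memberOf'   # AD lists a user's groups on the user object
    }
}
home_server radius_members {
    type = auth
    ipaddr = 192.0.2.10
    secret = 'SECRET_PLACEHOLDER'
}
home_server radius_others {
    type = auth
    ipaddr = 192.0.2.20
    secret = 'SECRET_PLACEHOLDER'
}
home_server_pool pool_members {
    home_server = radius_members
}
home_server_pool pool_others {
    home_server = radius_others
}
realm members {
    auth_pool = pool_members
}
realm others {
    auth_pool = pool_others
}
# authorize section of the site: MyGroup members to one realm, everyone else to the other
authorize {
    ldap
    if (LDAP-Group == "CN=MyGroup,CN=Users,DC=foo,DC=bar") {
        update control {
            Proxy-To-Realm := "members"
        }
    }
    else {
        update control {
            Proxy-To-Realm := "others"
        }
    }
}
```

Users the LDAP lookup does not find fall through to the else branch and are proxied to the second backend, which matches the "all other requests" requirement; run the server with -X once to confirm the group comparison resolves as expected.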