Multiple ldap instances - User Group Membership search not done
Alan DeKok
aland at deployingradius.com
Wed Feb 27 16:18:06 CET 2019
On Feb 27, 2019, at 9:35 AM, Florian Sus | indevis GmbH <florian.sus at indevis.de> wrote:
> Regarding the difference between admin users and customer read-only users I would like to do the following.
That makes it a lot easier.
> Admin user will authenticate with "firstname.lastname"
> Customer RO users will authenticate with their e-mail address.
>
> So for admins the realm and delimiter is not given and if I have read correctly I could use realm NULL and authenticate the realm NULL users against first ldap server.
> All other users will have a realm which is unknown and should use the DEFAULT realm which I would like to have authenticated against the second ldap server.
I would suggest using realm names where possible. Use the domain name for users who authenticate with email addresses. Use the default realm for all other users.
authorize {
...
suffix
...
if (Realm == "realm-A") {
ldap_realmA
}
else {
ldap
}
...
}
That will authenticate each set of users from the correct LDAP server.
If you want to add group checks, just do that inside the relevant if / else blocks above.
> I am very new to freeradius so I decided to have a step-by-step approach to the final configuration.
That's good.
> As my next step I would like to have configured two ldap servers (second ldap server can be dummy config for now) to see how I need to handle the configuration (eg. using <instancename>-LDAP-Group in unlang).
> I guess to have the final working config I need to use an additional virtual server (one for admin users for realm NULL and the other one for customers realm DEFAULT) and proxy.conf, but that will be in the later steps.
No, you don't need to do that. You can just use one virtual server.
> To clarify: By "Then, add a *new* LDAP module" you mean to *append* the config for second ldap server to the file .../mods-available/ldap in the form
>
> ldap ldpa2 {
> ...
> }
You can append it or put it into a different file. It's just text.
> And I leave the existing config in the very same file for the first ldap server as it is.
> For checking group membership of users from the first ldap server I need to use
>
> if (LDAP-Group == "Groupname") {
> ...
> }
>
> And for checking group memebership of users from second ldap server I need to use
>
> If (ldap2-LDAP-Group == "other-Groupname") {
> ...
> }
Yes.
> Do you need to have one ldap server instance unnamed and the other ones as named ldap servers?
You don't *need* to do it that way. But it's the simplest.
Alan DeKok/
More information about the Freeradius-Users
mailing list