group membership on LDAP/AD servers
Alan DeKok
aland at deployingradius.com
Fri Jul 26 13:55:45 CEST 2019
On Jul 26, 2019, at 7:50 AM, Stefano Cailotto [EDALab] <stefano.cailotto at edalab.it> wrote:
>
> So far so good... I succeeded in what I needed.
>
> I implemented the solution also with redundancy (389ds_{1,2} and ad_corporate_{1,2} are 2+2 servers), configuring as follows:
>
> authorize {
>
>     if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
>         update control {
>             Auth-Type := ntlm_auth
>         }
>     }
>     else {
>         update control {
>             Auth-Type := 389DS
>         }
>     }
>     #389DS
>     group {
>         redundant {
>             389ds_1
>             389ds_2
>         }
>     }
>
>     #AD_CORPORATE {
>     # redundant AD_CORPORATE {
>     group {
>         redundant {
>             ad_corporate_1
>             ad_corporate_2
>         }
>     }
I don't think that's right. You're *always* checking *both* LDAP servers. You should instead check 389DS only for the 389DS users. e.g.
    if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
        update control {
            Auth-Type := ntlm_auth
        }
        #AD_CORPORATE {
        # redundant AD_CORPORATE {
        group {
            redundant {
                ad_corporate_1
                ad_corporate_2
            }
        }
    }
    else {
        update control {
            Auth-Type := 389DS
        }
        #389DS
        group {
            redundant {
                389ds_1
                389ds_2
            }
        }
    }
}
> I noticed that when defining the <server>-Ldap_Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails:
Yes.
> is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)?
Unfortunately, no.
> Moreover, as my system performs a configuration check (-C) before restarting, I get the following error:
>
> /etc/freeradius/users.sql[1]: Parse error (check) for entry DEFAULT: Unknown attribute "389ds_1-Ldap-Group" requires a hex string, not "accesso"
>
> Freeradius starts and works correctly, is there a way to avoid that error?
Probably just upgrade. You're likely running an old version of the server.
Alan DeKok.
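As an added illustration of the point made in this reply (not code from the thread or from FreeRADIUS itself), the following Python model reproduces the decision logic of the two `authorize` sections above: the `User-Name` pattern copied from the post selects the Auth-Type, and a small stand-in for unlang's `redundant { ... }` records which module instances actually get contacted. The server availability table and the usernames are constructed for the demo; the behaviour it shows is that the original section walks both directory pools for every request, while the corrected one only touches the pool that matches the user, and that the pattern as written is unanchored and case-sensitive (as an unlang `=~` match without `/i` is).

```python
import re

# Pattern copied verbatim from the thread: "first.last" style names are treated
# as AD (ntlm_auth) users, everything else goes to the 389DS directory.
# Unlang's =~ is a substring match, which is re.search() rather than re.fullmatch().
AD_USER_RE = re.compile(r"[a-z]+[\.]{1}[a-z]+")

# Constructed availability table standing in for the module instances named in
# the thread. True = the LDAP server answers, False = it is down.
SERVER_UP = {
    "389ds_1": False,        # constructed: first 389DS replica is unreachable
    "389ds_2": True,
    "ad_corporate_1": True,
    "ad_corporate_2": True,
}

DS_POOL = ["389ds_1", "389ds_2"]
AD_POOL = ["ad_corporate_1", "ad_corporate_2"]


def redundant(pool, queried):
    """Model of `redundant { ... }`: try each module in order, stop at the first
    one that responds, and record every module that was contacted."""
    for name in pool:
        queried.append(name)
        if SERVER_UP[name]:
            return name
    return None


def select_auth_type(user):
    """The `if`/`else` that sets control:Auth-Type."""
    return "ntlm_auth" if AD_USER_RE.search(user) else "389DS"


def authorize_original(user):
    """Stefano's section: Auth-Type is chosen correctly, but both redundant
    groups sit outside the if/else and are therefore walked for every user."""
    queried = []
    auth_type = select_auth_type(user)
    redundant(DS_POOL, queried)
    redundant(AD_POOL, queried)
    return auth_type, queried


def authorize_fixed(user):
    """Alan's version: each redundant group lives inside the branch that
    selected it, so only the directory the user belongs to is contacted."""
    queried = []
    auth_type = select_auth_type(user)
    if auth_type == "ntlm_auth":
        redundant(AD_POOL, queried)
    else:
        redundant(DS_POOL, queried)
    return auth_type, queried


if __name__ == "__main__":
    for name in ("jdoe", "john.doe", "John.Doe", "jdoe@example.com"):
        print(name, "original:", authorize_original(name), "fixed:", authorize_fixed(name))
```

Running it shows `jdoe` reaching `389ds_2` after `389ds_1` fails, and in the original layout also reaching `ad_corporate_1` for no reason. The last two names are worth looking at before copying the pattern: `John.Doe` falls through to 389DS because the classes are lowercase only, and `jdoe@example.com` is classified as an AD user because `example.com` satisfies the unanchored pattern.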