group membership on LDAP/AD servers

Alan DeKok aland at deployingradius.com
Fri Jul 26 13:55:45 CEST 2019


On Jul 26, 2019, at 7:50 AM, Stefano Cailotto [EDALab] <stefano.cailotto at edalab.it> wrote:
> 
> So far so good... I succeeded in what I needed.
> 
> I implemented the solution also with redundancy (389ds_{1,2} and ad_corporate_{1,2} are 2+2 servers), configuring as follows:
> 
> authorize {
> 
>     if ( "%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
>         update control {
>             Auth-Type := ntlm_auth
>         }
>     }
>     else{
>         update control {
>             Auth-Type := 389DS
>         }
>     }
>     #389DS
>     group {
>         redundant {
>             389ds_1
>             389ds_2
>         }
>     }
> 
>     #AD_CORPORATE {
>     #    redundant AD_CORPORATE {
>     group {
>         redundant {
>             ad_corporate_1
>             ad_corporate_2
>         }
>     }

  I don't think that's right. You're *always* checking *both* LDAP servers. You should instead check 389DS only for the 389DS users. e.g.

authorize {
    if ("%{User-Name}" =~ /[a-z]+[\.]{1}[a-z]+/) {
        # "first.last" style names belong to corporate AD users
        update control {
            Auth-Type := ntlm_auth
        }

        # only the AD pool is queried for these users
        group {
            redundant {
                ad_corporate_1
                ad_corporate_2
            }
        }
    }
    else {
        # everyone else is a 389DS user
        update control {
            Auth-Type := 389DS
        }

        # only the 389DS pool is queried for these users
        group {
            redundant {
                389ds_1
                389ds_2
            }
        }
    }
}

> I noticed that when defining the <server>-Ldap-Group as you suggested, the <server> prefix must match the name defined for a single server, otherwise it fails:

  Yes.

> is there a way to refer to the group of servers (something like group 389DS in authorize and the corresponding 389DS-Ldap-Group in users)?

  Unfortunately, no.

> Moreover, as my system performs a configuration check (-C) before restarting, I get the following error:
> 
> /etc/freeradius/users.sql[1]: Parse error (check) for entry DEFAULT: Unknown attribute "389ds_1-Ldap-Group" requires a hex string, not "accesso"
> 
> FreeRADIUS starts and works correctly; is there a way to avoid that error?

  Probably just upgrade.  You're likely running an old version of the server.

  Alan DeKok.
