How to use LDAP Group attributes in post-auth section?
Alan DeKok
aland at deployingradius.com
Wed Jan 8 19:14:04 CET 2020
On Jan 8, 2020, at 12:26 PM, uj2.hahn at posteo.de wrote:
>
> Hi!
> I use freeradius 3.0.17 with LDAP module for a school.
> There are different LDAP groups (e.g. students and teacher).
> WLAN login time should be limited but differently for different groups.
> In freeradius I already extracted the LDAP group the user belongs to and I know
> how to limit the logintime (Current-Time == "wk1602-0800") or so.
> But of course I don't want to hardcode the group specific time strings.
> Idea is to define group attributes in LDAP which contain these strings.
>
> - Is it possible to map _group_ specific attributes into LDAP module of freeradius,
> maybe some code snippets as template....
You can do an LDAP query, if the time limits are in LDAP.
> - so far I use OpenLDAP as training vehicle. Here I can add a radius scheme. But
> final solution has to be (existing) Active Directory. Is above method usable there
> as well?
Sure, if you extend the schema.
> - Maybe there is a completely different solution out there I'm not aware of.
> Any hints are very welcome!
TBH, the time limit format is very RADIUS specific. It's best to put the rules into FreeRADIUS:
    if (LDAP-Group == "students") {
        update reply {
            Login-Time := "wk0900-1600"
        }
    }
Alan DeKok.
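
A pre-deployment check for Login-Time strings, whether they are kept in LDAP group attributes or written into the FreeRADIUS policy, as an added example that is not part of the original message or of FreeRADIUS itself. It models the UUCP-style format documented for the logintime module (day tokens Mo..Su, Wk, Any, Al, optional hhmm-hhmm, parts separated by "," or "|") and assumes that a range whose end is earlier than its start wraps past midnight on the listed days; the function names and the sample group values are hypothetical.

```python
import re
from datetime import datetime

DAYS = ["mo", "tu", "we", "th", "fr", "sa", "su"]  # index == datetime.weekday()
ALIAS = {"wk": range(0, 5), "any": range(7), "al": range(7)}
DAY = "|".join(DAYS)
ITEM = re.compile(rf"(any|al|wk|{DAY})(?:-({DAY}))?")
SIMPLE = re.compile(rf"(?P<days>(?:{ITEM.pattern})+)(?:(?P<start>\d{{4}})-(?P<end>\d{{4}}))?")

def _minutes(hhmm):
    h, m = int(hhmm[:2]), int(hhmm[2:])
    if h > 23 or m > 59:
        raise ValueError(f"bad time {hhmm!r}")
    return h * 60 + m

def parse_login_time(value):
    """Return a list of (weekday_set, start_minute, end_minute) rules."""
    rules = []
    for part in re.split(r"[,|]", value.strip().lower()):
        m = SIMPLE.fullmatch(part)
        if not m:
            raise ValueError(f"bad simple time string {part!r}")
        days = set()
        for first, last in ITEM.findall(m["days"]):
            if first in ALIAS and last:
                raise ValueError(f"alias {first!r} cannot start a day range")
            if first in ALIAS:
                days.update(ALIAS[first])
            else:  # single day or a range such as mo-fr (may wrap, e.g. fr-mo)
                a = DAYS.index(first)
                b = DAYS.index(last) if last else a
                days.update((a + i) % 7 for i in range((b - a) % 7 + 1))
        start = _minutes(m["start"]) if m["start"] else 0
        end = _minutes(m["end"]) if m["end"] else 24 * 60 - 1
        rules.append((days, start, end))
    return rules

def allowed(value, when):
    """True if the datetime `when` falls inside any rule of `value`."""
    minute = when.hour * 60 + when.minute
    for days, start, end in parse_login_time(value):
        wraps = start > end
        hit = (minute >= start or minute <= end) if wraps else start <= minute <= end
        if when.weekday() in days and hit:
            return True
    return False

if __name__ == "__main__":
    # Constructed group -> Login-Time values, as they might be read from LDAP
    for group, value in {"students": "Wk0900-1600", "teachers": "Any0600-2200"}.items():
        print(group, allowed(value, datetime(2020, 1, 8, 19, 14)))
```

A value that raises ValueError here should be corrected before it is stored in the directory or the policy.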