AD group membership
mus3 at lehigh.edu
Tue Jan 14 18:26:11 CET 2020
Using this as a guide:
I configured the ldap module for my AD server. However, I was unsure
regarding the post-auth section in the guide. I ended up adding a
"function" to the policy.d folder (not sure if that's a debian-only folder
or not) and referencing that function as the first line in the
authorize section of my enabled site. I recognize there are many ways to
get to the same result, but I thought I'd ask the experts, is there a
reason to use the post-auth section rather than the authorize section?
Seems like the group check naturally fits into "is this user authorized to
use this service".
On Mon, Jan 13, 2020 at 5:19 PM Alan DeKok <aland at deployingradius.com>
> On Jan 13, 2020, at 5:02 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> > I have successfully configured freeradius to authenticate against AD
> > the winbind socket (not the ntlm_auth command).
> That's good.
> > I find myself needing to
> > also authorize based on AD group membership, more precisely based on
> > negative group membership (We maintain a "deny wireless" group). It
> > like I could use the LDAP module and test for the group there, but I
> > noticed that the ntlm_auth command supports some notion of group checking
> > through the '--require-membership-of=STRING' option.
> That requires membership in a particular group. It does *not* do
> negative group checking.
> > It follows that
> > winbind has access to AD groups and could be used to check. I haven't
> > able to find any guidance on the freeradius.org documentation site, so I
> > was wondering if there is a preferred method for AD-based group checking
> > when using winbind.
> The --require-membership-of option is *only* good if you need to require
> membership of one, and only one group. If you need to check multiple
> groups, it doesn't work. If you need to do negative group checking, it
> doesn't work.
> Alan DeKok.
> List info/subscribe/unsubscribe? See
Senior Network Engineer
munroe at lehigh.edu
More information about the Freeradius-Users