Help with Freeradius and Google Suite LDAP

Wessel Louwris wessel at stutit.nl
Fri Dec 15 18:48:25 UTC 2023


Hi,

We have been struggling with this also.  We have about 20 domains in our Google Workspace, so we needed some kind of (text) database.
This mailing list gave me a lot of hints, and we managed to solve it with the configuration below.

It can probably be done more easily without these Base-DN1+Base-DN2 variables, but I had trouble parsing, so this worked for us.

file: mods-enabled/domains
files domains {
        # Search for files in a subdirectory of mods-config which
        # matches this instance of the files module.
        moddir = ${modconfdir}/${.:instance}

        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        key = "%{Stripped-User-domain}"

        filename = ${moddir}/domains
}

file: mods-config/domains/domains
dom1.com	Base-DN1 := "dom1", Base-DN2 := "com"
...
dom2.nl	Base-DN1 := "dom2", Base-DN2 := "nl"


file: sites-available/google-ldap-auth
...
        domains
        # debug_all
        if (&User-Password && !control:Auth-Type)  {

                update control {
                        Auth-Type = ldap_google
                }
                update request {
                        # the domains change the control, but for LDAP we need to change the request
                        &Base-DN1 := control:Base-DN1
                        &Base-DN2 := control:Base-DN2
                }


Maybe you can use this for inspiration.

Good luck & regards, Wessel
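An added example (not Wessel's configuration and not FreeRADIUS code) that generalises the Base-DN1/Base-DN2 idea: it builds the full dc= base DN for a domain with any number of labels, such as the students.domain.k12.in.us case in the question, which the two-variable scheme cannot express, and renders the files-module table that the `domains` instance reads. It assumes a single custom attribute named Base-DN is declared in the dictionary and that the ldap module's base_dn expands %{Base-DN}; an unknown realm resolves to nothing so the request can be rejected instead of falling back to a default subtree.

```python
import re
from typing import Dict, Optional

# Constructed sample: a few workspace domains, including a multi-label one
# like the "students.domain.k12.in.us" case in the original question.
WORKSPACE_DOMAINS = ["dom1.com", "dom2.nl", "domain.k12.in.us",
                     "students.domain.k12.in.us"]

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def domain_to_base_dn(domain: str) -> str:
    """'students.domain.k12.in.us' -> 'dc=students,dc=domain,dc=k12,dc=in,dc=us'.

    Each label is validated first, so a realm string can never smuggle extra
    DN components (',', '=', ...) into the base DN the ldap module expands.
    """
    labels = domain.strip().lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lbl) for lbl in labels):
        raise ValueError(f"invalid domain: {domain!r}")
    return ",".join(f"dc={lbl}" for lbl in labels)


def render_domains_file(domains) -> str:
    """Render mods-config/domains/domains for the files module.

    Column 1 is the key matched against %{Stripped-User-Domain}; the reply
    sets one attribute, Base-DN (assumed to be declared in the dictionary),
    holding the full dc= string instead of the Base-DN1/Base-DN2 pair.
    """
    rows = [f'{d}\tBase-DN := "{domain_to_base_dn(d)}"'
            for d in sorted(set(domains))]
    return "\n".join(rows) + "\n"


def build_table(domains) -> Dict[str, str]:
    """Lookup table equivalent to what the files module matches on."""
    return {d.lower(): domain_to_base_dn(d) for d in domains}


def resolve_base_dn(username: str, table: Dict[str, str]) -> Optional[str]:
    """Mimic the runtime lookup: split the realm off the login and look it up.

    Unknown realms yield None; reject those rather than falling back, or one
    domain's users could be authenticated against another domain's subtree.
    """
    if "@" not in username:
        return None
    _, domain = username.rsplit("@", 1)
    return table.get(domain.strip().lower())
```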


> On 15 Dec 2023, at 19:01, Chris Bradley <bradleyc at bcsc.k12.in.us> wrote:
> 
> Hello everyone! :)
> 
> I have this working but it's not working for all of our users.
> 
> We have users in our Gsuite with two different email addresses:
> 
> domain.k12.in.us and students.domain.k12.in.us
> 
> I can authenticate users from one or the other by modifying the ldap file
> under mods-enabled and changing the base_DN to match whichever group I want
> to authenticate.
> 
> Can anyone, at a very simple level, explain to me how to allow the
> freeradius server to authenticate users from two base_dn (domain.k12.in.us
> and students.k12.in.us) using a single server? I've been tinkering with the
> files and I'm not having any luck.
> 
> Thanks!
> 
> -- 
> 
> This message originated from Bartholomew Consolidated School Corporation, 
> Columbus, Indiana.
