Help with Freeradius and Google Suite LDAP
Alan DeKok
aland at deployingradius.com
Sat Dec 16 19:18:18 UTC 2023
On Dec 15, 2023, at 1:01 PM, Chris Bradley <bradleyc at bcsc.k12.in.us> wrote:
>
> Hello everyone! :)
>
> I have this working but it's not working for all of our users.
>
> We have users in our Gsuite with two different email addresses:
>
> domain.k12.in.us and students.domain.k12.in.us
>
> I can authenticate users from one or the other by modifying the ldap file
> under mods-enabled and changing the base_DN to match whichever group I want
> to authenticate.
The "base_dn" field is dynamically expanded at run-time. So you can set it as necessary. (mostly). For various security reasons, it doesn't accept commas, brackets, etc. But you can add names.
> Can anyone, at a very simple level, explain to me how to allow the
> freeradius server to authenticate users from two base_dn (domain.k12.in.us
> and students.k12.in.us) using a single server? I've been tinkering with the
> files and I'm not having any luck.
Edit raddb/dictionary, add:
ATTRIBUTE BaseDN-Group 3000 string
This defines a base dn group.
Then in mods-available/default, "authorize" section:
if (User-Name =~ /^[^@]+@([^.]+)\.k12\.in\.us$/) {
        # %{1} is the label just before ".k12.in.us", e.g. "domain" or "students"
        update request {
                &BaseDN-Group := "%{1}"
        }
}
Then in mods-enabled/ldap, edit it to say:
base_dn = "dc=%{BaseDN-Group},dc=k12,dc=in,dc=us"
i.e. dynamically add a prefix to the base_dn, depending on the domain.
That should work. You might have to tweak the base_dn string based on your local configuration, but the above example should be a good start.
Alan DeKok.
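As an added illustration (not part of this thread or of FreeRADIUS itself), a small Python model of the User-Name to base_dn mapping described above. It assumes the domain label is taken from the part of the name after "@", and it shows why a value with DN-special characters must not be interpolated into base_dn, the restriction the reply mentions.

```python
import re

# Constructed model (not FreeRADIUS code) of the mapping:
#   User-Name -> BaseDN-Group (%{1}) -> base_dn
# Assumption: the label directly before ".k12.in.us" is the group.
DOMAIN_RE = re.compile(r"^[^@]+@([^.]+)\.k12\.in\.us$")

# RFC 4514 DN special characters. A group value containing any of these
# (or control characters) would change the meaning of the DN if inserted
# unescaped, which is why the ldap module refuses such expansions.
DN_SPECIALS = set(',+"\\<>;=')


def base_dn_group(user_name: str):
    """Return the BaseDN-Group value for a User-Name, or None if no match."""
    m = DOMAIN_RE.match(user_name)
    return m.group(1) if m else None


def is_safe_dn_component(value: str) -> bool:
    """True if the value can be placed into a DN attribute value as-is."""
    return not any(c in DN_SPECIALS or ord(c) < 0x20 for c in value)


def expand_base_dn(user_name: str):
    """Build base_dn the way the ldap module would; None if unmatched or unsafe."""
    group = base_dn_group(user_name)
    if group is None or not is_safe_dn_component(group):
        return None
    return f"dc={group},dc=k12,dc=in,dc=us"


if __name__ == "__main__":
    # Constructed sample names, including one carrying DN metacharacters.
    for name in ("alice@domain.k12.in.us",
                 "bob@students.k12.in.us",
                 "eve@x,dc=other.k12.in.us",
                 "mallory@domain.k12.in.us.example.net"):
        print(f"{name:45} -> {expand_base_dn(name)}")
```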