question about google workspace with multiple domains

Nick Porter nick at portercomputing.co.uk
Wed Mar 22 08:39:30 UTC 2023 

On 21/03/2023 23:40, Wessel Louwris via Freeradius-Users wrote:
> We managed to get it working with a ‘domains’ file module like you 
> suggested. Awesome, the config looks really nice and simple now. 
Simple configs are usually easier to understand and maintain.
> I had to do a few tricks, probably because I don’t understand FreeRADIUS & erlang enough.
>
> I noticed that my domains file changes the control, with the debug_all statement.
Yes - that is a limitation of the files module - you can only add 
attributes to the control or reply lists.
> But for LDAP I need to change the request, so I did this in my google inner tunnel file (debug file below):
>
>
>          domains  # my file module which uses a file with lines like this   domain1.com Base-DN1 := “domain", Base-DN2 := “nl” and is matched with key Stripped-User-domain
> 	#debug_all
>          if (&User-Password && !control:Auth-Type)  {
>                  update control {
>                          Auth-Type = ldap_google
>                  }
>                  update request {
>                          # the domains change the control, but for LDAP we need to change the request
>                          &Base-DN1 := control:Base-DN1
>                          &Base-DN2 := control:Base-DN2
>                  }
>
>
> It works perfectly for me, but if there’s a better way I would like to try to implement that of course..

In the LDAP module config you could refer to Base-DN1 and Base-DN2 in 
the control list e.g.

base_dn = "cn=Users,dc=%{control:Base-DN1},dc=%{control:Base-DN2}"

That would avoid having to copy the attributes to the request list.


Personally I would just have a single attribute set in the files module 
with the complete "dc=domain,dc=nl" part of the DN - that gives 
flexibility in case you end up with any domains that have three or more 
components - but that's just a design choice for you to make.


-- 
Nick Porter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20230322/8a8c555a/attachment.sig>

More information about the Freeradius-Users mailing list