question about google workspace with multiple domains
Wessel Louwris
wessel at stutit.nl
Wed Mar 22 09:10:54 UTC 2023
>> domains # my file module which uses a file with lines like this domain1.com Base-DN1 := "domain", Base-DN2 := "nl" and is matched with key Stripped-User-domain
>> #debug_all
>> if (&User-Password && !control:Auth-Type) {
>> update control {
>> Auth-Type = ldap_google
>> }
>> update request {
>> # the domains change the control, but for LDAP we need to change the request
>> &Base-DN1 := control:Base-DN1
>> &Base-DN2 := control:Base-DN2
>> }
>>
>>
>> It works perfectly for me, but if there’s a better way I would like to try to implement that of course..
>
> In the LDAP module config you could refer to Base-DN1 and Base-DN2 in the control list e.g.
>
> base_dn = "cn=Users,dc=%{control:Base-DN1},dc=%{control:Base-DN2}"
>
> That would avoid having to copy the attributes to the request list.
of course 🤦
> Personally I would just have a single attribute set in the files module with the complete "dc=domain,dc=nl" part of the DN - that gives flexibility in case you end up with any domains that have three or more components - but that's just a design choice for you to make.
Yeah, but I ran into encoding issues on the = and , in dc=domain,dc=nl. I tried to fix it by doing ${unescape:..} etc. but ended up with this. Anyway, this is fine for our use case.
Thanks again & regards, Wessel
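
The trade-off discussed in this thread, sketched in Python as an added example (not part of the original messages and not FreeRADIUS code). It assumes the encoding issue comes from expanded values being escaped as DN data, modelled here with RFC 4514 backslash-hex escaping; the function names are hypothetical and the inputs are constructed.

```python
# Added illustration, not FreeRADIUS source. Assumption: a value expanded into
# a DN is escaped as data, modelled as backslash + two hex digits (RFC 4514).

DN_SPECIAL = set(',+"\\<>;=#')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the structure of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, last)
        if ch in DN_SPECIAL or ord(ch) < 0x20 or edge_space:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def base_dn_from_template(suffix: str, prefix: str = "cn=Users") -> str:
    """One attribute holding the whole 'dc=domain,dc=nl' suffix.

    The suffix is escaped as a single value, so its own '=' and ','
    separators are encoded: the problem described in the thread.
    """
    return prefix + "," + escape_dn_value(suffix)


def base_dn_from_domain(domain: str, prefix: str = "cn=Users") -> str:
    """One dc= RDN per DNS label, each label escaped on its own.

    The separators come from the template, not from the data, so any number
    of components works and a hostile label cannot add RDNs.
    """
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain")
    return ",".join([prefix] + ["dc=" + escape_dn_value(l) for l in labels])


if __name__ == "__main__":
    print(base_dn_from_template("dc=domain,dc=nl"))
    print(base_dn_from_domain("domain.nl"))
    print(base_dn_from_domain("mail.example.co.uk"))
    print(base_dn_from_domain("evil,dc=other"))  # constructed hostile input
```
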