question about google workspace with multiple domains

Wessel Louwris wessel at
Wed Mar 22 09:10:54 UTC 2023

>>         domains  # my file module which uses a file with lines like this Base-DN1 := “domain", Base-DN2 := “nl” and is matched with key Stripped-User-domain
>> 	#debug_all
>>         if (&User-Password && !control:Auth-Type)  {
>>                 update control {
>>                         Auth-Type = ldap_google
>>                 }
>>                 update request {
>>                         # the domains change the control, but for LDAP we need to change the request
>>                         &Base-DN1 := control:Base-DN1
>>                         &Base-DN2 := control:Base-DN2
>>                 }
>> It works perfectly for me, but if there’s a better way I would like to try to implement that of course..
> In the LDAP module config you could refer to Base-DN1 and Base-DN2 in the control list e.g.
> base_dn = "cn=Users,dc=%{control:Base-DN1},dc=%{control:Base-DN2}"
> That would avoid having to copy the attributes to the request list.

of course 🤦

> Personally I would just have a single attribute set in the files module with the complete "dc=domain,dc=nl" part of the DN - that gives flexibility in case you end up with any domains that have three or more components - but that's just a design choice for you to make.

Yeah, but I ran into encoding issues on the = and , in dc=domain,dc=nl . I tried to fix it by doing ${unescape:..} etc but ended up with this. Anyway, this is fine for our usecase.

Thanks again & regards, Wessel

More information about the Freeradius-Users mailing list