LDAP group authorization with MSAD
Nick Porter
nick at portercomputing.co.uk
Tue Jan 23 11:47:06 UTC 2024
On 23/01/2024 05:10, Nick Schmalenberger wrote:
> With binding as the original user though, it only seems to bind and doesn't seem to query the user object, so how can I get the user's DN to check group membership in this way and with my MSAD LDAP schema?
Call the ldap module in authorize (before you start referring to
LDAP-Group - if you configure stuff correctly using the cached group
options then you can minimise the number of LDAP lookups)
When ldap is called in authorize context it:
- binds as the admin user
- uses the "user" related module options to find the user's object
- creates the attribute &control:LDAP-UserDN containing the object's DN
- depending on the "group" related module options looks up the user's
group membership and populates the &control:LDAP-Group attribute.
--
Nick Porter
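The flow described in the reply above, written out as a FreeRADIUS 3.x configuration. This is an added example, not configuration from the original post or from the FreeRADIUS project: the server hostname, service account, base DN and group name are assumed placeholder values for a hypothetical MSAD domain. The `ldap` module instance is called in `authorize` so that `&control:LDAP-UserDN` and the cached `&control:LDAP-Group` list are populated before any `LDAP-Group` comparison runs.

```unlang
# mods-available/ldap  (assumed placeholder values throughout)
ldap {
    server   = 'ldaps://dc.example.test'
    # Service account used for the admin bind in authorize
    identity = 'CN=radius svc,OU=Service Accounts,DC=example,DC=test'
    password = 'REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD'
    base_dn  = 'DC=example,DC=test'

    user {
        base_dn = "${..base_dn}"
        # Locate the user object by sAMAccountName; its DN becomes &control:LDAP-UserDN
        filter  = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter  = '(objectClass=group)'
        name_attribute = cn
        # Read group DNs straight from the user's memberOf attribute
        membership_attribute = 'memberOf'
        # Cache group DNs in &control:LDAP-Group during the authorize call so that
        # later LDAP-Group comparisons do not trigger extra lookups
        cacheable_name = no
        cacheable_dn   = yes
    }
}

# sites-available/default (relevant sections only)
authorize {
    preprocess
    # Admin bind, user lookup, group caching all happen here
    ldap
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # Authorisation decision against the cached group DNs (assumed group name)
    if (&LDAP-Group == "CN=VPN Users,OU=Groups,DC=example,DC=test") {
        update reply {
            Reply-Message := "VPN access granted"
        }
    }
    else {
        reject
    }
}

authenticate {
    # Bind as the end user to verify the password; the DN was already resolved above
    Auth-Type ldap {
        ldap
    }
}
```

With `cacheable_dn = yes` the comparison in `authorize` is served from `&control:LDAP-Group`, so the only directory traffic per request is the admin bind plus user search in `authorize` and the user bind in `authenticate`. Run `radiusd -X` and confirm `LDAP-UserDN` and `LDAP-Group` appear in the debug output after the `ldap` call before relying on the group check.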