LDAP group authorization with MSAD

Nick Porter nick at portercomputing.co.uk
Tue Jan 23 11:47:06 UTC 2024

On 23/01/2024 05:10, Nick Schmalenberger wrote:
> With binding as the original user though, it only seems to bind and doesn't seem to query the user object, so how can I get the user's DN to check group membership in this way and with my MSAD LDAP schema?
Call the ldap module in authorize (before you start referring to 
LDAP-Group - if you configure stuff correctly using the cached group 
options then you can minimise the number of LDAP lookups)

When ldap is called in authorize context it:

  - binds as the admin user
  - uses the "user" related module options to find the user's object
  - creates the attribute &control:LDAP-UserDN containing the object's DN
  - depending on the "group" related module options looks up the user's 
group membership and populates the &control:LDAP-Group attribute.


Nick Porter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20240123/827506c4/attachment.sig>

More information about the Freeradius-Users mailing list