LDAP group authorization with MSAD

Nick Schmalenberger nick at schmalenberger.us
Tue Jan 23 15:33:26 UTC 2024

On Tue, Jan 23, 2024 at 11:47:06AM +0000, Nick Porter wrote:
> On 23/01/2024 05:10, Nick Schmalenberger wrote:
> > With binding as the original user though, it only seems to bind and doesn't seem to query the user object, so how can I get the user's DN to check group membership in this way and with my MSAD LDAP schema?
> Call the ldap module in authorize (before you start referring to LDAP-Group
> - if you configure stuff correctly using the cached group options then you
> can minimise the number of LDAP lookups)
> When ldap is called in authorize context it:
>  - binds as the admin user
>  - uses the "user" related module options to find the user's object
>  - creates the attribute &control:LDAP-UserDN containing the object's DN
>  - depending on the "group" related module options looks up the user's group
> membership and populates the &control:LDAP-Group attribute.
> -- 
> Nick Porter
Thank you! You put me on the right track, and with doing %{User-Name}@example.com in the user filter, I didn't need to override LDAP-UserDN at all :)

I can bind as user with the actual DN and use it in the group check too. Either of these works:
    membership_filter = "(member=%{control:LDAP-UserDn})"
    membership_attribute = 'memberOf'

Is it better to use memberOf because freeradius already has the user object and doesn't need to make another query? In packet capturing it looks like it requests at least the matching group object too.

Are these just different in performance, or useful in some different situations? Is one more readable or idiomatic in freeradius? Anything else I should consider?
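
An added example, not from the thread or the FreeRADIUS project, of how the two group options sit in a FreeRADIUS 3.x ldap module instance for MSAD together with the cached-group options Nick Porter mentions; the server name, base DN, service account, the userPrincipalName match and the "VPN Users" group name are assumptions:

```conf
# mods-available/ldap (FreeRADIUS 3.x). Server, base DN, service account,
# the userPrincipalName match and the group name below are assumptions.
ldap {
	server = 'ldaps://dc1.example.com'
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=com'
	password = '<service-account-password>'   # placeholder
	base_dn = 'DC=example,DC=com'
	user {
		base_dn = "${..base_dn}"
		# Build the AD UPN from User-Name; the object's DN lands in &control:LDAP-UserDn.
		filter = "(userPrincipalName=%{User-Name}@example.com)"
		scope = 'sub'
	}
	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=group)'
		scope = 'sub'
		# LDAP-Group comparisons and cached names use the group's cn.
		name_attribute = cn
		# Option 1: search group objects whose member attribute lists the user DN.
		membership_filter = "(member=%{control:LDAP-UserDn})"
		# Option 2: take group DNs straight from the user object's memberOf.
		membership_attribute = 'memberOf'
		# Resolve memberships once in authorize into &control:LDAP-Group.
		cacheable_name = 'yes'
		cacheable_dn = 'yes'
	}
}

# sites-enabled/default, relevant parts of the virtual server only.
authorize {
	# User lookup as the service account; with cacheable_* set, groups are fetched here too.
	ldap
	if ((ok || updated) && User-Password) {
		update {
			control:Auth-Type := ldap
		}
	}
	# Authorization decision against the cached group names (cn values).
	if (!(LDAP-Group == "VPN Users")) {
		reject
	}
}
authenticate {
	# Bind to AD as the user's own DN with the password from the request.
	Auth-Type ldap {
		ldap
	}
}
```

Because memberOf holds DNs, a comparison by cn means the module has to read each group object's name_attribute, which accounts for the extra group request visible in a capture; comparing against the full group DN instead avoids that lookup.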
