LDAP group authorization with MSAD

Nick Porter nick at portercomputing.co.uk
Tue Jan 23 16:45:46 UTC 2024 

On 23/01/2024 15:33, Nick Schmalenberger wrote:
> Thank you! You put me on the right track, and with doing 
> %{User-Name}@example.com in the user filter, I didn't need to override 
> LDAP-UserDN at all :)
Great
> I can bind as user with the actual DN and use it in the group check too. Either of these work:
>      membership_filter = "(member=%{control:LDAP-UserDn})"
>      membership_attribute = 'memberOf'
>
> Is it better to use memberOf because freeradius already has the user object and doesn't need to make another query? In packet capturing it looks like it requests at least the matching group object too.
>
> Are these just different in performance, or useful in some different situations? Is one more readable or idiomatic in freeradius? Anything else I should consider?

The challenge with LDAP is that each directory is configured 
differently.  E.g. some directories have a memberOf attribute and others 
don't - meaning different approaches have to be taken to resolving group 
membership.

Typically the aim should be to minimise the number of queries being run 
(which you can see from running FreeRADIUS in debug mode).

However, you also need to consider what indexes are set up to ensure 
that the queries are efficient.


Given a memberOf attribute which is part of the user object, I would 
usually choose that option, and then make sure that the "cache" option 
matches the format that the data in that attribute is presented.  This 
is because in that case, the group membership is returned in the same 
LDAP query as finding the user object.

I.e. if the memberOf attribute returns DNs, then use cacheable_dn = 
'yes', and do all your work using those DN formats for group names.

If memberOf returns DNs and you set cacheable_name = 'yes' then further 
queries will be run to map the group DNs to their names.


In addition, if you are using LDAP binds to authenticate, if you have 
not already called the ldap module in authorize, then the first thing 
that FreeRADIUS will do is lookup the user's DN.

This typically means the most efficient thing to do is to call ldap in 
authorize to retrieve the user DN and group membership, before calling 
it again in authenticate to bind as the user.


It's all about understanding how data is returned from the directory, 
and adapting your policy to match that (if possible).


As an aside, with AD, it can also be beneficial to use the Global 
Catalog rather than the standard LDAP port - if all the data you require 
is available in the Global Catalog.  Using the standard LDAP port can 
result in redirects, depending on the base DN that searches are 
performed in.

-- 
Nick Porter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20240123/5a5cf907/attachment.sig>

More information about the Freeradius-Users mailing list