[EXT] Fetching memberOf attribute
Brian Julin
BJulin at clarku.edu
Thu May 15 13:02:23 UTC 2025
Matvey Teplov via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Hi Guys,
> I cannot get the ldap module to fetch a memberOf attribute from AD - it is not putting it
> as a filter parameter in the LDAP search packet. I need this list later to search through for
> port-authentication phase through the groups in session-state:LDAP-Group[*]'s to identify
> which ones are present and return a proper VSA. The LDAP configuration is as follows:
We use this because it searches the group membership hierarchy, so nested groups work:
    user {
        ...
        filter = "(&(objectClass=user)(sAMAccountName=%{Stripped-User-Name}))"
        scope = 'sub'
    }

    group {
        ...
        scope = 'sub'
        filter = '(objectCategory=group)'
        membership_filter = "(member:1.2.840.113556.1.4.1941:=%{&control:Ldap-UserDN})"
        ...
    }
You can thank Microsoft for the ugly OID; as far as I know it has no textual alias.
then:
    if (&ldap_ad-LDAP-Group[*] == "whatever")
...that statement will be true if any one of the user's groups, including groups inherited from other groups, is "whatever"; no need for a for loop unless you need to do something fancy.

Do note that if you have a lot of groups in the OU the search will not be especially efficient; it will even rummage through your printers and whatnot. We made a new OU for the top-level RADIUS groups and then could put groups from our other OUs inside those groups, to reduce the scope of the search to just those.
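As an added illustration (not code from the post or from FreeRADIUS itself): the Python below models what the membership_filter above asks Active Directory to do. The OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which makes the server walk nested group membership transitively, so the local walk here does the same over a small constructed directory, terminates on membership cycles, and restricts results to a base DN the way a dedicated RADIUS OU would. The directory contents, the DNs, the use of `cn` as the group name attribute, and the helper names are all assumptions for the example; rlm_ldap escapes expanded values in filters itself, so the `ldap_escape` function only makes the RFC 4515 rule visible for the sample values.

```python
"""Added example: nested AD group membership as the matching-rule filter resolves it."""
from typing import Dict, List, Set

# RFC 4515 escaping for values substituted into an LDAP search filter.
# Backslash maps first so an already-escaped sequence is not produced twice.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it can only match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(stripped_user_name: str) -> str:
    """The user { filter = ... } line from the post, with the xlat expanded."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(stripped_user_name)}))"


def membership_filter(user_dn: str) -> str:
    """The group { membership_filter = ... } line; AD evaluates the
    1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) rule transitively."""
    return f"(member:1.2.840.113556.1.4.1941:={ldap_escape(user_dn)})"


# Constructed sample directory (not real data): group DN -> set of member DNs.
DIRECTORY: Dict[str, Set[str]] = {
    "CN=helpdesk,OU=Staff,DC=example,DC=test": {
        "CN=alice,OU=Users,DC=example,DC=test",
    },
    # Nested: helpdesk is itself a member of the top-level RADIUS group.
    "CN=radius-admins,OU=RADIUS,DC=example,DC=test": {
        "CN=helpdesk,OU=Staff,DC=example,DC=test",
    },
    "CN=radius-guests,OU=RADIUS,DC=example,DC=test": {
        "CN=bob,OU=Users,DC=example,DC=test",
    },
    # A membership cycle; AD tolerates these, so the walk below must too.
    "CN=loop-a,OU=Staff,DC=example,DC=test": {
        "CN=loop-b,OU=Staff,DC=example,DC=test",
        "CN=alice,OU=Users,DC=example,DC=test",
    },
    "CN=loop-b,OU=Staff,DC=example,DC=test": {
        "CN=loop-a,OU=Staff,DC=example,DC=test",
    },
}


def groups_in_chain(user_dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """Every group reachable from user_dn through nested membership, which is
    what the matching-rule filter returns. The 'found' set doubles as the
    visited set so cycles such as loop-a/loop-b terminate."""
    found: Set[str] = set()
    frontier = [user_dn]
    while frontier:
        member = frontier.pop()
        for group_dn, members in directory.items():
            if member in members and group_dn not in found:
                found.add(group_dn)
                frontier.append(group_dn)
    return found


def ldap_group_values(user_dn: str, base_dn: str,
                      directory: Dict[str, Set[str]]) -> List[str]:
    """The values &ldap_ad-LDAP-Group[*] would hold: the CN (assumed to be the
    configured group name attribute) of each matching group under base_dn.
    Restricting base_dn to a dedicated RADIUS OU is the scoping tip from the post."""
    suffix = "," + base_dn.lower()
    return sorted(
        dn.split(",", 1)[0][len("CN="):]
        for dn in groups_in_chain(user_dn, directory)
        if dn.lower().endswith(suffix)
    )


def is_member(user_dn: str, base_dn: str, group_name: str,
              directory: Dict[str, Set[str]]) -> bool:
    """Equivalent of: if (&ldap_ad-LDAP-Group[*] == "group_name")"""
    return group_name in ldap_group_values(user_dn, base_dn, directory)


if __name__ == "__main__":
    alice = "CN=alice,OU=Users,DC=example,DC=test"
    radius_ou = "OU=RADIUS,DC=example,DC=test"
    print(user_filter("alice"))
    print(membership_filter(alice))
    print(ldap_group_values(alice, radius_ou, DIRECTORY))
    print(is_member(alice, radius_ou, "radius-admins", DIRECTORY))
```

Run it as-is to see the two expanded filters and the group list; alice reaches radius-admins only through helpdesk, which a plain `(member=<user DN>)` filter would miss.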