Discussion:
LDAP OU based authentication
Tom Yard
2018-10-30 14:27:39 UTC
Dear people, I have a Freeradius 2.2.5 authenticating against Active
Directory (LDAP).

Last week, the AD contained groups and users, and in freeradius I used this
option OK and I could authenticate users belonging to the WiFi group with the
corresponding User-Name:

If (LDAP-Group == "WiFi") ...

But now, the AD has changed and it doesn't have groups anymore. So I have to do
an OU-based authentication for the users:

Basedn: OU=technology,OU=mexico,DC=company,DC=com

I've read that DNs are also accepted as LDAP-Group values, so now I'm
using this condition:

If (LDAP-Group == "OU=technology,OU=mexico,DC=company,DC=com")...

but it doesn't work.

Please, how can I authenticate users in accordance with their OU and not
their groups?

Thanking in advance, regards.

Tommy
-
List info/subscribe/unsubs
Alan DeKok
2018-10-30 15:48:53 UTC
Post by Tom Yard
But now, the AD has changed and it doesn't have groups anymore. So I have to do
That's unfortunate. Groups really are a lot simpler.
Post by Tom Yard
Basedn: OU=technology,OU=mexico,DC=company,DC=com
I've read that DNs are also accepted as LDAP-Group values, so now I'm
If (LDAP-Group == "OU=technology,OU=mexico,DC=company,DC=com")...
but it doesn't work.
Because that OU isn't an LDAP group.
Post by Tom Yard
Please, how can I authenticate users in accordance with their OU and not
their groups?
You need to run a custom LDAP query, and see if it returns any results:

if ("%{ldap:... query OU and User}") {
... matched
}
else {
... it didn't match...
}

What that query is depends on your LDAP config. I'm not enough of an expert in LDAP to say more.

Alan DeKok.

Caines, Max
2018-11-02 09:41:54 UTC
I think you want Ldap-UserDN, which contains the DN of the object returned by the LDAP lookup. You need to do a regex match against the trailing part of the string.

Regards

Max
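The suffix match Max describes, written out as an unlang fragment for the authorize section of a FreeRADIUS 2.x server. This is an added illustration, not code from the thread or from the FreeRADIUS project's own configuration; it assumes rlm_ldap has added Ldap-UserDN to the request list and that the OU DN from the question is the intended suffix.

```unlang
authorize {
    # ... preprocess, eap, etc. ...

    # rlm_ldap looks the user up and, on success, adds Ldap-UserDN
    # (the DN of the object it matched) to the request.
    ldap

    # Assumption: Ldap-UserDN lands in the request list (FreeRADIUS 2.x).
    # The DN is lower-cased so the regex does not depend on how AD
    # capitalises OU= / DC=. The pattern is anchored at the end of the
    # string and starts with a comma, so only objects whose DN ends in
    # this exact OU chain match: a user in OU=technology2 does not, a
    # user in a sub-OU beneath OU=technology does.
    if ("%{tolower:%{Ldap-UserDN}}" =~ /,ou=technology,ou=mexico,dc=company,dc=com$/) {
        ok
    }
    else {
        # Reached both when the user was not found (Ldap-UserDN unset,
        # so the expansion is empty) and when the user sits in another OU.
        update reply {
            Reply-Message := "User is not in the permitted OU"
        }
        reject
    }
}
```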