Discussion:
Proxy requests on multiple backend Radius servers based on LDAP Group Membership
Mathieu CLAIR
2018-10-15 14:16:05 UTC
Hey there,

I'm trying to route Radius requests on 2 backend Radius servers based on
LDAP group membership. The purpose is to send Radius requests on the 1st
server when the user is a member of an LDAP group (example
CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on the 2nd
Radius server.

I'm wondering if it's possible and what is the best way to do it.



I started to think about the following process:

- declare an LDAP filter like
(&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))

- use the filter (match not null ?) in the site configuration



Something that sounds like below:

my_ldap_filter = (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))

authorize {
    if (%{my_ldap_filter} != "") {
        update control {
            Proxy-To-Realm := 'Radius1'
        }
    }
    else {
        update control {
            Proxy-To-Realm := 'Radius2'
        }
    }
}



I'm not sure about the syntax of this. Of course, I faced several errors
"Entry is not a reference to a module" when I start the freeradius
server manually. Do I need to use the LDAP module?

Thank you for your answer

BR,

Mathieu

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2018-10-15 14:24:15 UTC
Post by Mathieu CLAIR
I'm trying to route Radius requests on 2 backend Radius servers based on
LDAP group membership. The purpose is to send Radius requests on the 1st
server when the user is a member of an LDAP group (example
CN=MyGroup,CN=Users,DC=foo,DC=bar) and to send all other requests on the 2nd
Radius server.
I'm wondering if it's possible and what is the best way to do it.
Yes, it's possible. Just check for the LDAP group, and set Proxy-To-Realm.
Post by Mathieu CLAIR
- declare an LDAP filter like
(&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
- use the filter (match not null ?) in the site configuration
Why?
Post by Mathieu CLAIR
my_ldap_filter = (&(objectClass=user)(sAMAccountName=%{User-Name})(memberof=CN=MyGroup,CN=Users,DC=foo,DC=bar))
You can't just invent things in the configuration file and expect them to do what you want.
Post by Mathieu CLAIR
I'm not sure about the syntax of this. Of course, I faced several errors
"Entry is not a reference to a module" when I start the freeradius
server manually. Do I need to use the LDAP module?
If you query an LDAP server, you need to configure the LDAP module. This is documented. Then, check the LDAP group as per the documentation.

if (LDAP-Group == "foo") {
    update control {
        Proxy-To-Realm := "bar"
    }
}

Alan DeKok.
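A worked version of the group-based routing Alan describes, added here as an example and not taken from the thread or from the FreeRADIUS project files. It assumes FreeRADIUS 3.x, an Active Directory backend at the assumed host dc.foo.bar, a read-only bind account, and two realms named as in the question; secrets and addresses are placeholders. The second realm, Radius2, is declared exactly like Radius1 and is omitted for space.

```conf
# mods-available/ldap: AD user lookup plus group resolution via memberOf
ldap {
    server = 'ldap://dc.foo.bar'                        # assumed hostname
    identity = 'CN=radius-bind,CN=Users,DC=foo,DC=bar'  # assumed read-only bind DN
    password = 'CHANGE-ME'                              # placeholder
    base_dn = 'DC=foo,DC=bar'
    user {
        base_dn = "${..base_dn}"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        name_attribute = cn
        membership_attribute = 'memberOf'  # AD lists groups on the user object
    }
}
# proxy.conf: one home server, pool and realm per backend
home_server radius1 {
    type = auth
    ipaddr = 192.0.2.10        # documentation address, placeholder
    port = 1812
    secret = 'CHANGE-ME'       # placeholder
}
home_server_pool radius1_pool {
    type = fail-over
    home_server = radius1
}
realm Radius1 {
    auth_pool = radius1_pool
}
# sites-enabled/default, authorize section: route on group membership
authorize {
    ldap
    if (ok || updated) {
        # LDAP-Group accepts the group DN or its cn (name_attribute)
        if (LDAP-Group == "CN=MyGroup,CN=Users,DC=foo,DC=bar") {
            update control {
                Proxy-To-Realm := 'Radius1'
            }
        }
        else {
            update control {
                Proxy-To-Realm := 'Radius2'
            }
        }
    }
    # Unknown users, or an LDAP failure, get no realm and are rejected locally
}
```

Because the realm is only set when the LDAP lookup succeeds, a directory outage fails closed: nothing is forwarded to either backend for a user that could not be classified.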
Mathieu CLAIR
2018-10-15 15:22:34 UTC
Hi Alan,

Thank you for your quick and efficient answer. It works like a charm with the ldap module configured.
BR,

Mathieu