Hi,

In modules/ldap, I have:

ldap ldap_staff{

Queries the staff ou in AD

}

ldap ldap_student{

Queries the student ou in AD

}

In the authorize section of the inner-tunnel virtual server I have:

        # look the user up in the staff ou first; "ok" means the search found them
        ldap_staff
        if (ok) {
            update reply {
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = 141
            }
        }
        else {
            # not staff, so try the student ou
            ldap_student
            if (ok) {
                update reply {
                    Tunnel-Type = "VLAN"
                    Tunnel-Medium-Type = "IEEE-802"
                    Tunnel-Private-Group-Id = 142
                }
            }
            else {
                reject
            }
        }


All working OK: it happily authorises any user who exists in Active Directory
and instructs the NAS which VLAN to put them into.

Now I'm trying to authorise/authenticate users in a particular AD group for
console access to the NAS (Cisco switch).

In the default virtual server I have, after pap:

$INCLUDE local/default_policy

And in local/default_policy:

if (!control:Auth-Type && request:NAS-Port-Type == Async && Ldap-Group == ADGROUP) {
    update control {
        Auth-Type = "ntlm_auth"
    }
}

ADGROUP is replaced with whichever group has the appropriate users

If I don't have the Ldap-Group condition, everything works, except that any valid
username/password pair works.
When I add the condition, radiusd -X shows:

rlm_ldap: performing search in ou=students, dc=ad, dc=hud, dc=ac, dc=uk, with filter (sAMAccountName=user)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed


First question: how do I tell rlm_ldap to query the staff ou without breaking
the bit that is already working?
Second question: is there any reason I shouldn't use the "$INCLUDE
local/default_policy" construct? The idea is to make the policies easy to find
as they get more complex; there are several more groups of users to go yet.


Thanks in advance,

Leighton


---
This transmission is confidential and may be legally privileged. If you receive 
it in error, please notify us immediately by e-mail and remove it from your 
system. If the content of this e-mail does not relate to the business of the 
University of Huddersfield, then we do not endorse it and will accept no 
liability.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
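An added example, not part of Leighton's post, showing the console-access group check written against a specific rlm_ldap instance. In FreeRADIUS 2.x each named ldap instance registers its own comparison attribute, <instance>-Ldap-Group, in addition to the shared Ldap-Group; the bare Ldap-Group comparison is handled by whichever instance registered it last, which with the module order above is ldap_student, and that is why the debug output shows the group lookup searching ou=students. The instance names ldap_staff and ldap_student are taken from the post; the group DN is a hypothetical placeholder.

```text
# Added example, not from the original post. Assumes the two rlm_ldap
# instances are named ldap_staff and ldap_student, and that the console
# admins live in cn=netadmins,ou=staff,dc=ad,dc=hud,dc=ac,dc=uk (hypothetical).

# Weak form: Ldap-Group is shared by every rlm_ldap instance, so the
# comparison runs in the last instance loaded (ldap_student) and searches
# the wrong ou for a staff account. The check fails for everyone.
#
#   if (!control:Auth-Type && request:NAS-Port-Type == Async && Ldap-Group == "cn=netadmins,ou=staff,dc=ad,dc=hud,dc=ac,dc=uk") {

# Instance-qualified form: ldap_staff-Ldap-Group is registered only by the
# ldap_staff instance, so both the user lookup and the group membership
# check run against ou=staff.
if (!control:Auth-Type && request:NAS-Port-Type == Async && ldap_staff-Ldap-Group == "cn=netadmins,ou=staff,dc=ad,dc=hud,dc=ac,dc=uk") {
    update control {
        Auth-Type = "ntlm_auth"
    }
}
# No else branch is needed for the deny case: a console request that leaves
# authorize with no Auth-Type set is rejected by the server before any
# password check runs, so accounts outside the group never authenticate.
```

The same <instance>-Ldap-Group naming applies to any further groups added to local/default_policy: pick the attribute of the instance whose base DN contains the accounts being matched, rather than the shared Ldap-Group, or the lookup silently runs against the wrong ou.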
