If one has (just for example) 1000 groups, this is a lot of overhead - checking every group. Also, what if they belong to several groups? The last group checked would be the only one that matters - unless of course you account for that somehow in your code.
Is there a way to reference the user's "primary" group - does LDAP / AD support such a concept?

Or, "fetch" their full distinguished name using just their common / logon name, such that:

- Login name is ggatten
- Get DN for ggatten
- DN is ggatten.neteng.msd.waddell.com

Once I have the DN I can write some code to extract the parent OU for the user, in this case "neteng". Then, can I do something like:

Vlan-Attribute := "Ldap-group.neteng.someattribute"

I realize the syntax herein is TOTALLY wrong, I'm just looking for some validation on the concept.

G

-----Original Message-----
From: freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org [mailto:freeradius-users-bounces+ggatten=waddell....@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 10:58 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Active directory groups

On 18/05/11 16:21, Doty, Seth wrote:
> So far I have the ldap component querying AD correctly and I have the
> ntlm_auth component doing the same and each individually passing from a
> radtest. My question now revolves around passing the groups in our
> setup and if this is even possible using the protocols listed above.
> Unfortunately, we don't have the option to move away from these
> protocols in our environment. I'm a bit of a freeradius noob so any
> help is appreciated.

I don't really understand what you want, so I'm going to guess.

You have multiple groups. You want to read those from AD via LDAP, and then set reply variables.

The main way to do this is to use unlang or a files module to check each group in turn. For example, in /etc/raddb/sites-enabled/inner-tunnel:

post-auth {
  ...
  if (Ldap-Group == staff) {
    update reply {
      Vlan-Attribute := 123
    }
  }
  elsif (Ldap-Group == students) {
    ..
  }
  else {
    ..
  }
}

Is this what you want? If not, can you explain why not?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
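The "extract the parent OU from the DN and map it to a VLAN" idea from this thread, as an added example that is not part of the thread or of FreeRADIUS itself: it assumes the directory returns the user's DN in standard RFC 4514 string form (e.g. CN=ggatten,OU=neteng,OU=msd,DC=waddell,DC=com rather than the dotted shorthand in the post), and the OU_TO_VLAN table is constructed. An OU with no mapping yields no VLAN, so the caller can reject explicitly instead of silently inheriting whatever the last group check set.

```python
"""Derive a VLAN from the parent OU of a user's LDAP/AD DN (added example)."""
import re

# Constructed mapping: parent OU (lower-cased) -> VLAN id.
# Anything not listed maps to None, i.e. deny by default.
OU_TO_VLAN = {"neteng": 123, "students": 200}

# Split a string DN on commas that are not backslash-escaped (RFC 4514).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return a list of (attr, value) pairs, leaf RDN first.

    Handles escaped commas inside values, e.g. 'CN=Gatten\\, G', so a
    display name containing a comma does not corrupt the OU lookup.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not attr or not sep:
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append((attr.strip().lower(), value.replace("\\,", ",")))
    return rdns


def parent_ou(dn):
    """Closest OU container above the leaf entry, or None if the user
    sits directly under the domain (no OU in the DN)."""
    rdns = parse_dn(dn)
    for attr, value in rdns[1:]:  # skip the leaf RDN (CN=user)
        if attr == "ou":
            return value
    return None


def vlan_for_dn(dn):
    """VLAN id for a user DN; None means 'no mapping' and the caller
    should treat it as a reject rather than a fall-through."""
    ou = parent_ou(dn)
    if ou is None:
        return None
    return OU_TO_VLAN.get(ou.lower())


if __name__ == "__main__":
    for dn in ("CN=ggatten,OU=neteng,OU=msd,DC=waddell,DC=com",
               "CN=guest,DC=waddell,DC=com"):
        print(dn, "->", vlan_for_dn(dn))
```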