On 03/01/12 16:55, suggestme wrote:
> Hi,
> I have configured freeradius server to authenticate & authorize user with
> the supplied username and password against active directory. Till this
> stage, the user can be authenticated and authorized successfully with the
> credentials provided. For this purpose, the user is just authenticated and
> authorized depending upon the filter of the LDAP module which I have set. My
> LDAP module filter configuration is:
> filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
> But now, I want to go deeper on authenticating and authorizing the user to allow
> or reject VPN or Wifi access, etc. For this purpose I have created an extension
> attribute in Active Directory and have assigned the value as "VPN", "Wifi",
> etc. Now my question is: how can I set the filter in the LDAP module of
> FreeRADIUS to just allow the user belonging to VPN or Wifi? Do I need
> to add the extension attribute filter to the above mentioned filter? OR
Yes. Since the filter is dynamically expanded you can set:
    filter = "(&(extensionAttrX=%{control:Tmp-String-0})(..original..))"
...and then:
    authorize {
        ...
        if (Some-Condition == Some-Value) {
            update control {
                Tmp-String-0 := VPN
            }
        }
        else {
            update control {
                Tmp-String-0 := Wifi
            }
        }
        ldap
        if (notfound) {
            reject
        }
        ...
    }
> should I need to define 2 filters: the above one and another for the extension
> attribute? I tried defining 2 filters separately; it didn't work.
No. 2 filters won't work - "filter" is a singleton config item of the
"ldap" module.
> I know some people use the concept of "Group" for this purpose. In my case,
> I can't use Group. I just have to authenticate and authorize the user just using
> an Active Directory attribute.
The *other* option is to query the attribute from the LDAP directory,
then check it in FreeRADIUS, like so:
    authorize {
        ...
        ldap
        update request {
            Tmp-String-0 :=
                "%{ldap:///%{Ldap-UserDN}?extensionAttrX?base?objectClass=*}"
        }
        if ((Tmp-String-0 == Wifi) && (...)) {
            ...
        }
    }
Which is best will depend on your tastes and needs. The first might be
slightly quicker, because it will only use 1 LDAP query instead of 2.
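The two strategies in the reply, modelled in plain Python as an added example (this is not code from the thread or from FreeRADIUS, and it runs without a directory or a RADIUS server). It assumes the attribute is named extensionAttrX, as in the reply's placeholder, and that the "Some-Condition" deciding VPN versus Wifi is the request's NAS-Port-Type; both are assumptions for illustration. The point worth seeing beyond the unlang is that the username interpolated into a filter must be escaped per RFC 4515, and that in the second strategy the attribute may hold several values, so the check is a membership test rather than a string comparison.

```python
# Added example, not from the FreeRADIUS list thread: models option 1 (one
# combined, dynamically built filter) and option 2 (fetch the attribute, then
# decide in the policy) so the decision logic can be exercised offline.
#
# Assumptions (not from the thread):
#   - the directory attribute is called extensionAttrX (the reply's placeholder)
#   - the access type comes from NAS-Port-Type: "Wireless-802.11" -> Wifi,
#     "Virtual" -> VPN; any other port type is denied before any query is made
from typing import Mapping, Optional, Sequence

# Constructed mapping from the RADIUS request to the tag stored in AD.
SERVICE_BY_PORT_TYPE = {
    "Wireless-802.11": "Wifi",
    "Virtual": "VPN",
}


def required_service(request: Mapping[str, str]) -> Optional[str]:
    """Step shared by both options: which tag must this request match?

    Stands in for the 'if (Some-Condition == Some-Value)' branch of the
    reply's unlang. None means the port type is not one we authorize at all."""
    return SERVICE_BY_PORT_TYPE.get(request.get("NAS-Port-Type", ""))


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, sec. 3).

    Without this, a User-Name such as '*' or 'a)(objectClass=*' would alter
    the shape of the filter instead of being matched literally."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))  # backslash + two hex digits
        else:
            out.append(ch)
    return "".join(out)


def build_filter(request: Mapping[str, str]) -> Optional[str]:
    """Option 1: the single combined filter, the equivalent of
    (&(extensionAttrX=%{control:Tmp-String-0})(sAMAccountName=...)).

    Stripped-User-Name takes precedence over User-Name, as in the original
    filter's %{%{Stripped-User-Name}:-%{User-Name}} expansion."""
    service = required_service(request)
    if service is None:
        return None
    user = request.get("Stripped-User-Name") or request.get("User-Name", "")
    return "(&(extensionAttrX=%s)(sAMAccountName=%s))" % (
        ldap_escape(service), ldap_escape(user))


def authorize_by_attribute(request: Mapping[str, str],
                           attr_values: Sequence[str]) -> bool:
    """Option 2: the user entry was already fetched by the ldap module; now
    decide from the values of extensionAttrX that the lookup returned.

    The attribute may be multi-valued (a user allowed both VPN and Wifi), so
    membership is tested; an absent or empty attribute denies access."""
    service = required_service(request)
    if service is None:
        return False
    return service in attr_values


if __name__ == "__main__":
    # Constructed sample requests.
    vpn_req = {"User-Name": "alice", "NAS-Port-Type": "Virtual"}
    print(build_filter(vpn_req))
    print(authorize_by_attribute(vpn_req, ["Wifi", "VPN"]))
```

Whichever option is used in the real server, the filter built here corresponds to what the ldap module sends once the %{...} expansions are done; the escaping function shows what those expansions must guarantee for a username taken from the wire.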
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html