List: freeradius-users
Subject: Re: Uses of Active directory User's attribute
From: Luc Paulin <paulinster () gmail ! com>
Date: 2019-02-28 14:42:45
Message-ID: CA+Dp=BEy076cJymV8=erQMo5StN3ULBL8dPbOCcJjkLjTP42qQ () mail ! gmail ! com
For anyone who may look up that kind of information, I dug a bit more and,
based on the following thread (
http://lists.freeradius.org/pipermail/freeradius-users/2016-August/084450.html),
I managed to make it work.
So here's what I did...
Create another server instance file for ldap
ldap ldap_get_department {
    server = "myserver.example.com"
    port = 389
    identity = "radius@myserver.example.com"
    password = "password"
    base_dn = "DC=domain,DC=example,DC=com"
    update {
        reply:department := 'department'
    }
    user {
        base_dn = "${..base_dn}"
        filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%{%{%{Stripped-User-Name}:-%{mschap:User-Name}}:-%{User-Name}}))"
    }
    options {
        chase_referrals = yes
        rebind = yes
    }
}
In the inner-tunnel post-auth section, I enabled that part:
if (1) {
    update reply {
        User-Name !* ANY
        Message-Authenticator !* ANY
        EAP-Message !* ANY
        Proxy-State !* ANY
        MS-MPPE-Encryption-Types !* ANY
        MS-MPPE-Encryption-Policy !* ANY
        MS-MPPE-Send-Key !* ANY
        MS-MPPE-Recv-Key !* ANY
    }
}
Also added the ldap_get_department module within the authorize portion of
inner-tunnel.
And in the post-auth of the default server, added the check for the attribute:
if ("%{toupper:%{session-state:department}}" == "IT/DEV") {
    if ("%{toupper:%{Ldap-Group}}" == "VLAN_MTL_ADMIN") {
        update reply {
            Tunnel-Private-Group-Id := 149
        }
    } else {
        update reply {
            Tunnel-Private-Group-Id := 143
        }
    }
}
--
!!!!!
( o o )
--------------oOO----(_)----OOo--------------
Luc Paulin
email: paulinster(at)gmail.com
Skype: paulinster
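As an added example (not part of Luc's post or the FreeRADIUS distribution), here is the outer-server post-auth check extended with the Tunnel-Type/Tunnel-Medium-Type attributes a switch needs to honour Tunnel-Private-Group-Id, and with a default branch so a user whose AD Department field is empty lands in a restricted VLAN instead of whatever the NAS falls back to. It assumes `department` is defined in the local dictionary, that the stock inner-tunnel block copying the inner reply into outer.session-state is enabled, that the default `ldap` instance exists for the group test, and VLAN 999 is a placeholder.

```unlang
#  sites-enabled/default, post-auth section (FreeRADIUS 3.x unlang).
#  Added example; department comes from the poster's ldap_get_department
#  instance via the inner reply -> outer.session-state copy.
post-auth {
    #  Dynamic VLAN assignment requires the tunnel framing attributes;
    #  most switches ignore Tunnel-Private-Group-Id without them.
    update reply {
        &Tunnel-Type := VLAN
        &Tunnel-Medium-Type := IEEE-802
    }

    #  Branch on the upper-cased department.  A missing attribute
    #  expands to "" and therefore takes the default case.
    switch "%{toupper:%{session-state:department}}" {
        case "IT/DEV" {
            #  LDAP-Group is a virtual attribute compared by rlm_ldap
            #  against the request's User-Name, so this assumes the
            #  outer identity is the real account, not an anonymous one.
            if (&LDAP-Group == "VLAN_MTL_ADMIN") {
                update reply {
                    &Tunnel-Private-Group-Id := 149
                }
            }
            else {
                update reply {
                    &Tunnel-Private-Group-Id := 143
                }
            }
        }

        case {
            #  Default: unknown department or field not populated.
            #  999 is a placeholder for a restricted/quarantine VLAN;
            #  logging it makes unpopulated AD records easy to find.
            update reply {
                &Tunnel-Private-Group-Id := 999
            }
            update request {
                &Module-Failure-Message := "department '%{session-state:department}' not mapped, default VLAN"
            }
        }
    }
}
```

Watching the default branch in the logs gives a direct count of accounts whose Department field has not been standardized yet.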
On Thu, Feb 21, 2019 at 10:41 AM, Luc Paulin <paulinster@gmail.com>
wrote:
> Hi List,
>
> I was wondering if it would be possible to use the Active Directory user's
> attributes. As we're standardizing our AD, all users should have the
> Department attribute field filled. So instead of using AD groups to
> dynamically assign VLANs, I was thinking of using that field instead. Would
> that be possible?
>
> Thanx!
>
> --
> !!!!!
> ( o o )
> --------------oOO----(_)----OOo--------------
> Luc Paulin
> email: paulinster(at)gmail.com
> Skype: paulinster
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html