List: freeradius-users
Subject: Re: EAP-TLS with LDAP user attribute check
From: Alan DeKok <aland () deployingradius ! com>
Date: 2021-01-08 21:02:50
Message-ID: CFA21DBB-69C5-4518-9D0C-DA83A83B1837 () deployingradius ! com
On Jan 7, 2021, at 8:22 PM, stray electron <strayedelectron@gmail.com> wrote:
> How can I check an LDAP group membership (or attribute) in an EAP-TLS setup?
Check it once, and cache the result. Or, check it in post-auth.
> I try to set up a Freeradius 3.0 where the client auth is done with EAP-TLS but \
> also checks if the client is in the LDAP (and/or check some user attribute in the \
> LDAP). If the client has a valid certificate but is not in the LDAP then he should \
> be rejected.
It's simpler to just revoke the certificate. But whatever.
> Since the auth is already done by EAP-TLS certificates no user bind to the LDAP \
> should be needed, besides I don't have the user password anyway. But I have an LDAP \
> account configured for the Radius server so it can access the user data.
> So far EAP-TLS works fine, I suppose the 10-times repetition of the authorize part \
> is due to the EAP messages exchanged with the client, or am I wrong?
It's because you made it do the LDAP checks in the "authorize" section, i.e. before \
the user is authenticated.
> Problem is though, that the LDAP search is done 10-times too for each client \
> request. I think this would lead to a huge load of our LDAP server.
> I tried to put the ldap stanza into other places like post-auth, but then it tries \
> to write to the LDAP, or in authenticate where the user password is required.
You can do:
post-auth {
    ...
    ldap.authorize
    ...
}
And run the "authorize" method of the "ldap" module.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
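As an added illustration of the post-auth approach described in the reply above (example configuration written for this page, not from the original thread or from the FreeRADIUS project), the unlang below calls the ldap module's authorize method once, after the EAP-TLS handshake has completed, and rejects the session unless a directory entry exists and belongs to a group. The group name "wifi-users", the use of TLS-Client-Cert-Common-Name as the lookup key, and the module instance name "ldap" are assumptions; the lookup key only takes effect if mods-available/ldap keeps its default user filter built on Stripped-User-Name, and the LDAP-Group comparison relies on the group { } block in that file being configured for your directory.

```unlang
post-auth {
    # post-auth runs once per session, after EAP-TLS has succeeded, so the
    # directory is queried a single time instead of on every EAP round trip
    # that passes through "authorize".

    # Assumption: key the lookup on the certificate CN that EAP-TLS verified,
    # not on the supplicant-supplied outer User-Name.
    update request {
        &Stripped-User-Name := "%{TLS-Client-Cert-Common-Name}"
    }

    # Read-only search and attribute fetch; unlike the module's own post-auth
    # method, this does not write to the directory.
    ldap.authorize

    # Valid certificate but no matching entry, or the directory was
    # unreachable: fail closed and reject the session.
    if (notfound || fail) {
        update reply {
            &Reply-Message := "Certificate not associated with a directory account"
        }
        reject
    }

    # Assumed group name; this comparison triggers the module's membership
    # check using the group { } settings in mods-available/ldap.
    if (!(&LDAP-Group == "wifi-users")) {
        update reply {
            &Reply-Message := "Account not permitted for this service"
        }
        reject
    }
}
```

Place this in the post-auth section of the virtual server that terminates EAP-TLS (sites-available/default in a stock install). A "reject" in post-auth turns the pending Access-Accept into an Access-Reject and runs Post-Auth-Type REJECT, and treating "fail" the same as "notfound" means an outage of the LDAP server denies access rather than silently waving users through.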