
List:       freeradius-users
Subject:    Re: EAP-TLS with LDAP user attribute check
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2021-01-08 21:02:50
Message-ID: CFA21DBB-69C5-4518-9D0C-DA83A83B1837 () deployingradius ! com

On Jan 7, 2021, at 8:22 PM, stray electron <strayedelectron@gmail.com> wrote:
> How can I check an LDAP group membership (or attribute) in an EAP-TLS setup?

  Check it once, and cache the result.  Or, check it in post-auth.

> I try to set up a Freeradius 3.0 where the client auth is done with EAP-TLS but
> also checks if the client is in the LDAP (and/or check some user attribute in the
> LDAP). If the client has a valid certificate but is not in the LDAP then he should
> be rejected.

  It's simpler to just revoke the certificate.  But whatever.

> Since the auth is already done by EAP-TLS certificates no user bind to the LDAP
> should be needed, besides I don't have the user password anyway. But I have an LDAP
> account configured for the Radius server so it can access the user data.
> So far EAP-TLS works fine, I suppose the 10 times repetition of the authorize part
> is due to the EAP messages exchanged with the client, or am I wrong?

  It's because you made it do the LDAP checks in the "authorize" section, i.e. before
the user is authenticated.

> Problem is though, that the LDAP search is done 10 times too for each client
> request. I think this would lead to a huge load of our LDAP server.
> I tried to put the ldap stanza into other places like post-auth, but then it tries
> to write to the LDAP, or in authenticate where the user password is required.

  You can do:

post-auth {
	...
	ldap.authorize
	...
}

  And run the "authorize" method of the "ldap" module.

  Alan DeKok.


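A fuller version of the post-auth approach from the reply above, as an added example rather than text from the thread: FreeRADIUS 3.0 unlang for the default virtual server, assuming an "ldap" module instance bound with the RADIUS server's own service account, a placeholder group DN, and that the supplicant's User-Name is the same identity the certificate carries (the eap module's check_cert_cn setting is the usual way to enforce that).

```unlang
#  Added example, not from the original message.  Intended for the
#  post-auth section of sites-enabled/default in FreeRADIUS 3.0.
#
#  Assumptions: an "ldap" module instance is configured and bound with
#  the RADIUS server's own account; the group DN is a placeholder; the
#  ldap module's user filter keys on User-Name, which is tied to the
#  certificate identity via "check_cert_cn = %{User-Name}" in the eap
#  module's tls section.
post-auth {
	#  Run only the "authorize" method of the ldap module here, after
	#  EAP-TLS has completed, so the directory is searched once per
	#  session instead of on every EAP round trip.  Nothing is written
	#  to LDAP and no user bind is attempted.
	ldap.authorize

	#  A valid certificate whose subject has no LDAP entry is rejected.
	#  "notfound" tests the return code of the ldap.authorize call.
	if (notfound) {
		update reply {
			&Reply-Message := "certificate user not present in LDAP"
		}
		reject
	}

	#  Any other LDAP failure (server down, bind error) is also a reject,
	#  so a directory outage fails closed rather than open.
	if (fail) {
		reject
	}

	#  Optional group membership check.  LDAP-Group is resolved by
	#  rlm_ldap; the DN below is a placeholder for the real group.
	if (!(&LDAP-Group == "cn=eap-tls-users,ou=groups,dc=example,dc=com")) {
		update reply {
			&Reply-Message := "certificate user not in required group"
		}
		reject
	}

	#  Reject causes the Post-Auth-Type REJECT section to run, where the
	#  usual reply cleanup and delay for rejects are applied.
}
```

Run the server in debug mode (radiusd -X) and count the LDAP search lines for one full EAP-TLS exchange to confirm the query now happens once.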


