List: freeradius-users
Subject: Re: Help with Freeradius and Google Suite LDAP
From: Alan DeKok <aland () deployingradius ! com>
Date: 2023-12-16 19:18:18
Message-ID: 361240EB-3331-4804-88B2-A4E80904CFB8 () deployingradius ! com
On Dec 15, 2023, at 1:01 PM, Chris Bradley <bradleyc@bcsc.k12.in.us> wrote:
>
> Hello everyone! :)
>
> I have this working but it's not working for all of our users.
>
> We have users in our Gsuite with two different email addresses:
>
> domain.k12.in.us and students.domain.k12.in.us
>
> I can authenticate users from one or the other by modifying the ldap file
> under mods-enabled and changing the base_DN to match whichever group I want
> to authenticate.
The "base_dn" field is dynamically expanded at run-time. So you can set it as necessary (mostly). For various security reasons, it doesn't accept commas, brackets, etc. But you can add names.
> Can anyone, at a very simple level, explain to me how to allow the
> freeradius server to authenticate users from two base_dn (domain.k12.in.us
> and students.k12.in.us) using a single server? I've been tinkering with the
> files and I'm not having any luck.
Edit raddb/dictionary, add:
ATTRIBUTE BaseDN-Group 3000 string
This defines a base dn group.
Then in mods-available/default, "authorize" section:
# Capture the label just before ".k12.in.us" in an email-style User-Name
# (e.g. "alice@students.k12.in.us" -> "students"). Anchoring on "@" keeps
# the user part out of the capture, which would otherwise end up in the DN.
if (User-Name =~ /@([^.@]+)\.k12\.in\.us$/) {
	update request {
		&BaseDN-Group := "%{1}"
	}
}
Then in mods-enabled/ldap, edit it to say:
base_dn = "dc=%{BaseDN-Group},dc=k12,dc=in,dc=us"
i.e. dynamically add a prefix to the base_dn, depending on the domain.
That should work. You might have to tweak the base_dn string based on your local configuration, but the above example should be a good start.
Alan DeKok.
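To check what the rule above actually produces before loading it into the server, here is an added example (not FreeRADIUS code, and not from the reply) that mirrors the regex capture and the base_dn template in plain Python. The two realm labels "domain" and "students" come from the thread; the set of DN-unsafe characters is an assumption modelled on the reply's "no commas, brackets, etc." caveat, not the server's actual rule.

```python
import re

# Realm pattern mirroring the unlang rule in the reply: the label just
# before ".k12.in.us" in an email-style User-Name selects the base DN.
REALM_RE = re.compile(r"@([^.@]+)\.k12\.in\.us$", re.IGNORECASE)

# Characters that must never reach a DN built from user input. This set is
# an assumption modelled on the reply's "no commas, brackets, etc." caveat,
# not FreeRADIUS's own list.
DN_UNSAFE = set(',+"\\<>;=()*\x00')


def realm_label(user_name: str):
    """Return the captured realm label (what %{1} would hold), or None."""
    m = REALM_RE.search(user_name)
    return m.group(1) if m else None


def base_dn_for(user_name: str):
    """Build the dynamic base_dn for a User-Name, or None when it cannot be
    derived safely (no matching realm, or DN-unsafe characters in it)."""
    label = realm_label(user_name)
    if label is None or DN_UNSAFE & set(label):
        return None
    return f"dc={label.lower()},dc=k12,dc=in,dc=us"


if __name__ == "__main__":
    # Constructed sample User-Names: one per realm from the thread, one with
    # a realm the rule should not match, and one carrying DN metacharacters.
    for name in ("alice@domain.k12.in.us",
                 "bob@students.k12.in.us",
                 "carol@other.example",
                 "dave@students,dc=other.k12.in.us"):
        print(f"{name:40} -> {base_dn_for(name)}")
```

Names whose realm does not match, or whose captured label carries DN metacharacters, yield None, which is the point at which the server-side rule should fall through rather than build a DN.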