(RADIATOR) AD Nesting...

Hugh Irvine hugh at open.com.au
Mon Jul 17 02:10:20 CDT 2006

Hello Daniel -

I am not sure what the best way to go about this is, but I think you  
will either need to use a hook or cascaded AuthBy clauses.

In the first instance you can add a second AuthBy FILE clause to  
check the nested groups, which would involve a static list in the  
file referenced by the AuthBy FILE clause. You would return the group  
from LDAP and then check the "nesting" in the AuthBy FILE. You could  
probably do the same thing with a second AuthBy LDAP2, but it would  
involve a second LDAP lookup that you may want to avoid.

Here is a skeleton example:

# define Realm or Handler

<Handler ....>

	AuthByPolicy ContinueWhileAccept

	<AuthBy LDAP2>
	# check user and retrieve group

	<AuthBy FILE>
	# check group


If you have any questions I will try to help.



On 17 Jul 2006, at 12:15, Daniel Harris wrote:

> I am not sure if this question has been asked it may have been and  
> I missed it on the archive, but, we are using Radiator and have no  
> problems with LDAP2 up until now. We are migrating to Win2K3 Server  
> R2, and need to be able to check if a users and/or groups are part  
> of a specific group. Just to clarify, say that I have a Group  
> called Radius Users. And instead of putting all users into that  
> group, I want to put already created groups that contain these  
> Users into the "Radius" group. When we query "Radius" group with  
> LDAP, it returns what users and groups are a part of that group.  
> But if you query a User, it won't tell you that user is a part of  
> the "Radius" group. It will tell you the group that is nested in  
> the Radius group but that's where it stops.
> Is there a way that LDAP can check Nested groups? We have not  
> really found anything on the Internet that says either Yes or No.  
> And our other alternative is to use "ntlm_auth". We would prefer to  
> use LDAP2 for Radius.
> Appreciate any help or clarification. Thanks.


Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
CATool: Private Certificate Authority for Unix and Unix-like systems.

Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list