[RADIATOR] Use AD group membership for SQL lookups?

Heikki Vatiainen hvn at open.com.au
Mon Apr 14 10:40:22 CDT 2014


On 04/14/2014 05:56 PM, Martin Burman wrote:

> 1: check username/password combo. - OK
> 2: Search from a set of AD groups until a match EVENTUALLY is found. -OK
> 3: query MySQL for attributes/values based on username. - OK
> 4: query MySQL for the attributes and values based on group name. - Problem here

Hello Martin,

thanks for the full examples. About step 2, I'd use AuthAttrDef to pick
and choose just the attributes that are interesting. If you store
attributes in the reply, for example, you can pick them in step 4 with
something like this:

AuthSelect select PASSWORD,REPLYATTR from GROUPSCRIBERS where GROUPNAME=?
AuthAttrDef %{x-memberof}

It might be you need to do a small Hook to pick just the interesting
part from the returned memberOf value. That interesting part can then be
stored in the reply.

If you use this:
AuthAttrDef memberOf,x-memberof,request

You will get the full value of memberOf in the request. If you do this:
AuthAttrDef memberOf

the attributes will not be stored in the request or reply, but will be
available from the LDAP result for you to process with PostSearchHook
and store in the request for later use.

> (BTW: The Cisco AV-Pairs I'm using are allowed to be sent more than once; in FreeRADIUS this is accomplished with different assignment operators (':=' instead of '=' if I remember it right).
> How is this implemented in Radiator?)

If you use GENERIC with AuthColumnDef, it will add all attributes from
SQL and cisco-avpair can be there multiple times. There is no separate
assignment operator.

> Or am I doomed to use hooks?

Maybe :)

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
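The "small Hook" Heikki mentions, written out as an added example that is not part of the original thread and not Radiator's own code. It shows the logic a PostSearchHook would need: take the full memberOf values returned by the LDAP search, walk an ordered list of interesting AD groups, and return the CN of the first match so that only that group name is later used as the GROUPNAME=? parameter of the SQL lookup. The group names, the sample memberOf DNs, the request attribute name X-AD-Group and the PostSearchHook argument order shown in the trailing comment are assumptions made for this example; check the Radiator reference manual for your version before wiring it in.

```perl
#!/usr/bin/perl
# Added example (not from the original post, not Radiator code): pick the
# "interesting part" of an AD memberOf value for a later SQL group lookup.
use strict;
use warnings;

# Ordered list of AD groups we care about (constructed for this example).
# The first group found wins, which matches "search until a match is found".
my @INTERESTING_GROUPS = ('VPN-Admins', 'VPN-Users', 'Guests');

# Extract the CN from a single memberOf DN such as
# "CN=VPN-Users,OU=Groups,DC=example,DC=com". Returns undef when the DN
# does not start with a CN. A comma escaped as '\,' inside the CN is kept,
# and the attribute type is matched case-insensitively.
sub cn_from_dn {
    my ($dn) = @_;
    return undef unless defined $dn;
    return $1 if $dn =~ /^\s*CN=((?:\\.|[^,])+)/i;
    return undef;
}

# Given all memberOf values of the user, return the first interesting group
# name (in the spelling used by @INTERESTING_GROUPS), or undef if none match.
# Group names in AD are compared case-insensitively.
sub pick_group {
    my (@member_of) = @_;
    my %has = map {
        my $cn = cn_from_dn($_);
        defined $cn ? (lc($cn) => $cn) : ()
    } @member_of;
    for my $g (@INTERESTING_GROUPS) {
        return $g if exists $has{lc $g};
    }
    return undef;
}

# Constructed sample memberOf values, in the shape AD returns them.
my @sample = (
    'CN=Domain Users,CN=Users,DC=example,DC=com',
    'CN=VPN-Users,OU=Groups,DC=example,DC=com',
    'CN=Guests,CN=Builtin,DC=example,DC=com',
);

my $group = pick_group(@sample);
print 'Selected group: ', (defined $group ? $group : '(none)'), "\n";

# Wiring into Radiator (assumption, verify against your manual): AuthBy LDAP2
# calls PostSearchHook with ($self, $name, $p, $user, $entry, $rp), where
# $entry is the Net::LDAP::Entry and $p the request packet. With AuthAttrDef
# memberOf (no request/reply target) the attribute stays in $entry only, so
# the hook copies the chosen group into the request for the later SQL step.
# X-AD-Group is a placeholder attribute name; it must exist in your dictionary.
#
#   PostSearchHook sub { my ($self, $name, $p, $user, $entry, $rp) = @_;
#       my $g = pick_group($entry->get_value('memberOf'));
#       $p->add_attr('X-AD-Group', $g) if defined $g; }
#
# cn_from_dn and pick_group then need to be visible to that hook, e.g. by
# keeping them in the same hook file.
```

Running the script stand-alone prints the group selected from the constructed sample. In the SQL step the stored request attribute can then be referenced as the single bind parameter of the GROUPNAME=? query, so the full DN never reaches the database and a user in several interesting groups is mapped deterministically by the order of @INTERESTING_GROUPS.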

