[RADIATOR] Different Reply Item based on LDAP (AD) Group membership

Hugh Irvine hugh at open.com.au
Fri Mar 6 23:04:43 UTC 2020

Hi Neil -

It depends on how you are going to return the reply attribute(s).

It also depends on how the reply attributes are stored, if they are not directly listed in the AuthBy LDAP2 clause.

If the reply attribute(s) is/are static in the configuration file, then yes, multiple AuthBy LDAP2 clauses are the simplest way.

For more complex scenarios you may need to use a PostSearchHook and some form of external storage.

In the general case, each piece of network equipment would be listed with an Identifier tag to group them, and your configuration file would be based on Handlers using the Client-Identifier.

Or alternatively, your PostAuthHook in the AuthBy LDAP2 clause would use the Client-Identifier together with the LDAP group information to query a UserGroup/DeviceGroup matrix in an SQL database for example.

If you can give us a bit more detail we may be able to make better suggestions.



> On 7 Mar 2020, at 09:41, Johnson, Neil M <neil-johnson at uiowa.edu> wrote:
> What is the correct way to return a different reply attribute depending on a user’s AD membership in a group using AuthBy LDAP2?
> The idea is to give some users full privileges to network equipment or limited privileges based on AD group membership.
> <AuthBy LDAP2>
>     Identifier uiowa_ad_users
>     Host XXXXX.iowa.uiowa.edu
>     AuthDN CN=serviceid,OU=ServiceIDs,OU=User Accounts,DC=iowa,DC=uiowa,DC=edu
>     AuthPassword SECRET
>     Port 389
>     UseTLS
>     SSLVerify None
>     BaseDN DC=iowa,DC=uiowa,DC=edu
>     Scope base
>     SearchFilter (objectclass=*)
>     ServerChecksPassword
>     UsernameAttr sAMAccountName
> </AuthBy>
> Do I use multiple AuthBy LDAP2 sections with different search filters in an AuthBy GROUP, or is there something I can do with AuthAttrDef?
> Multiple Google searches have been inconclusive and I’m not sure what the best solution is according to the manual.
> Thanks.
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator


Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
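As an added illustration of the "multiple AuthBy LDAP2 clauses" approach Hugh describes (this is not configuration from the thread or from Radiator's documentation): the two clauses reuse the connection settings from Neil's configuration, while the group DNs (CN=NetAdmins and CN=NetOperators under OU=Groups), the Identifier names and the Service-Type reply values are assumptions.

```text
# Added example, not from the thread. Group DNs, Identifier names and the
# reply values are assumptions; connection settings are Neil's.
<AuthBy GROUP>
    Identifier uiowa_ad_by_group
    # Try each inner clause in turn; stop at the first one that accepts.
    # A user in neither group is rejected by both, so the default is deny.
    AuthByPolicy ContinueWhileReject

    # Full privileges: the search only matches direct members of NetAdmins,
    # so only they can be authenticated here and receive Administrative-User.
    <AuthBy LDAP2>
        Identifier uiowa_ad_admins
        Host XXXXX.iowa.uiowa.edu
        AuthDN CN=serviceid,OU=ServiceIDs,OU=User Accounts,DC=iowa,DC=uiowa,DC=edu
        AuthPassword SECRET
        Port 389
        UseTLS
        # SSLVerify None is copied from the question; verifying the AD
        # server certificate is the safer setting for production.
        SSLVerify None
        BaseDN DC=iowa,DC=uiowa,DC=edu
        Scope subtree
        UsernameAttr sAMAccountName
        # In SearchFilter, %0 is replaced by UsernameAttr and %1 by the user name.
        SearchFilter (&(%0=%1)(memberOf=CN=NetAdmins,OU=Groups,DC=iowa,DC=uiowa,DC=edu))
        ServerChecksPassword
        AddToReply Service-Type = Administrative-User
    </AuthBy>

    # Limited privileges: only consulted when the clause above rejected.
    <AuthBy LDAP2>
        Identifier uiowa_ad_operators
        Host XXXXX.iowa.uiowa.edu
        AuthDN CN=serviceid,OU=ServiceIDs,OU=User Accounts,DC=iowa,DC=uiowa,DC=edu
        AuthPassword SECRET
        Port 389
        UseTLS
        SSLVerify None
        BaseDN DC=iowa,DC=uiowa,DC=edu
        Scope subtree
        UsernameAttr sAMAccountName
        SearchFilter (&(%0=%1)(memberOf=CN=NetOperators,OU=Groups,DC=iowa,DC=uiowa,DC=edu))
        ServerChecksPassword
        AddToReply Service-Type = NAS-Prompt-User
    </AuthBy>
</AuthBy>
```

Order the clauses from most to least privileged, since the first accepting clause decides the reply; note that memberOf matches direct membership only, so nested AD groups need the matching-rule filter (memberOf:1.2.840.113556.1.4.1941:=...) instead.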
