[RADIATOR] Radiator / LDAP / matching on multi-valued field
Martin Mersberger
martin at mersberger.de
Sat Feb 12 11:47:59 UTC 2022
Hi Dave,
I'm sure there are multiple options for this.
We solved it by using two settings: a Handler keyed on NAS-IP-Address, and
running AuthBy LDAP2 with a modified SearchFilter [1], which returns only
AD/LDAP entries matching the relevant group.
As an example:
# One Handler per NAS address range; the regex selects which NAS this applies to
<Handler NAS-IP-Address = /^<IP ADDRESS REGEX>$/ >
    <AuthBy LDAP2>
        Host            <AD DC's>
        UseSSL
        AuthDN          <AD Bind User>
        AuthPassword    <AD Bind Passwd>
        Version         3
        # Verify the DC's certificate against our own CA, not just encrypt
        SSLVerify       require
        SSLCAFile       /etc/ssl/radius/ca.crt
        BaseDN          CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com
        # %1 is the RADIUS User-Name; the memberOf clause restricts the
        # result to users in the "Admin Access" group, so anyone else fails
        SearchFilter    (&(sAMAccountName=%1)(memberOf=CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com))
    </AuthBy>
</Handler>
And repeat for all IP ranges which need different handling.
Hope it helps ;-)
@Heikki et al.: improvements are welcome; that configuration has a
couple of years of history and more elegant options may have arrived in
the meantime ;-)
cheers
Martin
[1] i.e.:
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
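The following is an added illustration, not part of Martin's post and not Radiator code. It builds the same filter shape as the SearchFilter above for a given User-Name, escapes the username per RFC 4515 (the substitution Radiator performs for %1 is something to confirm in the reference manual of the version in use), and evaluates the filter against a small constructed in-memory directory whose memberOf attribute is multi-valued. The group DN and user entries are made up for the example; the point it shows is that an equality assertion on a multi-valued attribute matches if any one value matches, and that escaping stops a crafted User-Name from altering the filter structure.

```python
"""Constructed example: RFC 4515 escaping plus a minimal LDAP filter evaluator
over multi-valued attributes. Not from the original post or from Radiator."""

# RFC 4515 section 3: characters that must be hex-escaped inside assertion values.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Placeholder group DN, matching the shape used in the post's SearchFilter (assumed).
ADMIN_GROUP_DN = "CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"


def ldap_escape(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, group_dn: str = ADMIN_GROUP_DN) -> str:
    """Same filter as the post's SearchFilter, with %1 (User-Name) escaped."""
    return f"(&(sAMAccountName={ldap_escape(username)})(memberOf={ldap_escape(group_dn)}))"


def _unescape(raw: str) -> str:
    """Decode \\XX hex escapes back into the literal characters they stand for."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def _parse(s: str, i: int):
    """Parse one parenthesised filter component starting at s[i]; return (node, next_index).
    Supports &, |, ! and plain equality (no wildcards); an unescaped ')' ends a value."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, _, raw = s[i:end].partition("=")
    return ("=", attr.lower(), _unescape(raw)), end + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry whose attribute values are lists."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # Multi-valued semantics: true if ANY value equals the assertion (AD compares case-insensitively).
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


# Constructed directory: "dave" is in two groups, "eve" only in one.
DIRECTORY = [
    {"samaccountname": ["dave"],
     "memberof": ["CN=VPN Users,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com", ADMIN_GROUP_DN]},
    {"samaccountname": ["eve"],
     "memberof": ["CN=VPN Users,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"]},
]


def search(filter_str: str, directory=DIRECTORY) -> list:
    """Return the sAMAccountNames of entries the filter selects."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["samaccountname"][0] for e in directory if matches(node, e)]


if __name__ == "__main__":
    print(build_filter("dave"))
    print(search(build_filter("dave")))                  # dave is in Admin Access
    print(search(build_filter("eve")))                   # eve is not
    print(search(build_filter("dave)(objectClass=*")))   # escaped, stays one literal value
```

Usage: `search(build_filter("dave"))` returns `["dave"]` because one of dave's memberOf values equals the group DN; `eve` gets an empty result even though she has a memberOf attribute, and a User-Name containing `)(` is hex-escaped so the parser still sees exactly two AND clauses.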