[RADIATOR] Radiator / LDAP / matching on multi-valued field

Martin Mersberger martin at mersberger.de
Sat Feb 12 11:47:59 UTC 2022


Hi Dave,

I'm sure there are multiple options for this.

We solved it by using two settings - setting a handler with 
NAS-IP-Address and running the AuthBy LDAP2 with a modified SearchFilter[1], 
which returns only AD/LDAP entries matching the relevant group.


As an example:

<Handler NAS-IP-Address = /^<IP ADDRESS REGEX>$/>
    <AuthBy LDAP2>
        Host         <AD DC's>
        UseSSL
        AuthDN       <AD Bind User>
        AuthPassword <AD Bind Passwd>
        Version      3
        SSLVerify    require
        SSLCAFile    /etc/ssl/radius/ca.crt
        BaseDN       CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com
        SearchFilter (&(sAMAccountName=%1)(memberOf=CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com))
    </AuthBy>
</Handler>


And repeat for all IP ranges which need different handling.



Hope it helps ;-)


@Heikki et al. - improvements are welcome - that configuration has a 
couple of years of history and more elegant options may have arrived in 
the meantime ;-)

cheers
	Martin



[1] i.e.: 
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
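As an added illustration of the approach described above (example code, not Radiator's own code and not from the post): a small Python model of the two settings, handler selection by NAS-IP-Address regex and a group-restricting search filter of the same shape as the SearchFilter line, evaluated against a constructed in-memory directory and a hypothetical handler table. It also escapes the substituted username per RFC 4515, which is the point to check for whatever performs the %1 substitution.

```python
import re
from typing import Dict, List, Optional

# Constructed sample directory (not real data): one entry per account.
DIRECTORY: List[Dict[str, List[str]]] = [
    {"sAMAccountName": ["alice"],
     "memberOf": ["CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"]},
    {"sAMAccountName": ["bob"],
     "memberOf": ["CN=Staff,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"]},
]

# Hypothetical handler table: NAS-IP-Address regex -> group DN that handler requires.
HANDLERS = [
    (re.compile(r"^10\.0\.1\.\d{1,3}$"),
     "CN=Admin Access,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"),
    (re.compile(r"^10\.0\.2\.\d{1,3}$"),
     "CN=Staff,CN=Users,DC=MYDOMAIN,DC=mycompany,DC=com"),
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: filter metacharacters become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_search_filter(username: str, group_dn: str) -> str:
    """Same shape as the post's SearchFilter, with the %1 value escaped."""
    return "(&(sAMAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username), escape_filter_value(group_dn))

# One equality assertion; escaped bytes are allowed, raw parens are not.
ASSERTION_RE = re.compile(r"\((\w+)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")

def ldap_search(search_filter: str) -> List[str]:
    """Minimal in-memory evaluator for an AND of equality assertions."""
    assertions = [(a, unescape_filter_value(v))
                  for a, v in ASSERTION_RE.findall(search_filter)]
    return [e["sAMAccountName"][0] for e in DIRECTORY
            if all(val in e.get(attr, []) for attr, val in assertions)]

def select_group(nas_ip: str) -> Optional[str]:
    """First handler whose NAS-IP-Address regex matches wins, as in Radiator."""
    for pattern, group in HANDLERS:
        if pattern.match(nas_ip):
            return group
    return None

def authorize(nas_ip: str, username: str) -> bool:
    group = select_group(nas_ip)
    if group is None:
        return False  # no handler for this NAS: reject
    return ldap_search(build_search_filter(username, group)) == [username]
```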



