Nasser Heidari

2012-07-17

Freeradius – check nested ldap group membership

Filed under: Linux — Nasser Heidari @ 15:23

If your organization has many users and groups, you probably also use nested groups.
For example, UserA is a member of SalesGroup, and SalesGroup is a member of VPN_Group.
I want every member of VPN_Group, direct or nested, to be able to connect to the VPN server. If you use the normal groupmembership_filter in your ldap module (a plain (member=<user dn>) match), UserA will not be able to authenticate, because he is not a direct member of VPN_Group.
If you need this, the only way I know is to use the Active Directory matching rule OID LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941), which makes the directory server walk the membership chain itself. Note that this rule is an Active Directory extension; a generic LDAP server such as OpenLDAP does not implement it and will reject the filter.

I made it work with the following group membership filter in the ldap module:

groupmembership_filter = "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn}))"

The LDAP search filter syntax used here, including the attr:oid:=value extensible-match form, is defined in RFC 4515.
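As an added example (not code from the original post or from FreeRADIUS), the following Python models what the in-chain matching rule evaluates on the server side: a plain (member=<dn>) match finds only direct parents, while the 1.2.840.113556.1.4.1941 rule follows the chain of groups, so UserA is found in VPN_Group through SalesGroup. The directory data is constructed for the example and includes a group cycle to show that chain expansion must terminate. It also builds the filter string from the post with RFC 4515 escaping of the expanded DN; the escaping helper is illustrative of what any filter value needs and is not a description of rlm_ldap's internals.

```python
# Added example, not from the original post or the FreeRADIUS project.
# Models the difference between a plain (member=<dn>) match and the
# Active Directory LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
# rule, and builds the groupmembership_filter from the post.
from collections import deque

# Constructed sample directory (hypothetical DNs): group DN -> member DNs.
#   UserA -> SalesGroup -> VPN_Group           (nested, two levels)
#   UserB -> VPN_Group                         (direct)
#   UserC -> LoopB <-> LoopA -> VPN_Group      (nested, through a cycle)
#   UserD is in no group.
GROUPS = {
    "CN=SalesGroup,OU=Groups,DC=example,DC=com": [
        "CN=UserA,OU=Users,DC=example,DC=com",
    ],
    "CN=VPN_Group,OU=Groups,DC=example,DC=com": [
        "CN=SalesGroup,OU=Groups,DC=example,DC=com",
        "CN=UserB,OU=Users,DC=example,DC=com",
        "CN=LoopA,OU=Groups,DC=example,DC=com",
    ],
    "CN=LoopA,OU=Groups,DC=example,DC=com": [
        "CN=LoopB,OU=Groups,DC=example,DC=com",
    ],
    "CN=LoopB,OU=Groups,DC=example,DC=com": [
        "CN=LoopA,OU=Groups,DC=example,DC=com",
        "CN=UserC,OU=Users,DC=example,DC=com",
    ],
}


def direct_groups(dn):
    """What a plain (member=<dn>) filter returns: groups listing dn directly."""
    return sorted(g for g, members in GROUPS.items() if dn in members)


def groups_in_chain(dn):
    """What (member:1.2.840.113556.1.4.1941:=<dn>) returns: the transitive
    closure of group membership. Breadth-first over parent groups with a
    visited set, so a cycle between groups (LoopA <-> LoopB) terminates."""
    seen = set()
    queue = deque([dn])
    while queue:
        current = queue.popleft()
        for parent in direct_groups(current):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return sorted(seen)


def is_member_in_chain(user_dn, group_dn):
    """True if user_dn is a direct or nested member of group_dn."""
    return group_dn in groups_in_chain(user_dn)


def ldap_filter_escape(value):
    """RFC 4515 escaping for an assertion value inside a search filter.
    Only backslash, '*', '(', ')' and NUL need escaping; the commas and
    '=' that appear in a DN are fine as-is."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_groupmembership_filter(user_dn):
    """The filter from the post with %{control:Ldap-UserDn} expanded."""
    return (
        "(&(objectcategory=group)(member:1.2.840.113556.1.4.1941:=%s))"
        % ldap_filter_escape(user_dn)
    )


if __name__ == "__main__":
    vpn = "CN=VPN_Group,OU=Groups,DC=example,DC=com"
    for user in ("UserA", "UserB", "UserC", "UserD"):
        dn = "CN=%s,OU=Users,DC=example,DC=com" % user
        print(user, "direct:", direct_groups(dn))
        print(user, "in VPN_Group via chain:", is_member_in_chain(dn, vpn))
    print(build_groupmembership_filter("CN=UserA,OU=Users,DC=example,DC=com"))
```

Running it shows UserA's direct groups are only SalesGroup, which is why the plain filter denies the VPN login, while the chain lookup puts both UserA and UserC in VPN_Group and correctly leaves UserD out.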
