Configure Freeradius to check a connecting user against multiple LDAP groups

Question

I'm setting up a Cisco ASA as a client vpn server. The appliance is relying on freeradius to authenticate the users. Freeradius has in turn been configured to query OpenLDAP.

The modules/ldap file has been configured to check the groups ownership by using the following filter (members are listed under each group by using the attribute memberUid):

groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

The file freeradius/users has this statement:

DEFAULT LDAP-Group != "cn=unixadm,ou=groups,dc=services,dc=company,dc=com", Auth-Type := Reject

I would like to use multiple membership checks, for example to allow only users belonging to a set of groups. Apparently, freeradius fails if more then one group is specified.

I'm looking for a way to list more than one group.

The operating system used for freeradius and openldap is ubuntu 10.04.

score 2 · Accepted Answer · answered May 09 '12 at 07:32

2

I've found a way! The freeradius/users file has to be configured this way:

DEFAULT LDAP-Group == "cn=unixadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=developers,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=routingadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT Auth-Type := Reject
Reply-Message = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."

The rest is the same. Tested to be working as expected!

answered May 09 '12 at 07:32

spidernik84

319
1
5
12

Its not working in my case – Satish Nov 02 '17 at 01:57
in my case it works like this `DEFAULT LDAP-Group == "cn=unixadm,ou=groups,dc=services,dc=company,dc=com", TunnelGroupName=F00` – Satish Nov 02 '17 at 02:39

Configure Freeradius to check a connecting user against multiple LDAP groups

1 Answers1

Linked