Home / server / Questions / 387248
Accepted
spidernik84
Asked: 2012-05-09 12:25:33 +0800 CST

Configure Freeradius to check a connecting user against multiple LDAP groups

  • 772

I'm setting up a Cisco ASA as a client vpn server. The appliance is relying on freeradius to authenticate the users. Freeradius has in turn been configured to query OpenLDAP.

The modules/ldap file has been configured to check the groups ownership by using the following filter (members are listed under each group by using the attribute memberUid):

groupmembership_filter = "(&(objectClass=posixGroup)(memberUid=%{User-Name}))"

The file freeradius/users has this statement:

DEFAULT LDAP-Group != "cn=unixadm,ou=groups,dc=services,dc=company,dc=com", Auth-Type := Reject

I would like to use multiple membership checks, for example to allow only users belonging to a set of groups. Apparently, freeradius fails if more then one group is specified.

I'm looking for a way to list more than one group.

The operating system used for freeradius and openldap is ubuntu 10.04.

openldap cisco-asa freeradius

1 Answers

  1. Best Answer

    I've found a way! The freeradius/users file has to be configured this way:

    DEFAULT LDAP-Group == "cn=unixadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=developers,ou=groups,dc=services,dc=company,dc=com"
DEFAULT LDAP-Group == "cn=routingadm,ou=groups,dc=services,dc=company,dc=com"
DEFAULT Auth-Type := Reject
Reply-Message = "Sorry, you're not part of an authorized group! Ask ITOPS for authorization."

    The rest is the same. Tested to be working as expected!

    • 2