How to use LDAP Group attributes in post-auth section?


How to use LDAP Group attributes in post-auth section?

uj2.hahn
Hi!
I use freeradius 3.0.17 with the LDAP module for a school.
There are different LDAP groups (e.g. students and teachers).
WLAN login time should be limited, but differently for different groups.
In freeradius I already extracted the LDAP group the user belongs to, and I know how to limit the login time (Current-Time == "wk1602-0800") or so.
But of course I don't want to hardcode the group-specific time strings.
The idea is to define group attributes in LDAP which contain these strings.

- Is it possible to map group-specific attributes into the LDAP module of freeradius? Maybe some code snippets as a template...
- So far I use OpenLDAP as a training vehicle. Here I can add a radius schema. But the final solution has to be (existing) Active Directory. Is the above method usable there as well?
- Maybe there is a completely different solution out there I'm not aware of. Any hints are very welcome!


Thanks
Uwe
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to use LDAP Group attributes in post-auth section?

Alan DeKok-2
On Jan 8, 2020, at 12:26 PM, [hidden email] wrote:

>
> Hi!
> I use freeradius 3.0.17 with LDAP module for a school.
> There are different LDAP groups (e.g. students and teacher).
> WLAN login time should be limited but differently for different groups.
> In freeradius I already extracted the LDAP group the user belongs to and I know
> how to limit  the logintime (Current-Time == "wk1602-0800") or so.
> But of course I don't want to hardcode the group specific time strings.
> Idea is to define group attributes in LDAP which contain these strings.
>
> - Is it possible to map _group _specific attributes into LDAP module of freeradius,
>   may be some code snippets as template....

  You can do an LDAP query, if the time limits are in LDAP.

> - so far I use OpenLDAP as training vehicle. Here I can add a radius scheme. But
>   final solution has to be (existing) Active Directory. Is above method usable there
>   as well?

  Sure, if you extend the schema.

> - May be there is a completely different solution out there I'm not aware of.
>   Any hints are very welcome!

  TBH, the time limit format is very RADIUS specific.  It's best to put the rules into FreeRADIUS:

        if (LDAP-Group == "students")  {
                update reply {
                        Login-Time := "wk0900-1600"
                }
        }

  Alan DeKok.



Re: How to use LDAP Group attributes in post-auth section?

uj2.hahn
Hi, Alan!
Thanks again for very quick help. Some comments:

   > You can do an LDAP query, if the time limits are in LDAP.

Is there any hook in the LDAP module for that? Or do you mean to call a subprocess like " `ldapsearch ......` " in the post-auth section? I guess this has performance disadvantages because it would be called on each user login.
Is there a freeradius initialization module which can be used for this query, to do it once only?

Thanks
Uwe



Re: How to use LDAP Group attributes in post-auth section?

L. Rose
Am 08.01.20 um 19:57 schrieb [hidden email]:
> Is there a freeradius initialization module which can be used for this query to do it once only?

I'm quite new to freeradius, but I think the python module would be able to fulfill your needs. You can write a simple python wrapper script that is initialized once and provides certain functions that get called by the freeradius daemon. Then you'd only need to find a way to express your requests in python (which should be possible) and then the initialization isn't necessary for each request but only once. Of course, there might be a way to do this with specific modules instead of the general python module that might still be better, but it just came across me when reading your question.

Kind regards,

Lukas



Re: How to use LDAP Group attributes in post-auth section?

Alan DeKok-2
On Jan 8, 2020, at 1:57 PM, [hidden email] wrote:

>
> Hi, Alan!
> Thanks again for very quick help. Some comments:
>
>   > You can do an LDAP query, off the time limits are in LDAP.
>
> Is there any hook in the LDAP module for that? Or do you mean to call a subprocess
> like " `ldapsearch ......` " in the post-auth section? Guess this has performance disadvantages
> because it would be called by each user login.
> Is there a freeradius initialization module which can be used for this query to do it once only?

  You can use dynamic expansions:

        update reply {
                Reply-Message := "%{ldap: ... ldap query ... }"
        }

  The server will run the LDAP query, and copy the string output to the attribute.

  Alan DeKok.



Re: How to use LDAP Group attributes in post-auth section?

uj2.hahn
Hah!!
This works very well! Not only in the LDAP module but in the post-auth section of the default file as well.
And not only for radius profile LDAP attributes but for any!
It took me a while to find out the right syntax, but finally I found it in the documentation:

        update reply {
                Reply-Message := "%{ldap:ldap:///cn=gast,ou=groups,dc=kms,dc=de?radiusLoginTime}"
        }

Thanks a lot (again)!

Regards
Uwe

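As an added example (not code from the thread or from FreeRADIUS itself), a small Python checker for the Login-Time string format discussed above: it parses a value such as the radiusLoginTime attribute pulled from the directory, rejects malformed strings rather than letting them be copied into a reply unchecked, and tests whether a given weekday and time fall inside the allowed window, including spans like wk1602-0800 that wrap past midnight. It is a simplified re-implementation of the format as used in the thread (day codes Su..Sa, Wk, Al, ranges such as Mo-Fr, HHMM-HHMM, comma-separated entries), not FreeRADIUS's own rlm_logintime parser, and the function names are my own.

```python
import re
# Two-letter day codes of the Login-Time format; RADIUS counts Sunday as day 0.
_DAY = {"su": 0, "mo": 1, "tu": 2, "we": 3, "th": 4, "fr": 5, "sa": 6}
_ALIAS = {"wk": {1, 2, 3, 4, 5}, "al": set(range(7))}   # weekdays / all days
_ENTRY = re.compile(r"^([a-z-]*?)(?:(\d{4})-(\d{4}))?$")

def _minutes(hhmm):
    h, m = int(hhmm[:2]), int(hhmm[2:])
    if h > 24 or m > 59:
        raise ValueError("bad time %r" % hhmm)
    return h * 60 + m

def _parse_days(text):
    days, i = (set(range(7)) if not text else set()), 0   # no day part = every day
    while i < len(text):
        tok, i = text[i:i + 2], i + 2
        if tok in _ALIAS:
            days |= _ALIAS[tok]
        elif tok in _DAY and text[i:i + 1] == "-" and text[i + 1:i + 3] in _DAY:
            lo, hi = _DAY[tok], _DAY[text[i + 1:i + 3]]   # a range such as mo-fr
            days |= set(range(lo, hi + 1)) if lo <= hi else set(range(lo, 7)) | set(range(hi + 1))
            i += 3
        elif tok in _DAY:
            days.add(_DAY[tok])
        else:
            raise ValueError("bad day token %r" % tok)
    return days

def parse_login_time(spec):
    """Turn e.g. 'Wk0900-1600,Sa0800-1200' into [(days, start_min, end_min)]; raises ValueError if malformed."""
    spans = []
    for entry in spec.lower().split(","):
        m = _ENTRY.match(entry.strip())
        if not m:
            raise ValueError("bad Login-Time entry %r" % entry)
        start = _minutes(m.group(2)) if m.group(2) else 0
        end = _minutes(m.group(3)) if m.group(3) else 24 * 60
        spans.append((_parse_days(m.group(1)), start, end))
    return spans

def login_allowed(spec, day, hhmm):
    """True if RADIUS weekday `day` (0 = Sunday) at time 'HHMM' lies inside some span of `spec`."""
    now = _minutes(hhmm)
    for days, start, end in parse_login_time(spec):
        if start < end and day in days and start <= now < end:
            return True
        # A span whose end is earlier than its start wraps past midnight (e.g. wk1602-0800).
        if start >= end and ((day in days and now >= start) or ((day - 1) % 7 in days and now < end)):
            return True
    return False
```

Validating the directory value this way before it reaches `Login-Time` means a mistyped or tampered group attribute produces a clear error instead of silently granting or denying access.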