Hello List,

Suppose the following situation:

1.) All the users and groups are stored in AD.
2.) The AD schema cannot be extended to hold RADIUS attributes.
3.) But the RADIUS attributes can be stored in a database.

Is there a way to configure FreeRADIUS to compile a user's group membership via rlm_ldap and then pass that group information on to rlm_sql for group authorization?

I thought about getting the user's groups by fetching the multi-valued 'memberOf' attribute from AD and then copying it to the control list via ldap.attrmap. But I don't see any way to then make rlm_sql use that attribute in an authorization query (at least in any sort of useful manner).

One work-around is to periodically export the AD group membership data and rebuild the usergroup table from it. I'd really like to avoid this approach if at all possible.

--
Mike Loosbrock
Bethel University Network Services
651-638-6723

