
I have been trying to set up freeradius service for our network devices which would authenticate against Active Directory. I have the authentication working right now. The next piece I am trying to accomplish is to check whether the user is part of a group, which is quite easy using the parameter "require-membership-of" for ntlm_auth.

The config I have is this:

program = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN --require-membership-of='DOMAIN\NetworkAdmins' --username=%{mschap:User-Name} --password=%{User-Password}"

But I cannot find a way to check against 2 or more groups. Is there a way to do it somehow?

Thanks

Nafeez Quraishi
Madi

1 Answer

Short answer: don't use ntlm_auth for this, but use the LDAP module instead.

Group checking via ntlm_auth is very basic. (It's actually also better to skip using ntlm_auth completely and start to use the direct winbind auth built into FreeRADIUS: see winbind_username and winbind_domain in raddb/mods-available/mschap.)

To have much better control over group membership checking (including correctly checking nested groups) you should not do it as part of ntlm_auth (or winbind auth) at all, but configure and use the ldap module.

See raddb/mods-available/ldap for all the details. You'll need to create a symlink raddb/mods-enabled/ldap -> ../mods-available/ldap to enable it.

With the LDAP module configured you can use the virtual attribute LDAP-Group to test to see if the user is in groups, e.g.

if (LDAP-Group == "group1" && LDAP-Group == "group2") {
    ...
}

If you find that that is still not flexible enough for your configuration, you can use an XLAT expansion to do ad-hoc LDAP queries.

Matthew Newton
  • Hello, thanks for the information. I am using FreeRADIUS Version 3.0.13, but it seems they completely dumped the LDAP module from it. Not sure if they don't support it anymore, so not sure if I have any other options than ntlm_auth. – Madi Jul 23 '19 at 11:08
  • The LDAP module certainly hasn't been removed. You might need to install another package (e.g. `freeradius-ldap`) if you're using O/S packages. – Matthew Newton Jul 23 '19 at 11:37
  • Aah, didn't notice that you have to install it separately. Thanks, will play with that now. – Madi Jul 23 '19 at 12:55
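As an added example of the ldap-module approach the answer recommends (not part of the answer or of the FreeRADIUS distribution), this is a minimal AD-oriented ldap module definition plus an authorize-section check for membership in either of two groups; the server, bind DN, password, base DN and group names are placeholders to be replaced with your own.

```conf
# raddb/mods-available/ldap (excerpt): point the module at Active Directory.
# All hostnames, DNs, the password and the group names below are placeholders.
ldap {
    server = 'ldaps://dc1.example.corp'
    # read-only service account used to look up users and groups
    identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=corp'
    password = 'changeme'
    base_dn = 'DC=example,DC=corp'

    user {
        base_dn = "${..base_dn}"
        # AD logon names are stored in sAMAccountName, not uid
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        # LDAP-Group == "name" compares against this attribute
        name_attribute = cn
        # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes AD
        # expand nested groups, so membership through an intermediate group
        # is found. Ldap-UserDn is set by the user lookup above.
        membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"
        # membership_attribute (memberOf) is deliberately not set: memberOf only
        # lists direct membership, so the filter above is used instead
        cacheable_name = 'no'
        cacheable_dn = 'no'
    }
}

# raddb/sites-enabled/default (excerpt of the authorize section).
# Remember to symlink mods-enabled/ldap -> ../mods-available/ldap first.
authorize {
    # ... preprocess, mschap, suffix etc. stay as in the stock config ...
    ldap
    # LDAP-Group is the virtual attribute the ldap module evaluates on demand.
    # Reject unless the user is in at least one of the two groups; use &&
    # instead of || if membership in both groups should be required.
    if (!(LDAP-Group == "NetworkAdmins" || LDAP-Group == "NetworkOps")) {
        update reply {
            Reply-Message := "Not a member of an authorised network group"
        }
        reject
    }
}
```

With MS-CHAP the password check still happens in the mschap module (via winbind or ntlm_auth); the ldap module here is only used for the group decision, so the bind account needs read access to group membership but never sees user passwords.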