Occasional Contributor I

Mapping user roles to OU returned from AD

When amigopod is integrated with AD is there a way to have it return a different user role based on the OU of the user that has been authenticated?

Frequent Contributor II

Re: Mapping user roles to OU returned from AD

There is a wealth of options available if you are using clearpass (avenda) as a backend which I have integrated with AD, which is what I have done. Connect amigopod to clearpass via radius to make more complex policy decisions. Pass a VSAs back to amigopod. hope this helps?

Re: Mapping user roles to OU returned from AD


Check the "Advanced Authorization" section of the Amiogopod Exernal Authentication Servers guide.  It has an example (below) of assigning roles based on OUs.   When Amigopod is merged with ClearPass, there are easier and more defined ways of doing this.


Advanced authorization — Example 1 


This example covers the case where a domain contains several organizational units (OUs), and the
users in each OU are to be mapped to a specific RADIUS role ID.
NOTE To determine the appropriate role ID, navigate to RADIUS Services > User Roles and check the
ID column for the appropriate role.

For example, to implement the following configuration:
• OU East should be mapped to RADIUS role ID 4
• OU Central should be mapped to RADIUS role ID 5
• OU West should be mapped to RADIUS role ID 6

Make sure the following configuration is set:

1. First, ensure that the Base DN for the authentication server is set to the root of the domain –
for example: DC=amigopod,DC=local – rather than the “users” container. This is necessary as
the organizational units are located below the top level of the directory and cannot be
searched from the CN=Users container.
2. Select the authorization method Use PHP code to assign a user role (Advanced) and use the
following code:
if (stripos($user['distinguishedname'],'OU=East')) return 4;
if (stripos($user['distinguishedname'],'OU=Central')) return 5;
if (stripos($user['distinguishedname'],'OU=West')) return 6;
return false;

Explanation: During user authorization, the distinguished name of the user (which will contain the
user’s OU) is checked against the defined rules, and an appropriate role ID is returned. If no match
is found, false is returned, which means that authorization fails and the user’s Access-Request will
be rejected.

Systems Engineer, Northeast USA

Occasional Contributor I

Re: Mapping user roles to OU returned from AD

Ok excellent thank you very much I will go try that and look through the guide. 

Search Airheads
Showing results for 
Search instead for 
Did you mean: