clash between group LDAP

Dusty Doris freeradius at mail.doris.cc
Thu Jul 21 16:02:36 CEST 2005


> Dear all,
>
>  I've an LDAP tree structure as below, to separate ADSL & DIALUP. But I
> encounter one problem.. when userA = userB, LDAP will find userA's
> account although it is userB that actually logs in. This may be due to the DEFAULT
> sequence in the users file.
>
>  Any idea to solve this ? thanks..
>
>
>                                 ou=AAA
>                                      |
>                                      |
>                     ----------------------------------
>                     |                                                 |
>                  ou=ADSL                            ou=DIALUP
>
>  dn: uid=userA,ou=ADSL,ou=AAA ...          dn:
> uid=userB,ou=DIALUP,ou=AAA....
>  serviceflag: ADSL                                       serviceflag: DIALUP
>


I'm curious as to why you've structured it that way?  It seems to me that
you would want one tree for users and then define what services the users
have in their profile.  That way a user can be both adsl and dial, without
having to be present in both trees.

Rather than creating a new tree for each service, it makes more sense to
define your tree based on users.  Then each service they have access to is
merely an attribute of that user.

Imagine what it will look like if you try to scale that and add 10
different services such as FTP, webhosting, portal logins, vpn, etc...

The ldap_howto.txt doc explains how you can do this, but here is a
summary.


dn: uid=user1,ou=radius,dc=yourdomain
uid: user1
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: adsl

dn: uid=user2,ou=radius,dc=yourdomain
uid: user2
objectclass: radiusprofile
userpassword: pass
radiusgroupname: dial
radiusgroupname: vpn

Then you need something to determine if this is coming from a dial NAS,
ADSL NAS, VPN NAS, etc...  Usually you can use NAS-IP-Address or
NAS-Port-Type or something along those lines.

Say you had two dial NASes and one ADSL NAS.

In huntgroups:

dial	NAS-IP-Address == 10.0.0.1
dial	NAS-IP-Address == 10.0.0.2

adsl	NAS-IP-Address == 10.0.0.3

In users:

DEFAULT Huntgroup-Name == dial, Ldap-Group == dial

DEFAULT Huntgroup-Name == adsl, Ldap-Group == adsl

DEFAULT Auth-Type := Reject

That config above would do the following:

1.  If the access-request comes from your dial nas, check to see if the
user has radiusgroupname: dial.  If so, authorize.  If not, reject.

2.  If the access-request comes from your adsl nas, check to see if the
user has radiusgroupname: adsl.  If so, authorize.  If not, reject.

I think you'd be much happier with a format like that, especially if there
is any chance that you might start adding new services.

-Dusty
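As an added illustration (not code from the post or from FreeRADIUS itself), here is a small Python model of how the huntgroups and users entries above decide access: the users file is evaluated top to bottom and the first matching DEFAULT entry wins, so the final `Auth-Type := Reject` only fires when no service entry matched. The in-memory "directory" is constructed from the two LDIF entries in the reply; the function names are mine.

```python
# Constructed stand-in for the LDAP directory from the post:
# uid -> multi-valued radiusgroupname attribute.
LDAP_DIRECTORY = {
    "user1": {"radiusgroupname": ["dial", "adsl"]},
    "user2": {"radiusgroupname": ["dial", "vpn"]},
}

# huntgroups file: (huntgroup name, NAS-IP-Address) as in the reply.
HUNTGROUPS = [
    ("dial", "10.0.0.1"),
    ("dial", "10.0.0.2"),
    ("adsl", "10.0.0.3"),
]

# users file, in order.  The last entry is the catch-all reject.
USERS = [
    {"Huntgroup-Name": "dial", "Ldap-Group": "dial"},
    {"Huntgroup-Name": "adsl", "Ldap-Group": "adsl"},
    {"Auth-Type": "Reject"},
]


def huntgroup_for(nas_ip):
    """Name of the huntgroup whose NAS-IP-Address check matches, else None."""
    for name, ip in HUNTGROUPS:
        if ip == nas_ip:
            return name
    return None


def ldap_group_member(uid, group):
    """Emulate the Ldap-Group check: is group one of the user's radiusgroupname values?"""
    entry = LDAP_DIRECTORY.get(uid)
    return entry is not None and group in entry["radiusgroupname"]


def authorize(uid, nas_ip):
    """First-match walk of the users file (no Fall-Through); 'accept' or 'reject'."""
    huntgroup = huntgroup_for(nas_ip)
    for entry in USERS:
        if entry.get("Auth-Type") == "Reject":
            return "reject"  # nothing above matched: unknown NAS or missing service
        if entry["Huntgroup-Name"] != huntgroup:
            continue  # request came from a different kind of NAS
        if not ldap_group_member(uid, entry["Ldap-Group"]):
            continue  # right NAS, but the user lacks that service
        return "accept"
    return "reject"
```

Running `authorize("user2", "10.0.0.3")` yields "reject" because user2 has no `radiusgroupname: adsl`, while the same user from 10.0.0.1 is accepted through the dial entry.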


