[sec: unclas] Huntgroupname checkitem in LDAP

Ranner, Frank MR Frank.Ranner at defence.gov.au
Tue Oct 17 04:16:36 CEST 2006

I have been experimenting with something like this and found you can
(mis)use the hints file to do something like this:
        Hint =

If you want, you can use Huntgroup-Name instead of Hint. In that case,
you should add a default, otherwise Huntgroup-Name gets set to "".
    Huntgroup-Name =
In this case, Huntgroup-Name gets set to None if it isn't found in ldap.
Some caveats:
The huntgroup file will not be processed if Huntgroup-Name exists
already. Since hints is processed before huntgroups that will be the 
Hints does not implement fallthrough - you get one match only. If you
want to process usernames too, instantiate another instance.
Another approach I have used is similar to your solution. I used rules
in users like this:
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Access-Level := RW,
        Service-Type = Administrative-User,
        Cisco-AVPair := "shell:priv-lvl=15",
        Passport-Command-Impact = configuration
The huntgroups are defined in the huntgroups file, or could be defined
as above; users are put into groups corresponding to the huntgroup.
You can also generate pseudo groups like this:
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
        Access-Level := RO,
        Service-Type = Nas-Prompt-User

So a user in radius group sydney_RO gets read-only access to devices in
huntgroup sydney.
For this to work you need to apply a patch I submitted in the list some
time ago, otherwise the substitution works only once. 
Frank Ranner

freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.or
[mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Jonathan De Graeve
Sent: Tuesday, 17 October 2006 01:18
To: freeradius-users at lists.freeradius.org
Subject: Huntgroupname checkitem in LDAP

Hello, I'm looking for a way to have my huntgroups defined in
LDAP similar to the way they are in SQL.

For example, if a user belongs to Ldap-Group vpn, the Group in
LDAP contains an attribute containing the huntgroup names which the
Group gives access to.

I tried adding 'checkItem Huntgroup-Name' info to my
ldap.attrmap with attribute 'info' having value: '=~ ^(vpn|sslvpn)$'
(without success)

I had success with the following setup:

In users:

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
        Fall-Through = no

DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn
        Fall-Through = no

DEFAULT Auth-Type := Reject

This allows specifying which user has access to which NAS group
by adding group memberships to the user. But it breaks the users existing
in SQL.

I could of course also add the specific SQL groups into the
users file, but this would still require a reorganisation of the SQL
users since they only have a Huntgroup-Name attribute for their
group level which specifies multiple huntgroups by using a regexp.

I'm kinda stuck in how to implement it. Any advice would be
greatly appreciated.
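As an added illustration, not code from either post or from FreeRADIUS itself, here is a small Python model of how the users entries in this thread resolve: Huntgroup-Name is set from the NAS address first, then the first entry whose expanded Ldap-Group check matches the user's LDAP groups wins (the RW entry before the _RO pseudo-group entry), with the unconditional Reject entry from the original question as the last line. The huntgroup names, NAS addresses and group memberships are constructed sample data.

```python
import re

# Constructed sample data: huntgroups file (NAS address -> huntgroup) and the
# LDAP group memberships that Ldap-Group is checked against.
HUNTGROUPS = {"192.0.2.10": "sydney", "192.0.2.20": "melbourne"}
LDAP_GROUPS = {
    "alice": {"sydney"},      # full access to the sydney huntgroup
    "bob": {"sydney_RO"},     # pseudo group: read-only in sydney
    "carol": {"melbourne"},   # no sydney membership at all
}

# The users-file entries from the thread, top to bottom. The check is the
# Ldap-Group value (with %{Huntgroup-Name} expanded per request); None is
# the unconditional "DEFAULT Auth-Type := Reject" fallback. No entry sets
# Fall-Through, so the first match is the only one applied.
USERS = [
    ("%{Huntgroup-Name}",
     {"Access-Level": "RW", "Service-Type": "Administrative-User"}),
    ("%{Huntgroup-Name}_RO",
     {"Access-Level": "RO", "Service-Type": "Nas-Prompt-User"}),
    (None, {"Auth-Type": "Reject"}),
]


def xlat(template, request):
    """Expand %{Attribute} references from request attributes ("" if unset)."""
    return re.sub(r"%\{([\w-]+)\}",
                  lambda m: request.get(m.group(1), ""), template)


def authorize(user, nas_ip):
    """Reply items produced by the first users entry that matches."""
    request = {"User-Name": user, "NAS-IP-Address": nas_ip}
    # huntgroups is processed before users, so Huntgroup-Name is already
    # set here; an unknown NAS leaves it empty and nothing below can match.
    request["Huntgroup-Name"] = HUNTGROUPS.get(nas_ip, "")
    groups = LDAP_GROUPS.get(user, set())
    for check, reply in USERS:
        if check is None or xlat(check, request) in groups:
            return dict(reply)
    return {"Auth-Type": "Reject"}  # unreachable while the Reject entry is last


if __name__ == "__main__":
    for user, nas in [("alice", "192.0.2.10"), ("bob", "192.0.2.10"),
                      ("carol", "192.0.2.10"), ("alice", "192.0.2.20")]:
        print(user, nas, authorize(user, nas))
```

Swapping the two group entries would not change these results, but it would if a user were in both sydney and sydney_RO, which is why the more privileged entry is listed first only when that is the intended precedence.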


