RE: [sec: unclas] Huntgroupname checkitem in LDAP



I have been experimenting with something like this and found you can (mis)use the hints file to do something like this:
 
DEFAULT
        Hint = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`
If you want you can use Huntgroup-Name instead of Hint. In that case, you should add a default, otherwise Huntgroup-Name gets set to "".
 
DEFAULT
    Huntgroup-Name = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}:-None}`
 
In this case, Huntgroup-Name gets set to None if it isn't found in ldap.
Some caveats:
The huntgroups file will not be processed if Huntgroup-Name exists already. Since hints is processed before huntgroups, that will be the case.
 
Hints does not implement fallthrough - you get one match only. If you want to process usernames too, instantiate another instance.
 
 
Another approach I have used is similar to your solution. I used rules in users like this:
 
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
        Access-Level := RW,
        Service-Type = Administrative-User,
        Cisco-AVPair := "shell:priv-lvl=15",
        Passport-Command-Impact = configuration
 
The huntgroups are defined in the huntgroups file, or could be defined as above; users are put into groups corresponding to the huntgroup names.
You can also generate pseudo groups like this:
 
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
        Access-Level := RO,
        Service-Type = Nas-Prompt-User
So a user in radius group sydney_RO gets read-only access to devices in huntgroup sydney.
 
For this to work you need to apply a patch I submitted in the list some time ago, otherwise the substitution works only once.
 
regards
Frank Ranner
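As an added illustration (not Frank's code and not part of FreeRADIUS), here is a small Python model of the decision the entries above make: the NAS IP is resolved to a huntgroup with the :-None default, then the user's groups are tested against the huntgroup name and the _RO pseudo group. The host table and group memberships are constructed sample data.

```python
# Constructed data: NAS IP -> radiusHuntgroupName, standing in for the
# ou=hosts entries the %{ldap:...} xlat would query by ipHostNumber.
HOSTS = {
    "10.0.1.1": "sydney",
    "10.0.2.1": "melbourne",
}

# Constructed data: user -> radius group names (what Ldap-Group tests).
GROUP_MEMBERS = {
    "alice": {"sydney", "melbourne_RO"},
    "bob": {"sydney_RO"},
    "carol": set(),
}


def huntgroup_for_nas(nas_ip: str, default: str = "None") -> str:
    """Model of %{ldap:...?ipHostNumber=%{NAS-IP-Address}:-None}:
    the huntgroup for the NAS, or the :-default when nothing is found.
    Note the default is a real string: a group literally named
    "None" or "None_RO" would match it in authorize() below."""
    return HOSTS.get(nas_ip, default)


def authorize(user: str, nas_ip: str) -> dict:
    """Evaluate the two DEFAULT users entries in order:
      Ldap-Group == %{Huntgroup-Name}     -> Access-Level RW
      Ldap-Group == %{Huntgroup-Name}_RO  -> Access-Level RO
    Access-Level None means no entry matched."""
    huntgroup = huntgroup_for_nas(nas_ip)
    groups = GROUP_MEMBERS.get(user, set())
    reply = {"Huntgroup-Name": huntgroup, "Access-Level": None}
    if huntgroup in groups:
        reply.update({"Access-Level": "RW",
                      "Service-Type": "Administrative-User",
                      "Cisco-AVPair": "shell:priv-lvl=15"})
    elif huntgroup + "_RO" in groups:
        reply.update({"Access-Level": "RO",
                      "Service-Type": "NAS-Prompt-User"})
    return reply


if __name__ == "__main__":
    for user in GROUP_MEMBERS:
        for nas in ("10.0.1.1", "10.0.2.1", "192.0.2.9"):
            print(user, nas, authorize(user, nas))
```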
 
 
 

From: freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org] On Behalf Of Jonathan De Graeve
Sent: Tuesday, 17 October 2006 01:18
To: freeradius-users@lists.freeradius.org
Subject: Huntgroupname checkitem in LDAP

Hello, I'm looking for a way to have my huntgroups defined in LDAP similar to the way they are in SQL.

 

For example if a user belongs to Ldap-Group vpn, the Group in ldap contains an attribute containing the huntgroup names which the Group gives access to.

 

I tried adding 'checkItem Huntgroup-Name' info to my ldap.attrmap with attribute 'info' having value: '=~ ^(vpn|sslvpn)$' (without success)

 

 

I had success with the following setup:

 

In users:

 

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn

                        Fall-Through = no

 

DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn

                        Fall-Through = no

 

DEFAULT Auth-Type := Reject

 

This allows specifying which user has access to which NAS group by adding group memberships to the user. But it breaks the users existing in SQL.

 

I could of course also add the specific SQL groups into the users file, but this would still require a reorganisation of the SQL users, since they only have a Huntgroup-Name attribute for their group level which specifies multiple huntgroups by using a regexp.

 

I'm kinda stuck on how to implement it. Any advice would be greatly appreciated.

 

J.


