Problem with LDAP and Groups

Bryan Evege bryan at bevege.com
Wed Oct 17 01:07:15 CEST 2007


 

________________________________

Message: 3
Date: Thu, 11 Oct 2007 23:23:45 +0100
From: <tnt at kalik.co.yu>
Subject: Re: Problem with LDAP and Groups
To: "FreeRadius users mailing list"
        <freeradius-users at lists.freeradius.org>
Message-ID: <oQaIjLrO.1192141425.2493270.tnt at kalik.co.yu>
Content-Type: text/plain; charset=ISO-8859-2

Read instructions in huntgroups file. Group devices in huntgroups:

cisco   NAS-IP-Address == a.b.c.d
cisco   NAS-IP-Address == a.b.c.e
etc.

linux   NAS-IP-Address == z.y.x.w
linux   NAS-IP-Address == z.y.x.v
etc.

Add Huntgroup-Name to the DEFAULT entries:

DEFAULT Huntgroup-Name == "cisco", Ldap-Group == "cisco_priv_15",
User-Profile :=
"uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net"

You can leave out Auth-Type. These attributes will then be passed only
when user logs in from a device in cisco huntgroup. For other entries
Ldap group might match but huntgroup will not.

Things get complicated if roles and devices overlap and you have two or
more entries where both the group and hungroup will match. For instance,
you wanted the same user in priv level 1 and 15 groups. You then have to
add another level of distincion, like a realm/sufix/prefix.

Ivan Kalik
Kalik Informatika ISP


Dana 11/10/2007, "Bryan Evege" <bryan at bevege.com> pi?e:

>Message: 6
>> Date: Thu, 11 Oct 2007 21:13:21 +0100
>> From: <tnt at kalik.co.yu>
>> Subject: Re: Problem with LDAP and Groups
>> To: "FreeRadius users mailing list"
>>      <freeradius-users at lists.freeradius.org>
>> Message-ID: <bS0cz6Hw.1192133601.8730890.tnt at kalik.co.yu>
>> Content-Type: text/plain; charset=ISO-8859-2
>>
>>
>>> If I change the fall through to yes it still matches as many groups as the user is in. How can I tell freeradius which attributes to send back?
>>>
>>
>> If you want to send sets of attributes according to the NAS user is
>> trying to log into use huntgroups.
>>
>>
>>> For example, bevege is a member of the following groups, packetshapper, cisco_priv_15, cisco_priv_1, linux.
>>>
>>
>> Your group allocation is wrong. You can't have the same user(name) on
>> the same device having priv levels 1 and 15. Pick one. Or have him log
>> in as username at 1 and username at 15 and use realms to allocate correct set
>> of attributes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>Could you please explain a bit more. From what I understand you cannot
>use Huntgroups to lookup what group a user is in. I only uses /etc/group
>/etc/password. What I would like to do is this. User bevege logs in from
>Cisco router. Have the users file somehow detect that the request has
>come from a cisco router (by IP I would guess) then validate that the
>user is in the correct group and then pass back the specific attributes
>just for the cisco. Same thing for packetshapper etc.
>
>Thanks,
>
>Bryan
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>

Ok, this is driving me insane.  I tried the way you suggested but here's the problem.  User A is in the packeteer group, user B is in the packeteer_read_only group.  Using the Huntgroup and users file below only allows user A (packeteer) to logon.  User B doesn't work at all.  If I reverse the order of the huntgroup file (packeteer_read_only first) then only user B can logon.  This makes sense because which ever one is first in the huntgroups file matches and freeradius doesn't look any further.  Isn't there a more detailed way to search the huntgroup?  Or maybe I need to do better matching of the ldap group? I really need to get this working ASAP.
 
Just a little background.  We have about 10-15 users and about 20 devices of varying types.  Some users (network operations) need read only access and some departments (network engineering) need full access to just about everything.    Using NAS based huntgroups doesn't seem to work because only one group type can login, ie the first to match.  Using just group based lookups doesn't work either unless the user is only a member of only one group, again the first one to match, which defeats the whole purpose of groups.  
 
I need to figure out a way to have user A in the packeteer group and user B in packeteer_read_only group and be able to have them both login to multiple devices with the appropriate access defined in LDAP.  How on earth are companies with lots of devices and lots of different user access levels doing this?  It can't be that hard.  Any help would be greatly appreciated, I'm getting pressure to get this going ASAP.

Huntgroups file

packeteer                      NAS-IP-Address == 10.17.69.12

packeteer_read_only  NAS-IP-Address == 10.17.69.12

Users file

162 DEFAULT Huntgroup-Name == "packeteer",Ldap-Group == Packeteer,User-Profile := "uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
163         Fall-Through = no

 165 DEFAULT Huntgroup-Name == "packeteer_read_only",Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 

166 Fall-Through = no




-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 8286 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071016/5dd41664/attachment.bin>


More information about the Freeradius-Users mailing list