Reply-Items in Ldap-Group [SEC=UNCLASSIFIED]

Ranner, Frank MR Frank.Ranner at defence.gov.au
Mon Mar 3 03:27:13 CET 2008


UNCLASSIFIED



> -----Original Message-----
> From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org
> [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org]
> On Behalf Of Giovanni Lovato
> Sent: Saturday, 1 March 2008 11:23
> To: FreeRadius users mailing list
> Subject: Reply-Items in Ldap-Group
> 
> I wish to assign various Reply-Items to a group defined in LDAP, and 
> then configuring FreeRADIUS to fetch those Reply-Items whenever a user
> belonging to that group authenticates. Is that possible?
> 
> Thank you!
> 

You can use an indirect method:

In users you can specify:

DEFAULT Ldap-Group == "netops", User-Profile:='cn=netops,ou=profiles,dc=example'

In ldap:

dn: cn=netops,ou=Profiles,dc=example
objectClass: radiusprofile
objectClass: applicationProcess
objectClass: top
cn: netops
description: Profile for all devices for netops users
radiusReplyItem: Passport-Customer-Identifier = 0
radiusReplyItem: Passport-Command-Scope = network
radiusReplyItem: Passport-Allowed-Access = telnet
radiusReplyItem: Passport-Allowed-Access += ftp
radiusReplyItem: Passport-Allowed-Access += fmip
radiusReplyItem: Passport-Allowed-Access += local
radiusReplyItem: Passport-Login-Directory = /
radiusReplyItem: Passport-Timeout-Protocol = enabled
radiusReplyItem: Passport-AllowedOut-Access = telnet
radiusReplyItem: Reply-Message := "Hello Network Administrator."
radiusReplyItem: Passport-Command-Impact = configuration
radiusReplyItem: Access-Level = RW
radiusServiceType: Administrative-User


Of course, the group record itself can be the profile. In my case,
groups are defined using the radiusgroupname attribute in the users
record. If you are using groupofnames then you could do:

DEFAULT Ldap-Group == "netops", User-Profile:='cn=netops,ou=groups,dc=example'

Regards,

Frank Ranner
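
Added example (not part of the message above and not FreeRADIUS code): a Python sketch of how the =, += and := operators in the profile's radiusReplyItem values combine into a reply list, following the operator meanings documented for reply items in the users file. The function names and the starting reply list are constructed for illustration, and the order in which the server itself merges per-user and profile items is not modelled.

```python
import re

# Reply items copied from the netops profile in the message (abridged).
PROFILE_LDIF = """\
dn: cn=netops,ou=Profiles,dc=example
objectClass: radiusprofile
radiusReplyItem: Passport-Allowed-Access = telnet
radiusReplyItem: Passport-Allowed-Access += ftp
radiusReplyItem: Passport-Allowed-Access += fmip
radiusReplyItem: Passport-Allowed-Access += local
radiusReplyItem: Reply-Message := "Hello Network Administrator."
radiusReplyItem: Access-Level = RW
"""

ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|\+=|=)\s*(.+)$')


def parse_reply_items(ldif):
    """Return [(attribute, operator, value)] for each radiusReplyItem line."""
    items = []
    for line in ldif.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() != "radiusreplyitem":
            continue
        m = ITEM_RE.match(value.strip())
        if m is None:
            raise ValueError(f"unparseable reply item: {value!r}")
        attr, op, val = m.groups()
        items.append((attr, op, val.strip('"')))
    return items


def merge(reply, items):
    """Apply profile items to an existing reply list of (attr, value) pairs."""
    reply = list(reply)
    for attr, op, val in items:
        if op == ":=":      # replace every existing instance
            reply = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, val))
        elif op == "+=":    # always append another instance
            reply.append((attr, val))
        elif all(a != attr for a, _ in reply):  # "=": add only if absent
            reply.append((attr, val))
    return reply


if __name__ == "__main__":
    # Constructed starting list: items already set before the profile is applied.
    existing = [("Reply-Message", "Welcome"), ("Access-Level", "RO")]
    for attr, val in merge(existing, parse_reply_items(PROFILE_LDIF)):
        print(f"{attr} = {val}")
```

With the constructed starting list, Access-Level stays RO because the profile sets it with "=", while Reply-Message is replaced because the profile uses ":=".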