Restrict access to certain groups
kevin leblanc
kevinzebeste at gmail.com
Mon Feb 16 13:45:42 CET 2009
On Tue, Feb 10, 2009 at 1:54 PM, kevin leblanc <kevinzebeste at gmail.com> wrote:
> As a reminder: I want only user1 to be able to access host1.
>
> To illustrate it:
>                root
>                 |
>        ------------------
>        |                |
>      hosts            users
>        |                |
>     --------        ----------
>        |            |        |
>      host1        user1    user2
>        |
>        | members:
>        |
>      user1
>
>
> I found a possible way.
>
> In radiusd.conf, I put:
> groupname_attribute = "cn"
> group_membership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>
> In the users file, I put:
> Ldap-Group == "XXXXX" Auth-Type:= LDAP
>
> XXXXX will be the IP/hostname of the host which tries to connect.
>
> Is there any variable like %{LDAP-UserDN} which could give me this
> information?
>
> Thanks for any help
>
>
> --
> KeV
>
I found the variable %{Client-IP-Address}, which gives me the host's IP.
But is there any way to get the hostname instead of the IP?
By hostname, I mean the real hostname, not the one defined in clients.conf with
the attribute shortname.
Another question: I don't want to store the identity/password attributes in
radiusd.conf for security reasons.
I tried the line below in the users file, but it doesn't work:
DEFAULT Ldap-UserDN := `uid=%{User-Name},ou=people,dc=company,dc=com`
Any idea?
Thanks
--
KeV