Best way to do LDAP user and group restrictions?

Peter Lambrechtsen plambrechtsen at gmail.com
Fri Nov 6 21:14:48 CET 2009


Due to no responses from my email a few days ago I will assume that
using the postauth_users is the best way to get granular ldap user +
group to login to a restricted number of nas servers.

Will look to update the FR wiki with all my findings in detail.

Unless someone has a better suggestion on how to do this ;)

Thanks

Peter

On 1/11/2009, at 9:14 PM, Peter Lambrechtsen <plambrechtsen at gmail.com>  
wrote:

> I have configured FR 2.1.7 successfully and just wanted to confirm  
> this is the best way to achieve what I am wanting to do.
>
> I have a large number of nas elements scattered throughout the network
> that we are trying to centralise on a pair of redundant FR servers.
> The authentication will be based on users out of LDAP, and I would
> also like to have the authorization based on LDAP groups, so I can
> add a user into a group in LDAP and they will then have access to
> login to the NAS device.
>
> As part of this we need to restrict certain nas types to a certain
> group of people, and return additional items as part of the
> Access-Accept such as Service-Type = "Login-User" or Cisco-avpair =
> "shell:priv-lvl=15" and such like.
>
> In LDAP I have the following group and OU structure for NAS systems,  
> and potentially there are any number of different responses  
> depending on their access level per system, and thus I plan to add  
> different users into the relevant group.
>
> cn=ResponseValue,ou=NAS,ou=Radius,o=Org  ie:
>
> cn=Login-User,ou=SystemA,ou=Radius,o=Org
> cn=Login-Admin,ou=SystemA,ou=Radius,o=Org
> cn=Level1,ou=SystemB,ou=Radius,o=Org
> cn=Level7,ou=SystemB,ou=Radius,o=Org
> cn=Level15,ou=SystemB,ou=Radius,o=Org
>
> The only way I have got this to effectively work is as follows:
>
> in the sites-enabled/default I have:
>
> authorize {
>         ldap
> }
> authenticate {
>         Auth-Type LDAP {
>                 ldap
>         }
> }
> post-auth {
>         files
> }
>
> Then after I have modified the modules/files and added  
> "postauth_usersfile = ${confdir}/postauth_users"
>
> I also add in all the same devices in the same nas group into the  
> huntgroups file such as:
>
> SystemA         NAS-IP-Address == 192.168.1.1
>
> In the postauth_users file I need to put the logic to say if you are  
> a member of this LDAP Group, and coming from this Hostgroup NAS  
> server, then Access-Accept & include the correct reply.
>
> DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
>         Service-Type = "Login-User"
> DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
>         Service-Type = "Login-Admin"
> DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level1,ou=SystemB,ou=Radius,o=Org", Auth-Type := Accept
>         Cisco-avpair = "shell:priv-lvl=1"
> and so on.
>
> Is there an easier way to have granular system access controls
> based on group memberships out of ldap?  As it's a pain to have one
> to one matchup from ldap groups, to the postauth_users.
>
> Thanks
>
> Peter
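The one-to-one matchup between huntgroups, LDAP groups and postauth_users entries described in the quoted message is easy to get wrong by hand, so here is an added consistency check (example code, not part of the thread or of FreeRADIUS). It assumes the DN layout from the message, where the first ou= of the group DN names the same system as the Huntgroup-Name, and flags entries that break that pattern or that Accept without returning any reply attributes; the sample file content is constructed.

```python
import re

# One "Attribute op value" check item; a quoted value may contain commas,
# which matters because the Ldap-Group value is a full DN.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|!=|=~|=)\s*("([^"]*)"|[^,\s]+)')

# Constructed sample in the postauth_users layout from the thread; the
# second entry points SystemB at a SystemA group, the third has no reply.
SAMPLE = """\
DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
        Service-Type = "Login-User"
DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level1,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
        Cisco-avpair = "shell:priv-lvl=1"
DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level15,ou=SystemB,ou=Radius,o=Org", Auth-Type := Accept
"""


def parse_users_file(text):
    """Entries as {"name", "check": {attr: value}, "reply": [lines]}; an
    unindented line starts an entry, indented lines are its reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # reply item; the file must start with an entry
            entries[-1]["reply"].append(raw.strip().rstrip(","))
            continue
        name, _, rest = raw.partition(" ")
        check = {m.group(1): m.group(4) if m.group(4) is not None else m.group(3)
                 for m in ITEM_RE.finditer(rest)}
        entries.append({"name": name, "check": check, "reply": []})
    return entries


def ou_of(dn):
    """First ou= component of a DN, e.g. SystemA for cn=x,ou=SystemA,..."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.lower() == "ou":
            return val


def find_problems(text):
    """(huntgroup, group DN, reason) for entries that grant access on a
    group belonging to another system, or Accept with no reply items."""
    problems = []
    for e in parse_users_file(text):
        hg, grp = e["check"].get("Huntgroup-Name"), e["check"].get("Ldap-Group")
        if hg and grp and ou_of(grp) != hg:
            problems.append((hg, grp, "huntgroup/OU mismatch"))
        if e["check"].get("Auth-Type") == "Accept" and not e["reply"]:
            problems.append((hg, grp, "accept with no reply attributes"))
    return problems
```

Run find_problems() over the real postauth_users text before reloading the server; on the sample it reports the SystemB/SystemA mismatch and the empty Accept.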