Grouping similar users to profiles

Natr Brazell natrbrazell at gmail.com
Thu Jul 29 22:02:02 CEST 2010


fixed it...  Or rather Alan fixed it. I just found it and uncommented it.
Had forgotten to uncomment group checking in the ldap module.  Apparently
there are defaults.

Thanks for the help.
N
On Thu, Jul 29, 2010 at 2:39 PM, Natr Brazell <natrbrazell at gmail.com> wrote:

> I added 3 groups called tier1,2 and 3 like
> cn=tier3,ou=People,dc=somedomain,dc=com and added a user to that group.
> That user is not able to log on.  Here is the output.  Note the "member="
> and "uniquemember=".  Ldap-UserDn values are null???
>
>  [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 3
>   [ldap] object not found
>   [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.
>   [ldap] Entering ldap_groupcmp()
> [files]         expand: ou=People,dc=somedomain,dc=com ->
> ou=People,dc=somedomain,dc=com
> [files]         expand:
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 4
>   [ldap] object not found
>   [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier2 not found or user is not a member.
>   [ldap] Entering ldap_groupcmp()
> [files]         expand: ou=People,dc=somedomain,dc=com ->
> ou=People,dc=somedomain,dc=com
> [files]         expand:
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
>   [ldap] ldap_get_conn: Checking Id: 0
>   [ldap] ldap_get_conn: Got Id: 0
>   [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier1)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 5
>   [ldap] object not found
>   [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier1 not found or user is not a member.
>
>   On Thu, Jul 29, 2010 at 12:00 PM, Natr Brazell <natrbrazell at gmail.com> wrote:
>
>> Ooh!  I'll try the LDAP-Group.  wrt the Juniper-Local-User-Name VSA:
>>
>> Once authenticated against LDAP the user is mapped to the NAS device where
>> there is a username called tier3 (or whatever you called it.  Could be
>> superduck).  That username is matched against a class which defines a
>> specific set of available commands.  The default classes on a juniper router
>> and switch (out of the box) are tier1 (read-only), tier2 (show and some
>> configure commands) and tier3 (or superuser).  The audits on both the NAS
>> and in the radius radacct log show the User-Name value as the LDAP uid.
>> When a user types a command such as 'edit' the NAS returns a
>> Juniper-Interactive-Command value = 'edit'.  In this way we have a full
>> record of every command each user types on any Juniper device in our
>> accounting logs.  Doing this provides very granular control over what users
>> have what permissions and provides a mechanism for tracking, troubleshooting
>> and accountability.
>>
>> Thanks Alan,
>> N
>>
>>   On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <aland at deployingradius.com> wrote:
>>
>>> Natr Brazell wrote:
>>> > I am looking for information on grouping users into profiles/groups.
>>> > I've searched around the FAQ's and docs but not finding a clear
>>> > picture.  I've found how to associate a user with a group of NAS's.
>>>
>>>  See "man rlm_passwd"  It can be used to create arbitrary groups,
>>> including groups of users.
>>>
>>> > Here's the scenario.  There is a specific VSA from Juniper called
>>> > Juniper-Local-User-Name.  This gets mapped to a locally defined profile
>>> > on the NAS.  In the users file I have the following:
>>> >
>>> > bob.smith   Juniper-Local-User-Name = "tier3",
>>>
>>>  What does that do?
>>>
>>> > So to the point, rather than defining each user with the same parameters
>>> > every time, can I create a group, for instance TIER3, and associate
>>> > User-Name's above to the group.  And if so how or point me to some
>>> > specific examples.
>>> >
>>> > I am using LDAP also so if there is an LDAP solution same question.
>>> > Howto?
>>>
>>>  Put the users into an LDAP group, and use LDAP-Group checking:
>>>
>>> DEFAULT   LDAP-Group == "tier2"
>>>         Juniper-Deny-Commands = "(show system alarms)|(show system software)"
>>>
>>>  Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>
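An added example, not code from the thread or from FreeRADIUS itself: a small Python model of the group-membership filter expansion visible in the debug output above. It reproduces the `(&(cn=<group>)...)` search the log shows, fails closed when `Ldap-UserDn` is empty (the exact symptom Natr hit, which made every group lookup return "not found"), escapes the substituted DN per RFC 4515 as a hardening step the thread does not show rlm_ldap doing, and scans debug lines for the empty `member=` / `uniquemember=` expansion so the misconfiguration can be spotted in a log. Function names and the sample log lines are assumptions constructed for the example.

```python
import re

# Group-membership filter template as quoted in the thread (FreeRADIUS expands
# the %{Ldap-UserDn} reference before the search is issued).
GROUP_FILTER = ("(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))"
                "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))")

# RFC 4515 escaping for values embedded in a search filter (assumed hardening
# step; the thread does not show whether rlm_ldap escapes the expanded DN).
_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def expand_group_filter(group: str, attrs: dict, template: str = GROUP_FILTER):
    """Build the (&(cn=<group>)<template>) search seen in the debug log.

    Returns None when any referenced attribute is unset or empty: in the thread
    the empty Ldap-UserDn produced '(member=)' and every group lookup failed,
    so a caller should treat None as 'deny' instead of searching with it.
    """
    missing = []

    def sub(m):
        name = m.group(1)
        val = attrs.get(name, "")
        if not val:
            missing.append(name)
            return ""
        return escape_filter_value(val)

    inner = re.sub(r"%\{([A-Za-z0-9-]+)\}", sub, template)
    if missing:
        return None
    return f"(&(cn={escape_filter_value(group)}){inner})"


def find_empty_expansions(log_lines):
    """Flag debug lines where a membership attribute expanded to nothing."""
    pat = re.compile(r"\((?:member|uniquemember)=\)")
    return [line for line in log_lines if pat.search(line)]


# Constructed sample: debug lines modelled on the thread's output.
SAMPLE_LOG = [
    "[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter",
    "(&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=))))",
    "rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.",
]
```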