LDAP Binding

Sallee, Stephen (Jake) Jake.Sallee at umhb.edu
Fri Feb 10 22:59:10 CET 2012


If you are looking to assign users network permissions may I suggest you look into the open source enterprise NAC called PacketFence, we are using it with great success.

No use reinventing the wheel, especially when you can get a really tricked out wheel for free : )

Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

________________________________________
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] on behalf of Alan DeKok [aland at deployingradius.com]
Sent: Friday, February 10, 2012 3:37 PM
To: FreeRadius users mailing list
Subject: Re: LDAP Binding

NdK wrote:
> Can't create "users" in AD. Just machine accounts.

  That's a local policy which can be changed.

  AD is perfectly capable of creating read-only administrator accounts.
 It's what everyone else does.

> Maybe it's possible
> to use the (or "a dedicated") *machine* account credentials?

  No.

> Reading FR docs it seems it's something to avoid whenever possible.
> Since there's an internal ldap module, I thought it could be possible to
> use it.

  Yes.

> I need to determine if/what to return in 'access-accept' when an user
> authenticates to a switch.

  See the switch documentation for what to return in an Access-Accept.
Every switch vendor has their own idea of what is "normal".

> - students (determined by *domain* membership) receive a VLAN membership
> - administrators (determined by *domain* and *group* membership) receive
> *no* VLAN memberships (so they can access all the VLANS configured for
> that switch port, as said on the wiki for HPs)
> - "regular" users receive VLAN membership for a different VLAN than
> students (preventing 'em to tamper with administration VLAN)

  That should all be straightforward.  Write a shell script which
implements those rules.  Test it.  Port the same rules to the internal
FreeRADIUS LDAP module && unlang.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
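The three rules in the reply above (students get one VLAN, "regular" users a different one, administrators none), written out as the shell script Alan suggests drafting before porting to unlang. This is an added example, not code from the list post; the directory lookup is a constructed stand-in for ldapsearch, the domain, group and VLAN values are assumptions, and the reply attributes are the standard RFC 3580 Tunnel-* attributes, which the post does not name.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Maps a user's domain and
# group membership to the VLAN attributes returned in an Access-Accept.
# Constructed values: domains students.example.edu / staff.example.edu,
# admin group NetAdmins, VLAN ids 10 (students) and 20 (regular users).

# emit_vlan VLANID -> prints the RFC 3580 tunnel attributes for one VLAN
emit_vlan() {
    printf 'Tunnel-Type = VLAN\nTunnel-Medium-Type = IEEE-802\n'
    printf 'Tunnel-Private-Group-Id = %s\n' "$1"
}

# lookup_groups USER -> prints the user's groups; stands in for an
# ldapsearch against the directory (constructed table). Unknown user: 1.
lookup_groups() {
    case "$1" in
        alice@staff.example.edu)    echo "NetAdmins Staff" ;;
        bob@staff.example.edu)      echo "Staff" ;;
        carol@students.example.edu) echo "Students" ;;
        *) return 1 ;;
    esac
}

# vlan_policy USER -> prints reply attributes on stdout.
# Returns 0 (accept) or 1 (reject: unknown user or unknown domain).
# Administrators are accepted with no Tunnel-* attributes at all, so the
# switch leaves the port with every VLAN configured on it.
vlan_policy() {
    user="$1"
    domain="${user#*@}"
    groups=$(lookup_groups "$user") || return 1
    case "$domain" in
        students.example.edu)
            emit_vlan 10 ;;
        staff.example.edu)
            case " $groups " in
                *" NetAdmins "*) : ;;      # admin: no VLAN membership
                *) emit_vlan 20 ;;         # regular user: separate VLAN
            esac ;;
        *) return 1 ;;
    esac
}
```

Run it against a few users (`vlan_policy carol@students.example.edu`) and diff the output against what the switch expects before moving the same conditions into the LDAP module and unlang.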
