NAS-restricted users
brent s.
bts at square-r00t.net
Wed May 9 20:42:50 CEST 2018
Thanks, Alan! Responses inline.
On 05/09/2018 12:28 PM, Alan DeKok wrote:
>>
>> 1.) What would be the most appropriate attribute for this in LDAP?
>> Accounts currently have the following objectClasses: account,
>> extensibleObject, radiusprofile, simpleSecurityObject, top.
>
> The best way is to put the users into an LDAP group, and then do LDAP group checking.
Ah, okay. This makes sense.
>
>> 2.) Can I even use the ${shortname} macro in a
>> raddb/mods-available/ldap:ldap{user{filter=}} context? I would *assume*
>> so since the NAS handling is done before the authentication handling,
>> but assumptions are a bad thing to operate off of. The unlang
>> documentation indicates I can't use unlang in this context, which is
>> fine since I can just incorporate it into the LDAP filter, but I'm
>> having some difficulty finding which macros are available where.
>
> The ${...} macros are expanded when the configuration file is read. And are static after that.
>
Oops, sorry - I meant the %{...} dynamic string expansions. In other
words, based on the above it would seem I can do this (pardon the
linebreaking):
:raddb/mods-available/ldap
...
ldap {
    ...
    user {
        ...
        # ignore the linebreak; mail client is wrapping
        filter = "(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))"
        ...
    }
    ...
}
...
correct?
>> 3.) Is there a better way to do this (preferably without duplicating NAS
>> entries)? Ideally without using huntgroups or the like, which is how I
>> usually see this sort of functionality achieved.
>
> LDAP groups are by far and away the best solution.
>
Looks like groups would need to be the way to go, yeah.
The above, if correct, would also work with dynamic-clients as well, yes?
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
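As an added, runnable illustration (not code from this thread, and not rlm_ldap's own implementation), the Python below models what the filter above does at runtime: the %{%{Stripped-User-Name}:-%{User-Name}} fallback expansion, RFC 4515 escaping of every expanded value before it lands in the filter, and evaluation of the resulting filter against a constructed in-memory directory with one group per NAS. The expander, escaper and matcher are toy models written for this example; the directory entries and user names are constructed. Keep in mind that NAS-Identifier is whatever the NAS placed in the request, whereas the name the server itself resolved for the client (from clients.conf or dynamic-clients) is available as %{client:shortname}, which is the server-side value to key group names on.

```python
"""
Toy model of a FreeRADIUS-style LDAP user filter.

Added example; not code from the thread or from FreeRADIUS/rlm_ldap.
Assumptions: only %{Attr} and %{%{A}:-%{B}} (fallback) expansions are
handled, every expanded value is escaped per RFC 4515, and the
"directory" is a constructed in-memory list rather than an LDAP server.
"""
import re
from typing import Dict, List, Optional, Tuple

# The filter from the thread, with NAS-Identifier selecting the group.
USER_FILTER = ("(&(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
               "(memberOf=ou=%{NAS-Identifier},ou=Groups,dc=domain,dc=tld))")

# Constructed sample directory: each user belongs to one per-NAS group.
DIRECTORY: List[Dict[str, object]] = [
    {"cn": "alice", "memberOf": ["ou=nas01,ou=Groups,dc=domain,dc=tld"]},
    {"cn": "bob",   "memberOf": ["ou=nas02,ou=Groups,dc=domain,dc=tld"]},
]

_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def _matching_brace(s: str, open_idx: int) -> int:
    """Index of the '}' that closes the '{' at open_idx."""
    depth = 0
    for j in range(open_idx, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    raise ValueError("unbalanced %{...} in template")


def _split_default(inner: str) -> Tuple[str, Optional[str]]:
    """Split 'primary:-default' at the top level; default is None if absent."""
    depth = 0
    for j, ch in enumerate(inner):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0 and inner.startswith(":-", j):
            return inner[:j], inner[j + 2:]
    return inner, None


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Expand %{Attr} and %{%{A}:-%{B}}; literal text is copied, values are escaped."""
    out: List[str] = []
    i = 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 1)
            primary, default = _split_default(template[i + 2:end])
            if default is None:                      # plain attribute reference
                out.append(ldap_filter_escape(attrs.get(primary, "")))
            else:                                    # fallback if primary expands empty
                out.append(expand(primary, attrs) or expand(default, attrs))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def _unescape(value: str) -> str:
    """Reverse RFC 4515 hex escapes (\\2a -> '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(filter_str: str, entry: Dict[str, object]) -> bool:
    """Evaluate an AND-of-equalities filter, the only shape this example needs."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter shape: " + filter_str)
    for attr, raw in re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1)):
        have = entry.get(attr, [])
        values = [have] if isinstance(have, str) else list(have)
        if _unescape(raw) not in values:             # exact match on the unescaped value
            return False
    return True


def authorized(attrs: Dict[str, str], directory=DIRECTORY) -> bool:
    """True if some directory entry matches the expanded filter for this request."""
    flt = expand(USER_FILTER, attrs)
    return any(entry_matches(flt, e) for e in directory)


if __name__ == "__main__":
    print(expand(USER_FILTER, {"User-Name": "alice", "NAS-Identifier": "nas01"}))
    print(authorized({"User-Name": "alice", "NAS-Identifier": "nas01"}))  # True
    print(authorized({"User-Name": "alice", "NAS-Identifier": "nas02"}))  # False
```

The escaping step is the part worth checking in any real deployment: a User-Name such as `*)(cn=*` reaches the filter as `\2a\29\28cn=\2a` and is compared literally, so it matches no entry instead of altering the filter's structure.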