<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns="http://www.w3.org/TR/REC-html40" xmlns:o =
"urn:schemas-microsoft-com:office:office" xmlns:w =
"urn:schemas-microsoft-com:office:word"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2800.1476" name=GENERATOR>
<STYLE>@page Section1 {size: 595.3pt 841.9pt; margin: 70.85pt 70.85pt 70.85pt 70.85pt; }
P.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
LI.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
DIV.MsoNormal {
FONT-SIZE: 12pt; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.E-mailStijl17 {
COLOR: windowtext; FONT-FAMILY: Arial; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
</STYLE>
</HEAD>
<BODY lang=NL vLink=purple link=blue>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2>I have been experimenting with something like this and
found you can (mis)use the hints file to do something like
this:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2>DEFAULT<BR>&nbsp;&nbsp;&nbsp;&nbsp;Hint = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`<BR></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2>If you want, you can use Huntgroup-Name instead of Hint. In
that case, you should add a default, otherwise Huntgroup-Name gets set to
"".</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>DEFAULT<BR>&nbsp;&nbsp;&nbsp;&nbsp;Huntgroup-Name = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}:-None}`</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>In this case, Huntgroup-Name
gets set to None if it isn't found in ldap.</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>Some
caveats:</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>The huntgroups file will not
be processed if Huntgroup-Name exists already. Since hints is processed before
huntgroups, that will be the case.</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>Hints does not implement
fallthrough - you get one match only. If you want to process usernames too,
instantiate another instance.</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>Another approach I have used
is similar to your solution. I used rules in users like
this:</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>DEFAULT Ldap-Group == `%{Huntgroup-Name}`<BR>&nbsp;&nbsp;&nbsp;&nbsp;Access-Level := RW,<BR>&nbsp;&nbsp;&nbsp;&nbsp;Service-Type = Administrative-User,<BR>&nbsp;&nbsp;&nbsp;&nbsp;Cisco-AVPair := "shell:priv-lvl=15",<BR>&nbsp;&nbsp;&nbsp;&nbsp;Passport-Command-Impact = configuration</SPAN></FONT></SPAN></DIV>
<DIV> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>The huntgroups are defined
in the huntgroups file, or could be defined as above; users are put into groups
corresponding to the huntgroup names.</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>You can also generate pseudo
groups like this:</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`<BR>&nbsp;&nbsp;&nbsp;&nbsp;Access-Level := RO,<BR>&nbsp;&nbsp;&nbsp;&nbsp;Service-Type = Nas-Prompt-User<BR></SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>So a user in RADIUS group
sydney_RO gets read-only access to devices in huntgroup
sydney.</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>For this to work you need to
apply a patch I submitted in the list some time ago, otherwise the substitution
works only once. </SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006>regards</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN class=156345401-17102006>Frank
Ranner</SPAN></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=156345401-17102006><FONT face=Arial
color=#0000ff size=2><SPAN
class=156345401-17102006></SPAN></FONT></SPAN> </DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org
[mailto:freeradius-users-bounces+frank.ranner=defence.gov.au@lists.freeradius.org]
<B>On Behalf Of </B>Jonathan De Graeve<BR><B>Sent:</B> Tuesday, 17 October 2006
01:18<BR><B>To:</B> freeradius-users@lists.freeradius.org<BR><B>Subject:</B>
Huntgroupname checkitem in LDAP<BR></FONT><BR></DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=Section1>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">Hello, I'm looking for a way to
have my huntgroups defined in LDAP similar to the way they are in
SQL.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">For example if a user belongs to
Ldap-Group vpn, the Group in ldap contains an attribute containing the
huntgroup names which the Group gives access to.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I tried adding 'checkItem
Huntgroup-Name' info to my ldap.attrmap with attribute 'info' having value:
'=~ ^(vpn|sslvpn)$' (without success). <o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I had success with the following
setup:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">In
users:<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">DEFAULT Huntgroup-Name == vpn,
Ldap-Group == vpn<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">
Fall-Through = no<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">DEFAULT Huntgroup-Name == sslvpn,
Ldap-Group == sslvpn<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">
Fall-Through = no<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">DEFAULT Auth-Type :=
Reject<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">This allows specifying which user
has access to which NAS group by adding group memberships to the user. But it
breaks the users existing in SQL.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I could of course also add the
specific SQL groups to the users file, but this would still require a
reorganisation of the SQL users, since they only have a Huntgroup-Name
attribute for their group level which specifies multiple huntgroups by using a
regexp.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">I'm kinda stuck in how to
implement it. Any advice would be greatly
appreciated.<o:p></o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><o:p> </o:p></SPAN></FONT></P>
<P class=MsoNormal><FONT face=Arial size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Arial">J.<o:p></o:p></SPAN></FONT></P></DIV></BLOCKQUOTE></BODY></HTML>