I added 3 groups called tier1,2 and 3 like cn=tier3,ou=People,dc=somedomain,dc=com and added a user to that group. That user is not able to log on. Here is the output. Note the "member=" and "uniquemember=". Ldap-UserDn values are null???
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter (&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 3
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.
[ldap] Entering ldap_groupcmp()
[files] expand: ou=People,dc=somedomain,dc=com -> ou=People,dc=somedomain,dc=com
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter (&(cn=tier2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 4
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier2 not found or user is not a member.
[ldap] Entering ldap_groupcmp()
[files] expand: ou=People,dc=somedomain,dc=com -> ou=People,dc=somedomain,dc=com
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter (&(cn=tier1)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 5
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier1 not found or user is not a member.
On Thu, Jul 29, 2010 at 12:00 PM, Natr Brazell
<natrbrazell@gmail.com> wrote:
Ooh! I'll try the LDAP-Group. wrt the Juniper-Local-User-Name VSA:
Once authenticated against LDAP the user is mapped to the NAS device where there is a username called tier3 (or whatever you called it. Could be superduck). That username is matched against a class which defines a specific set of available commands. The default classes on a juniper router and switch (out of the box) are tier1 (read-only), tier2 (show and some configure commands) and tier3 (or superuser). The audits on both the NAS and in the radius radacct log show the User-Name value as the LDAP uid. When a user types a command such as 'edit' the NAS returns a Juniper-Interactive-Command value = 'edit'. In this way we have a full record of every command each user types on any Juniper device in our accounting logs. Doing this provides very granular control over what users have what permisisons and provides a mechanism for tracking, troubleshooting and accountability.
Thanks Alan,
N
On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok
<aland@deployingradius.com> wrote:
Natr Brazell wrote:
> I am looking for information on grouping users into profiles/groups.
> I've searched around the FAQ's and docs but not finding a clear
> picture. I've found how to associate a user with a group of NAS's.
See "man rlm_passwd" It can be used to create arbitrary groups,
including groups of users.
> Here's the scenario. There is a specfic VSA from Juniper called
> Juniper-Local-User-Name. This gets mapped to a locally defined profile
> on the NAS. In the users file I have the following:
>
> bob.smith Juniper-Local-User-Name = "tier3",
What does that do?
> So to the point, rather than defining each user with the same parameters
> every time, can I create a group, for instance TIER3, and associate
> User-Name's above to the group. And if so how or point me to some
> specific examples.
>
> I am using LDAP also so if there is an LDAP solution same question. Howto?
Put the users into an LDAP group, and use LDAP-Group checking:
DEFAULT LDAP-Group == "tier2"
Juniper-Deny-Commands "(show system alarms)|(show system software)"
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html