On 18 Dec 2014, at 18:16, Coy Hile <coy.hile@coyhile.com> wrote:
Hi all,
I admit this is quite a complicated first question, but I'm setting up FR in a lab to try to replace an existing production deployment of a commercial alternative. Currently, we can permission a user for access to some network device via the following tuples (in order of less specificity): (user, device) (user, group of devices), (group of users, device) (group of users, group of devices). So we say, effectively in pseudocode:
For authorization: Check if a user with uid=%{User-Name} exists and return the user's group
if exists(acl(user, device)) { based on the assigned access profile, query LDAP for the approopriate VSAs } else if exists(acl(user, group of devices)) { based on the assigned access profile, query LDAP for the approopriate VSAs } else if exists(acl(usergroup, device)) { .... } else if exists(acl(usergroup,group of devices)) { .... } else return reject
For authentication: Kerberos
The authentication part is trivial, as is the first check under authorization; the existing documentation explains how to do that sort of check. I can see from the unlang manpage how to call out to one or the other modules. Is what I'm trying to do something one can do with rlm_ldap, or is it something that would be better done with rlm_python. (Yes, LDAP in python sucks rocks through straws, so I'm trying to avoid that if possible.
It's not clear what you mean by device. Do you mean infrastructure devices, as in restricting a user so they can only log in from specific locations, or devices as in laptops, phones, workstations? Were the ACLs represented in LDAP by the previous vendor or is LDAP a new requirement? If there's an existing schema please provide it, then i'll be able to tell you if it's possible with the current rlm_ldap module in v3.0.x. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2