Alan DeKok wrote:
On Aug 28, 2015, at 8:02 AM, Mart Pirita <mart@e-positive.ee> wrote:
But main idea is that ldap just does the authentication yes/no and that's it, nothing more. So... LDAP is an authentication server?
Everything else (who can access and with what rights) is in the radius config only. Is this possible? And RADIUS contains that database of user rights?
You can do that, but it's a bit backwards from the normal process.
Same question, how to do it without ldap groups? You write down what you want, then implement it in unlang. For RADIUS groups, see "man rlm_passwd".
Thanks Alan. I did look the unlang and rim_passwd manpages, and still have questions: 1) As radius in acting proxy for ldap, then authentication is done by ldap, so rim_password is not used for that. You suggested, that rim_password should be used for groups, so I will set up files and list there: a) List 1, users who can access 1-100 switches b) List 2, switches which users from list 1 can access ro c) Lisa 3, switches which users from list 1 can access rw 2) Or can I use unlang to read users, switches from external file? 3) Have You seen any similar unlang config example based my needs? I did search, found none:( It's hard to start form the scratch. -- Mart