On May 9, 2018, at 12:07 PM, brent s. <bts@square-r00t.net> wrote:
I've been reading the docs and previous mailing posts, but I'm still a little unclear on some things and wanted to run something by the list first for a sanity check/to see if there's a better way of doing this.
I store NASes in MySQL and user accounts in LDAP (if necessary, this can be changed to store NASes in LDAP as well). I want to only allow users to authenticate if they're coming from a specific NAS associated with their account.
1.) What would be the most appropriate attribute for this in LDAP? Accounts currently have the following objectClasses: account, extensibleObject, radiusprofile, simpleSecurityObject, top.
The best way is to put the users into an LDAP group, and then do LDAP group checking.
2.) Can I even use the ${shortname} macro in a raddb/mods-available/ldap:ldap{user{filter=}} context? I would *assume* so since the NAS handling is done before the authentication handling, but assumptions are a bad thing to operate off of. The unlang documentation indicates I can't use unlang in this context, which is fine since I can just incorporate it into the LDAP filter, but I'm having some difficulty finding which macros are available where.
The ${...} macros are expanded when the configuration file is read. And are static after that.
3.) Is there a better way to do this (preferably without duplicating NAS entries)? Ideally without using huntgroups or the like, which is how I usually see this sort of functionality achieved.
LDAP groups are by far and away the best solution. Alan DeKok.