On Jun 24, 2017, at 5:53 PM, Darrain Waters <dwaters@bioteam.net> wrote:
I need to map ldap authenticated (389directory) users to juniper nas local accounts that all have different access rights. I clearly run the ldap module, and do a group search to verify a user can access based on group. Is it possible to take the group the ldap module finds and map it to a same named account on the juniper was ?
I'm not really sure what that means...
I want to avoid using the remote user id on the juniper nas with the access class that I assign, and instead use the different accounts on the juniper nas which are different access levels:
user-ro user-op user-su
Could you describe what you want to do using examples... i.e. what a user types when they login to the Juniper box, what's in the Access-Request, and what you want to be in the Access-Accept. i.e. In order to configure it, you need to know what you want it to do. Once your requirements are written down, the solutions are usually pretty straightforward.
I have not messed with the git pulled 3.0.14 config files other than ldap, clients.conf and users file. See radiusd -X below for run info. In my users file I have:
DEFAULT LDAP-Group == "admins", Auth-Type := Accept
That lets users log in without doing password checks. This is likely not what you want.
Junipers instructions are as follow, which I have tried:
Do those instructions work? If so, make small modifications to change them to do what you want. Alan DeKok.