On 31 Aug 2011, at 13:17, Jan.Weiss@t-systems.com wrote:
Thanks for the answer!
But there are several problems for me: - i have no access to ldap, new groups are not as easy to implement as in small environments - i already have more than 20 DEFAULT-entries for different huntgroup/ldap-group combinations and splitting nexus to nexus_RO and nexus_RW means adding additional 5 entries minimum I´m searching for a more scalable solution. If the next team should get access to different devices, and then the third team to a third group of devices, or other rights...
Hi,
In this thread i found a hint for my config:
http://freeradius.1045715.n5.nabble.com/huntgroups-question-td2756193.html
"The huntgroups are a bit of a hack for backwards compatibility going back almost a decade. For 2000 machines, I would suggest using rlm_passwd. See the "man rlm_passwd" page for an example of setting up groups based on User-Name. The same method can be used to set up groups based on Client-IP-Address. You then have groups controlled by a flat text file, which is pretty easy to manage."
passwd groups_local { filename = /etc/raddb/groups_local format = "~My-Device-Group:*NAS-IP-Address" hashsize = 50 ignorenislike = no allowmultiplekeys = no delimiter = ":" }
Groups_local: readonly:127.0.0.1
Groups_local is called in section "authorize" just after "preprocess".
I always got "returs notfound". If i add User-Name to the config, it´s working. But i didn´t want to check the username, i just want to add an other flag (My-Device-Group) additional to huntgroups.
Did you remember to actually define 'My-Device-Group' as an attribute? -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org RADIUS - Half the complexity of Diameter