Hi,

 

I have freeradius 2.1.12 of rhel6 which uses freeipa as an ldap backend. All is working fine.

 

The config I have setup is as follows:

 

Ldap group sys_admins = contains users who get privileges to authenticate and login radius based devices (cisco routers/switches, ucs, f5, brocade).

 

Radius config for ldap module checks group sys_admins for membership. (/etc/raddb/modules/ldap)

  groupname_attribute = cn

  groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn})))"

  groupmembership_attribute = sys_admins

 

In /etc/raddb/users I have…

 

DEFAULT Ldap-Group == "cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"

        Auth-Type :=Accept,

        Service-Type = "NAS-Prompt-User",

        Cisco-AVPair = "shell:roles*\"admin network-admin vdc-admin\"",

        Cisco-AVPair += "shell:priv-lvl=15",

        Fall-Through = No,

        F5-LTM-User-Role = 0,

        F5-LTM-User-Info-1 = administrator,

        F5-LTM-User-Partition = common,

        F5-LTM-User-Shell = tmsh,

        Brocade-Auth-Role+= "admin",

        Brocade-AVPairs1+= "HomeLF=0",

        Brocade-AVPairs2+= "LFRoleList=admin:0-255",

        Brocade-AVPairs3+= "ChassisRole=admin"

 

 

DEFAULT Auth-Type := Reject

        Reply-Message="You do not have permission to access this device.",

        Fall-Through = Yes

 

This is all working fine.

 

My problem is that I need to have a user setup in ldap for monitoring purposes (using icinga), which should be a read only based user for the ucs and not have access to the brocade, f5 or other cisco devices.

 

I’ve tried a lot of different configs and nothing has worked. Adding a specific user definition to /etc/raddb/users with appropriate privilege levels doesn’t help as it seems to still require that the user belong to the ldap group sys_admins, which means they get access to all devices.

 

Does anyone know of a way to have multiple user definitions in /etc/raddb/users with ldap backends with differing privilege levels?

 

Could the ldap module be duplicated like the files module which allows a second users file?

 

Is it even possible? Any alternatives?

 

Thanks,

 

Les