RE: [sec: unclas] Huntgroupname checkitem in LDAP
Van: freeradius-users- bounces+jonathan.de.graeve=imelda.be@lists.freeradius.org [mailto:freeradius-users- bounces+jonathan.de.graeve=imelda.be@lists.freeradius.org] Namens Ranner, Frank MR Verzonden: dinsdag 17 oktober 2006 4:17 Aan: FreeRadius users mailing list Onderwerp: RE: [sec: unclas] Huntgroupname checkitem in LDAP
DEFAULT Ldap-Group == `%{Huntgroup-Name}` Access-Level := RW, Service-Type = Administrative-User, Cisco-AVPair := "shell:priv-lvl=15", Passport-Command-Impact = configuration
Although this approach Works if you just want to add attributes for a certain huntgroup if a user is member of it. My problem is, I have 2 user databases, one being SQL the other being LDAP/AD I want to be able to specify to which NASses the LDAP/AD user has access too. If it were only LDAP/AD users, everything would work like this: DEFAULT Ldap-Group == `%{Huntgroup-Name}` Fall-Through = no DEFAULT Auth-Type := REJECT In this way, every user that is not a member of a specific Group that matches a Huntgroup name is denied access. But I still have the SQL users and the above rules breaks them. So I changed it to this: DEFAULT SQL-Group == `%{Huntgroup-Name}` Fall-Through = no DEFAULT Ldap-Group == `%{Huntgroup-Name}` Fall-Through = no DEFAULT Auth-Type := REJECT In this way, I need to change my SQL users setup from instead having the Huntgroup-Name in SQL as a checkitem (radgroupcheck) to add every SQL user to a SQL-group having the same name as the huntgroup. This behaviour works but is not really desirable. After searching and experimenting the trick to NOT break EAP/LDAP/SQL but still having everything working like I wanted it to be was just as follows: DEFAULT Ldap-Group == `%{Huntgroup-Name}` Fall-Through = no DEFAULT Auth-Type = LOCAL Fall-Through = Yes This configuration allows for the default SQL behaviour to stay the same, having EAP AND locking Ldap users to the NASes controlled by there groupmembership. Since I spent a long time figuring this out I wanted to share this to the list. My current setup has SQL users + Complete Active Directory integration (having EAP=>NTLM) + LDAP(PAP/etc...) Kind Regards, J.
participants (1)
-
Jonathan De Graeve