LDAP - dynamic membership checking
Hello I'am stuck while testing with LDAP an Radius. I'am get Radius to work with user authorisation against LDAP and authentication against kerberos. Even if i set a "simple" membership checking in ./modules/ldap it works fine. My problem is, I have several NAS (Some APs, Switches, VPN-Servers). Depending on the NAS another group-Membership should be checked . For example a user with memberships in "wireless" and "office-vpn" should get access if the request comes from the APs or a specific VPN-Server. Can someone give me a hint, how to setup such a szenario? greetings Raptor 2101
On 31.12.2011 10:56, Christian Kölpin wrote:
I'am stuck while testing with LDAP an Radius. I'am get Radius to work with user authorisation against LDAP and authentication against kerberos. Even if i set a "simple" membership checking in ./modules/ldap it works fine.
My problem is, I have several NAS (Some APs, Switches, VPN-Servers). Depending on the NAS another group-Membership should be checked . For example a user with memberships in "wireless" and "office-vpn" should get access if the request comes from the APs or a specific VPN-Server.
Can someone give me a hint, how to setup such a szenario?
my solution users: DEFAULT Huntgroup-Name == "switches", Ldap-Group == "coolguys" Tunnel-Type = VLAN, Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-ID = "1337" huntgroups: # Switch XY all NAS-IP-Address == X.Y.Z.131, NAS-Port >= 1,NAS-Port <= 30 coolguys NAS-IP-Address == X.Y.Z.131, NAS-Port >= 31,NAS-Port <= 40 -- Jens Weibler IT-Services Hochschule Darmstadt www.h-da.de University of Applied Sciences Fachbereich Informatik www.fbi.h-da.de Schöfferstr. 8b D-64295 Darmstadt Tel +49 6151 16-8425 Fax +49 6151 16-8935 jens.weibler@h-da.de
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 31.12.2011 16:35, schrieb Jens Weibler:
my solution
users: DEFAULT Huntgroup-Name == "switches", Ldap-Group == "coolguys" Tunnel-Type = VLAN, Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-ID = "1337"
huntgroups: # Switch XY all NAS-IP-Address == X.Y.Z.131, NAS-Port >= 1,NAS-Port <= 30 coolguys NAS-IP-Address == X.Y.Z.131, NAS-Port >= 31,NAS-Port <= 40 you point me in the right direction. My problem was, that the LDAP-Module was instanced after the files module (those wo process the users file) SO the checking never take place. I changed the ordering of the module and all works fine :)
I modified your solution a little bit so i have a "deny"-logic. huntgroups: access-points = NAS-IP-Address == X.Y.Z1.1, NAS-Port = 0 access-points = NAS-IP-Address == X.Y.Z2.1, NAS-Port = 0 access-points = NAS-IP-Address == X.Y.Z3.1, NAS-Port = 0 users: DEFAULT Huntgroup-Name == "access-points", Ldap-Group != "Wireless", Auth-Type := Reject -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8AZJwACgkQWaFOsSkiiV+YtQCgiHAEXHrN4btnbnpFmMpByS3z YdwAoJaiy1fEfToJN/ruWDZJTbpTDqBF =mXBM -----END PGP SIGNATURE-----
participants (2)
-
Christian Kölpin -
Jens Weibler