Authorization
Stefan Adams
stefan at borgia.com
Tue Dec 20 00:38:50 CET 2005
Dusty,
Thanks for your fine input and the reminder on the index (I completely
forgot about that). I'll give the ldap module filter a go with the
attr_rewrite. I like keeping attributes with the user object, rather
than spreading usernames around to various other objects. With this
implementation, to me, the extra benefit is that I can just add a
radiusGroupName attribute = X to each user object.
BTW, on the attr_rewrite, can I use more advanced regex than just
................: ? It works and always will work, but it would be
more clear in the config file if I could say
"([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):"
or something to that effect... I couldn't get ANY regex to work
except the . Does that seem right?
Stefan
> Message: 4
> Date: Mon, 19 Dec 2005 14:52:10 -0500 (EST)
> From: Dusty Doris <freeradius at mail.doris.cc>
> Subject: Re: Freeradius-Users Digest, Vol 8, Issue 82
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20051219143705.I21565 at mail.doris.name>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
> On Mon, 19 Dec 2005, Stefan Adams wrote:
>
> > Hey, guys! Thanks for the great replies!! I like what you suggested
> > better than what I've come up with in the mean time. I think what I
> > came up with will work, it just seems messy/wrong/inefficient. What
> > do you think?
> >
> > modules {
> >   ldap {
> >     :
> >     filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Called-Station-ID}))"
> >     :
> >   }
> >   attr_rewrite getssid {
> >     attribute = Called-Station-Id
> >     searchin = packet
> >     searchfor = ".................:"
> >     replacewith = ""
> >     ignore_case = yes
> >     new_attribute = no
> >   }
> > }
> >
> > authorize {
> >   # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
> >   preprocess
> >   eap
> >   getssid
> >   ldap
> > }
> >
> > This cuts off the first 17 bytes and then a colon of the
> > Called-Station-ID (My AP transmits a dash separated MAC followed by a
> > colon and then the SSID). Then it uses this rewritten
> > Called-Station-ID and uses that as a filter in the LDAP search.
> > Therefore, if the SSID a user tries to connect to is not listed as an
> > attribute of the user's LDAP object, the user is denied.
> >
> > Does that make sense?
>
> That's a pretty neat idea. The benefit of that is if you had multiple
> ldap instances and wanted to implement fail-over within freeradius. To do
> it the traditional way, you would need this for fail-over with ldap-group
> checks if say you had two ldap instances.
>
> DEFAULT Called-Station-Id =~ /studentregex/, ldap1-Ldap-Group ==
> "students"
>
> DEFAULT Called-Station-Id =~ /studentregex/, ldap2-Ldap-Group ==
> "students"
>
> That is so it will check with ldap1 instance first. If that fails, then
> check ldap2.
>
> By doing it your way, you won't need to do that anymore. Instead a
> redundant block in authorize would get you what you need already since the
> radiusGroupname inside your search filter takes care of the Ldap-Group
> check.
>
> I wonder if you could use regex matches of Called-Station-ID in the
> huntgroups file. You'll have to test this out, I doubt it would work, but
> it's another interesting idea. I don't know if huntgroups accepts regex
> and if it can use things like Called-Station-Id.
>
> in huntgroups
>
> students Called-Station-Id =~ /studentregex/
> faculty Called-Station-Id =~ /facultyregex/
>
> Then in users file.
>
> DEFAULT Ldap-Group == %{Huntgroup-Name}
>
> Or your way.
>
> (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusGroupName=%{Huntgroup-Name}))"
>
> See doc/configurable_failover and doc/rlm_ldap to see what I'm talking
> about with the failover. If you have a load balancer in front of that
> ldap server, you won't need to worry about it. But if you don't and you
> want to add redundancy, then it's something you'll need to think about some
> day. Freeradius can do the redundancy for you w/out a load balancer or
> shared IP using configurable failover. Actually in the upcoming 1.1
> release it will also do load balancing for you in addition to failover
> inside your ldap blocks.
>
> Hope I'm not too confusing. My point is I like your idea and if it's
> working for you, it doesn't sound like a bad one to me. You might want to
> try hitting it hard to see if the rewrite slows anything down, but I would
> bet it doesn't.
>
> I'd also make sure to add an eq index to radiusgroupname, since you'll be
> using that as part of your search filter.
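The following is an added illustration, not code from the thread or from FreeRADIUS. It models in Python what the attr_rewrite block above and the explicit MAC regex Stefan asks about would each do to a Called-Station-Id, and then builds the LDAP filter from the stripped value. Two things it shows that the thread only implies: the 17-dot pattern strips any 17-character prefix, so a station id that does not carry a MAC at all still yields a short "SSID", whereas the hex-pair regex leaves a non-MAC value untouched and the LDAP lookup then simply finds no match (it fails closed). The second point is that anything interpolated into an LDAP filter needs RFC 4515 escaping; the `ldap_filter_escape` helper here is an assumption about what a safe filter builder does, so confirm what your rlm_ldap version escapes for `%{User-Name}` rather than relying on this. Whether attr_rewrite's regex engine accepts the `{2}` quantifier is also an assumption to check against the rlm_attr_rewrite docs; Python's `re` is used only to compare the two patterns' behaviour. The sample values are constructed.

```python
import re

# Constructed sample Called-Station-Id values (not taken from the thread).
# The AP format described in the thread is "<dash-separated MAC>:<SSID>".
SAMPLES = {
    "mac_prefix": "00-11-22-33-44-55:Staff",
    "lowercase_mac": "aa-bb-cc-dd-ee-ff:Students",
    "ssid_with_colon": "00-11-22-33-44-55:Lab:Net",
    "not_a_mac": "X" * 17 + ":Guest",   # 17 arbitrary characters, then a colon
    "no_prefix": "Guest",
}

# The thread's searchfor pattern: 17 arbitrary characters followed by a colon.
DOTS_PATTERN = re.compile(r".................:", re.IGNORECASE)

# The explicit form asked about in the question: six hex pairs joined by dashes.
MAC_PATTERN = re.compile(
    r"([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2})-"
    r"([A-F0-9]{2})-([A-F0-9]{2})-([A-F0-9]{2}):",
    re.IGNORECASE,  # mirrors ignore_case = yes
)


def extract_ssid(called_station_id, pattern=MAC_PATTERN):
    """Remove the first match of `pattern` (replacewith = ""), as attr_rewrite does.

    If the pattern does not match, the value is returned unchanged.
    """
    return pattern.sub("", called_station_id, count=1)


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL become \\XX hex escapes so user-supplied
    text cannot alter the filter's structure. (Assumed helper; check what your
    rlm_ldap version already does for xlat'd values.)
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(user_name, ssid):
    """Build the same filter shape as the thread's ldap module config."""
    return "(&(uid=%s)(radiusGroupName=%s))" % (
        ldap_filter_escape(user_name),
        ldap_filter_escape(ssid),
    )


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print("%-16s %-28s dots->%-12s mac->%s" % (
            label, value,
            extract_ssid(value, DOTS_PATTERN),
            extract_ssid(value, MAC_PATTERN),
        ))
    print(build_filter("alice", extract_ssid(SAMPLES["mac_prefix"])))
    # A user name containing filter metacharacters is neutralised by escaping.
    print(build_filter("*)(uid=*", "Staff"))
```

Run it directly to see the two patterns side by side; the `not_a_mac` row is the one where they differ, and the last printed filter shows why escaping the interpolated user name matters even when the SSID side is trusted.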