[sec: unclas] Huntgroupname checkitem in LDAP
Ranner, Frank MR
Frank.Ranner at defence.gov.au
Tue Oct 17 04:16:36 CEST 2006
I have been experimenting with something like this and found you can
(mis)use the hints file to do something like this:
DEFAULT
	Hint = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}}`
If you want, you can use Huntgroup-Name instead of Hint. In that case,
you should add a default, otherwise Huntgroup-Name gets set to "".
DEFAULT
	Huntgroup-Name = `%{ldap:ldap:///ou=hosts,dc=demo,dc=org?radiusHuntgroupName?one?ipHostNumber=%{NAS-IP-Address}:-None}`
In this case, Huntgroup-Name gets set to None if it isn't found in LDAP.
Some caveats:
The huntgroups file will not be processed if Huntgroup-Name exists
already. Since hints is processed before huntgroups, that will be the
case.
Hints does not implement fallthrough: you get one match only. If you
want to process usernames too, instantiate another instance.
Another approach I have used is similar to your solution. I used rules
in users like this:
DEFAULT Ldap-Group == `%{Huntgroup-Name}`
	Access-Level := RW,
	Service-Type = Administrative-User,
	Cisco-AVPair := "shell:priv-lvl=15",
	Passport-Command-Impact = configuration
The huntgroups are defined in the huntgroups file, or could be defined
as above; users are put into groups corresponding to the huntgroup
names.
You can also generate pseudo groups like this:
DEFAULT Ldap-Group == `%{Huntgroup-Name}_RO`
	Access-Level := RO,
	Service-Type = Nas-Prompt-User
So a user in RADIUS group sydney_RO gets read-only access to devices in
huntgroup sydney.
For this to work you need to apply a patch I submitted in the list some
time ago, otherwise the substitution works only once.
Regards,
Frank Ranner
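The following is an added example, not code from either post, that models the authorization flow Frank describes in plain Python so the first-match behaviour and the `:-None` default can be tried offline. The host-to-huntgroup table and the user group memberships are constructed sample data standing in for the LDAP lookups; the rule order mirrors the users-file entries above, and the `default_collides` check is an added caveat: because the hints entry substitutes a literal string when the NAS is not in LDAP, that string must never coincide with the name of a real group (or group_RO), or that group is granted access on every unlisted device.

```python
# Added example (not from the original post): a Python model of the
# hints + users-file rules from the reply, with constructed sample data.

# Constructed stand-in for ou=hosts: ipHostNumber -> radiusHuntgroupName
HOSTS = {
    "10.0.1.1": "sydney",
    "10.0.2.1": "melbourne",
}

# Constructed stand-in for LDAP group membership: user -> set of groups
USERS = {
    "alice": {"sydney"},        # RW in huntgroup sydney
    "bob": {"sydney_RO"},       # read-only in huntgroup sydney
    "carol": {"melbourne"},     # no access to sydney devices
    "mallory": {"None"},        # a group literally named "None" (see note)
}

HUNTGROUP_DEFAULT = "None"  # the ":-None" fallback in the hints entry


def huntgroup_for_nas(nas_ip, default=HUNTGROUP_DEFAULT):
    """Mirror of the hints xlat: one lookup by ipHostNumber, default "None".

    Like hints, this is a single match with no fallthrough.
    """
    return HOSTS.get(nas_ip, default)


def _rules(huntgroup):
    """Ordered like the users file: (check, reply items). First match wins."""
    return [
        # DEFAULT Ldap-Group == "%{Huntgroup-Name}"
        (lambda groups: huntgroup in groups,
         {"Access-Level": "RW", "Service-Type": "Administrative-User",
          "Cisco-AVPair": "shell:priv-lvl=15"}),
        # DEFAULT Ldap-Group == "%{Huntgroup-Name}_RO"
        (lambda groups: f"{huntgroup}_RO" in groups,
         {"Access-Level": "RO", "Service-Type": "Nas-Prompt-User"}),
    ]


def authorize(user, nas_ip):
    """Return the reply items for user on the device at nas_ip, or None (reject)."""
    huntgroup = huntgroup_for_nas(nas_ip)
    groups = USERS.get(user, set())
    for check, reply in _rules(huntgroup):
        if check(groups):
            return dict(reply, **{"Huntgroup-Name": huntgroup})
    return None


def default_collides(users=USERS, default=HUNTGROUP_DEFAULT):
    """Return users whose group membership matches the fallback name.

    If a group is really called "None" (or "None_RO"), the fallback grants
    it access to every NAS that is missing from LDAP, so pick a default
    that cannot be a valid group name and check for collisions.
    """
    return sorted(u for u, g in users.items()
                  if default in g or f"{default}_RO" in g)


if __name__ == "__main__":
    for user, nas in [("alice", "10.0.1.1"), ("bob", "10.0.1.1"),
                      ("carol", "10.0.1.1"), ("mallory", "192.0.2.9")]:
        print(user, nas, authorize(user, nas))
    print("users matching the fallback huntgroup:", default_collides())
```

Running it shows alice getting RW and bob RO on the sydney device, carol rejected there, and mallory granted RW on an unlisted NAS purely because her group name equals the fallback string; `default_collides()` flags that membership so it can be caught before the default goes into production.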
________________________________
From: freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org [mailto:freeradius-users-bounces+frank.ranner=defence.gov.au at lists.freeradius.org] On Behalf Of Jonathan De Graeve
Sent: Tuesday, 17 October 2006 01:18
To: freeradius-users at lists.freeradius.org
Subject: Huntgroupname checkitem in LDAP
Hello, I'm looking for a way to have my huntgroups defined in
LDAP similar to the way they are in SQL.
For example if a user belongs to Ldap-Group vpn, the Group in
ldap contains an attribute containing the huntgroup names which the
Group gives access to.
I tried adding 'checkItem Huntgroup-Name' info to my
ldap.attrmap with attribute 'info' having value: '=~ ^(vpn|sslvpn)$'
(without success).
I had success with the following setup:
In users:
DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
	Fall-Through = no
DEFAULT Huntgroup-Name == sslvpn, Ldap-Group == sslvpn
	Fall-Through = no
DEFAULT Auth-Type := Reject
This allows specifying which user has access to which nasgroup
by adding group memberships to the user. But it breaks the users existing
in SQL.
I could of course also add the specific SQL groups into the
users file, but this would still require a reorganisation of the SQL
users since they only have a Huntgroup-Name attribute for their
grouplevel which specifies multiple huntgroups by using regexp.
I'm kinda stuck in how to implement it. Any advice would be
greatly appreciated.
J.