[sec: unclas] Huntgroupname checkitem in LDAP

Jonathan De Graeve Jonathan.De.Graeve at imelda.be
Tue Oct 17 11:59:26 CEST 2006


> From: freeradius-users-
> bounces+jonathan.de.graeve=imelda.be at lists.freeradius.org
> [mailto:freeradius-users-
> bounces+jonathan.de.graeve=imelda.be at lists.freeradius.org] On behalf of
> Ranner, Frank MR
> Sent: Tuesday 17 October 2006 4:17
> To: FreeRadius users mailing list
> Subject: RE: [sec: unclas] Huntgroupname checkitem in LDAP
> 
> 
> DEFAULT Ldap-Group == `%{Huntgroup-Name}`
>         Access-Level := RW,
>         Service-Type = Administrative-User,
>         Cisco-AVPair := "shell:priv-lvl=15",
>         Passport-Command-Impact = configuration
> 

This approach works if you just want to add attributes for a certain
huntgroup when a user is a member of it.

My problem is that I have 2 user databases, one being SQL, the other being
LDAP/AD.

I want to be able to specify which NASes the LDAP/AD user has access
to.

If it were only LDAP/AD users, everything would work like this:

DEFAULT	Ldap-Group == `%{Huntgroup-Name}`
		Fall-Through = no

DEFAULT	Auth-Type := REJECT

In this way, every user that is not a member of a specific Group that
matches a Huntgroup name is denied access.

But I still have the SQL users, and the above rules break them.

So I changed it to this:

DEFAULT	SQL-Group == `%{Huntgroup-Name}`
		Fall-Through = no

DEFAULT	Ldap-Group == `%{Huntgroup-Name}`
		Fall-Through = no

DEFAULT	Auth-Type := REJECT

This way, I need to change my SQL user setup from having the
Huntgroup-Name in SQL as a check item (radgroupcheck) to adding every SQL
user to a SQL group with the same name as the huntgroup.

This behaviour works but is not really desirable.

After searching and experimenting, the trick to NOT break EAP/LDAP/SQL
but still have everything working the way I wanted was simply as
follows:

DEFAULT	Ldap-Group == `%{Huntgroup-Name}`
		Fall-Through = no

DEFAULT	Auth-Type = LOCAL
		Fall-Through = Yes

This configuration allows the default SQL behaviour to stay the same
while having EAP AND locking LDAP users to the NASes controlled by their
group membership. Since I spent a long time figuring this out I wanted to
share it with the list.

My current setup has SQL users + complete Active Directory integration
(with EAP=>NTLM) + LDAP (PAP/etc...)

Kind Regards,

J. 
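Added here as an illustration, not part of the original message and not FreeRADIUS code: a toy Python model of how the users file is walked, run over the REJECT version and the LOCAL version above with three constructed requests (an SQL user whose password came from SQL, an LDAP user in a group matching the huntgroup, and an LDAP user outside it). It assumes the files module runs before any module that would set Auth-Type itself, that an absent Auth-Type means later modules authenticate the user normally, and that Auth-Type LOCAL can only succeed when a locally known password check item is present; all three are stated assumptions of the model, not facts taken from the message.

```python
"""Toy model of how FreeRADIUS walks a 'users' file (constructed for
illustration; this is not FreeRADIUS code and simplifies the real flow).

Modelled rules:
  * entries are tried top to bottom; DEFAULT matches any user name;
  * an entry matches when every check item matches the request;
  * '==' compares, ':=' sets (overriding), '=' adds only if not yet present;
  * after a matching entry the walk stops unless it has Fall-Through = yes.
Assumption for the outcome step: Auth-Type LOCAL succeeds only when the
request already carries a locally known password (as SQL supplies); an
absent Auth-Type means the normal modules (LDAP, EAP, ...) authenticate.
"""


def entry(checks, items, fall_through=False):
    """One users-file entry: (attr, op, value) checks and reply/config items."""
    return {"checks": checks, "items": items, "fall_through": fall_through}


def expand(value, request):
    """Minimal %{Attr} expansion against request attributes."""
    if value.startswith("%{") and value.endswith("}"):
        return request.get(value[2:-1], "")
    return value


def check_ok(attr, op, value, request):
    """Evaluate one check item against the request."""
    if op != "==":
        raise ValueError("only '==' checks are modelled")
    value = expand(value, request)
    # Ldap-Group / SQL-Group are membership lookups; the toy request carries
    # the user's groups as a set instead of querying LDAP or SQL.
    if attr in ("Ldap-Group", "SQL-Group"):
        return value in request.get(attr, set())
    return request.get(attr) == value


def walk(entries, request):
    """Apply matching entries to a copy of the request; return the result."""
    attrs = dict(request)
    for e in entries:
        if not all(check_ok(a, op, v, attrs) for a, op, v in e["checks"]):
            continue
        for attr, op, value in e["items"]:
            if op == ":=" or (op == "=" and attr not in attrs):
                attrs[attr] = value
        if not e["fall_through"]:
            break
    return attrs


def outcome(attrs):
    """Decide the toy authentication result from the walked attributes."""
    auth = attrs.get("Auth-Type")
    if auth == "REJECT":
        return "reject"
    if auth == "LOCAL":
        return "accept" if "Cleartext-Password" in attrs else "reject"
    return "accept"  # other/absent Auth-Type: normal modules authenticate


# The two configurations discussed in the message.
REJECT_VERSION = [
    entry([("Ldap-Group", "==", "%{Huntgroup-Name}")], []),
    entry([], [("Auth-Type", ":=", "REJECT")]),
]
LOCAL_VERSION = [
    entry([("Ldap-Group", "==", "%{Huntgroup-Name}")], []),
    entry([], [("Auth-Type", "=", "LOCAL")], fall_through=True),
]

# Constructed requests (hypothetical users, not from the message).
SQL_USER = {"User-Name": "alice", "Huntgroup-Name": "core",
            "Cleartext-Password": "from-sql"}
LDAP_MEMBER = {"User-Name": "bob", "Huntgroup-Name": "core",
               "Ldap-Group": {"core"}}
LDAP_OUTSIDER = {"User-Name": "carol", "Huntgroup-Name": "core",
                 "Ldap-Group": {"edge"}}


def results(entries):
    """Outcome per user for one users-file configuration."""
    return {r["User-Name"]: outcome(walk(entries, r))
            for r in (SQL_USER, LDAP_MEMBER, LDAP_OUTSIDER)}


if __name__ == "__main__":
    print("REJECT version:", results(REJECT_VERSION))
    print("LOCAL version: ", results(LOCAL_VERSION))
```

In the REJECT version the SQL user never matches the Ldap-Group entry and falls onto the unconditional REJECT, which is exactly the breakage described above; in the LOCAL version the `=` operator only fills in Auth-Type where nothing else has set it, so the SQL user keeps working while an LDAP user outside the matching group ends up with LOCAL and no local password, and is refused.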

More information about the Freeradius-Users mailing list