Problem with LDAP and Groups
tnt at kalik.co.yu
Thu Oct 11 00:01:23 CEST 2007
You can group devices in huntgroups and add Huntgroup-Name to those
DEFAULT profiles.
Ivan Kalik
Kalik Informatika ISP
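Ivan's suggestion applied to the users file quoted below, as an added example that is not part of either message. The huntgroup names and the NAS addresses (192.0.2.x) are assumed placeholders; the Ldap-Group names and profile DNs are the ones from the original users file.

```text
# huntgroups: classify each NAS by the address it sends in NAS-IP-Address
# (huntgroup names and addresses are constructed placeholders)
cisco_routers    NAS-IP-Address == 192.0.2.10
cisco_routers    NAS-IP-Address == 192.0.2.11
packeteers       NAS-IP-Address == 192.0.2.20

# users: the huntgroup is checked together with the LDAP group, so an
# entry only matches when the request comes from the right device class.
# A Cisco router no longer picks up the Packeteer entry for a user who is
# in both groups, because Huntgroup-Name does not match that entry.
DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
        Reply-Message = "Account disabled. Please call the helpdesk."

DEFAULT Huntgroup-Name == cisco_routers, Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == cisco_routers, Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == packeteers, Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

# Nothing above matched: this user is not entitled to this device class.
DEFAULT Auth-Type := Reject
        Reply-Message = "Please call the helpdesk."
```

The preprocess module must be listed in the authorize section, since it is the module that reads the huntgroups file and sets Huntgroup-Name.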
On 10/10/2007, "Bryan Evege" <bryan at bevege.com> writes:
>Hello all. First off here's what I want to accomplish in the end. Use
>LDAP as the backend to store all user information including radius
>attributes, shell info and access to specific devices in specific
>locations. For example, Johnny needs access to all linux boxes in
>Atlanta and priv-level 15 on cisco routers in Denver. Fred needs
>read/write access to all packet shapers in Denver and read only to all
>cisco devices in Atlanta and Denver. You get the picture.
>
>I've set up a test server following the document in
>/opt/freeradius/share/doc/freeradius/ldap_howto.txt without much
>difficulty. This method does a good job of allowing only certain groups
>to access certain devices without messing with the huntgroups.
>
>Here's the problem. When a user logs in and is a member of more than
>one group radius only uses the first one to match. I've included the
>users file below. For example, if the user is a member of the cisco
>group and the packeteer group only the packeteer group information gets
>passed back because it is found before the cisco group.
>
>Is there a way to say that the request is from a Cisco box so only look
>for the user in the cisco group? If the user is then found in that
>group then pass back the correct attributes from their profile. I know
>I would have to define what a "cisco box" is, probably by IP.
>
>Please let me know if this is even possible and if so provide an
>example. If it is not possible please provide some direction on how to
>go about doing this.
>
>Freeradius 1.1.7
>
>Users file
>
>DEFAULT Ldap-Group == acct_disabled, Auth-Type := Reject
>        Reply-Message = "Account disabled. Please call the helpdesk."
>
>DEFAULT Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == Packeteer, User-Profile := "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == cisco_priv_15, User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == cisco_priv_1, User-Profile := "uid=cisco_priv_1,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>        Fall-Through = no
>
>DEFAULT Ldap-Group == netscreen, User-Profile := "uid=netscreen,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
>
>DEFAULT Auth-Type := Reject
>        Reply-Message = "Please call the helpdesk."
>
>DEFAULT Auth-Type = System
>        Fall-Through = 1
>
>
>Radiusd.conf ldap section
>
> ldap {
> server = "localhost"
> identity = "cn=Manager,dc=csctus,dc=net"
> password = xxxxxxx
> basedn = "ou=users,ou=radius,dc=csctus,dc=net"
> filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> # base_filter = "(objectclass=radiusprofile)"
>
> # set this to 'yes' to use TLS encrypted connections
> # to the LDAP database by using the StartTLS extended
> # operation.
> # The StartTLS operation is supposed to be used with normal
> # ldap connections instead of using ldaps (port 689) connections
> #start_tls = yes
>
> # tls_cacertfile = /path/to/cacert.pem
> # tls_cacertdir = /path/to/ca/dir/
> # tls_certfile = /path/to/radius.crt
> # tls_keyfile = /path/to/radius.key
> # tls_randfile = /path/to/rnd
> # tls_require_cert = "demand"
>
> # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
> # profile_attribute = "radiusProfileDn"
> #default_profile = "uid=Packeteer,ou=profiles,ou=radius,dc=csctus,dc=net"
> #profile_attribute = "radiusProfileDn"
>
> #access_attr = "DialupAccess"
>
> # Mapping of RADIUS dictionary attributes to LDAP
> # directory attributes.
> dictionary_mapping = ${raddbdir}/ldap.attrmap
>
> ldap_connections_number = 5
> ldap_cache_timeout = 120
> ldap_cache_size = 0
> ldap_connections_number = 10
>
> #
> # NOTICE: The password_header directive is NOT case insensitive
> #
> # password_header = "{clear}"
> #
> # Set:
> # password_attribute = nspmPassword
> #
> # to get the user's password from a Novell eDirectory
> # backend. This will work *only if* freeRADIUS is
> # configured to build with --with-edir option.
> #
> #
> # The server can usually figure this out on its own, and pull
> # the correct User-Password or NT-Password from the database.
> #
> # Note that NT-Passwords MUST be stored as a 32-digit hex
> # string, and MUST start off with "0x", such as:
> #
> # 0x000102030405060708090a0b0c0d0e0f
> #
> # Without the leading "0x", NT-Passwords will not work.
> # This goes for NT-Passwords stored in SQL, too.
> #
> password_attribute = userPassword
> #
> # Un-comment the following to disable Novell eDirectory account
> # policy check and intruder detection. This will work *only if*
> # FreeRADIUS is configured to build with --with-edir option.
> #
> edir_account_policy_check=no
> #
> groupname_attribute = radiusGroupName
> #groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
> groupmembership_filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
> groupmembership_attribute = radiusGroupName
> timeout = 4
> timelimit = 3
> net_timeout = 1
> # compare_check_items = yes
> # do_xlat = yes
> # access_attr_used_for_allow = yes
> #
> # By default, if the packet contains a User-Password,
> # and no other module is configured to handle the
> # authentication, the LDAP module sets itself to do
> # LDAP bind for authentication.
> #
> # You can disable this behavior by setting the following
> # configuration entry to "no".
> #
> # allowed values: {no, yes}
> # set_auth_type = yes
> }
>
>dn: dc=csctus,dc=net
>objectClass: dcObject
>objectClass: organizationalUnit
>ou: csctus.net Radius
>dc: csctus
>
>dn: ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: radius
>
>dn: ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: profiles
>
>dn: ou=users,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: users
>
>dn: ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: organizationalunit
>ou: admins
>
>dn: uid=dial,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: dial
>radiusServiceType: Framed-User
>radiusFramedProtocol: PPP
>radiusFramedIPNetmask: 255.255.255.0
>radiusFramedRouting: None
>
>dn: uid=cisco,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: cisco
>radiusReplyItem: Cisco-AVPair = "priv-lvl=15"
>
>dn: uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: packeteer
>radiusReplyItem: Packeteer-AVPair = "access=touch"
>
>dn: uid=isdn,ou=profiles,ou=radius,dc=csctus,dc=net
>objectclass: radiusprofile
>uid: isdn
>radiusServiceType: Framed-User
>radiusFramedProtocol: PPP
>radiusFramedIPNetmask: 255.255.255.0
>radiusFramedRouting: None
>
>dn: uid=example,ou=users,ou=radius,dc=csctus,dc=net
>objectclass: radiusProfile
>uid: example
>userPassword: test
>radiusGroupName: dial
>radiusGroupName: isdn
>
>dn: uid=bevege,ou=users,ou=radius,dc=csctus,dc=net
>radiusGroupName: cisco_priv_15
>radiusGroupName: Packeteer
>objectClass: radiusprofile
>uid: bevege
>userPassword: {MD5}xxxxxxxxx
>
>dn: cn=freeradius,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: freeradius
>cn: freeradius
>userPassword: freeradius
>
>dn: cn=billing,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: billing
>cn: billing
>userPassword: billing
>
>dn: cn=replica,ou=admins,ou=radius,dc=csctus,dc=net
>objectclass: person
>sn: replica
>cn: replica
>userPassword: replica
>
>Thanks,
>
>BE