Best way to do LDAP user based server restrictions?
Peter Lambrechtsen
plambrechtsen at gmail.com
Sun Nov 1 09:14:46 CET 2009
I have configured FR 2.1.7 successfully and just wanted to confirm this is
the best way to achieve what I am wanting to do.
I have a large number of NAS elements scattered throughout the network that we
are trying to centralise on a pair of redundant FR servers. The
authentication will be based on users out of LDAP, and I would also like to
have the authorization based on LDAP groups, so I can add a user into a group
in LDAP and they will then have access to login to the NAS device.
As part of this we need to restrict certain NAS types to a certain group of
people, and return additional items as part of the Access-Accept such as
Service-Type = "Login-User" or Cisco-avpair = "shell:priv-lvl=15" and the
like.
In LDAP I have the following group and OU structure for NAS systems, and
potentially there are any number of different responses depending on their
access level per system, and thus I plan to add different users into the
relevant group.
cn=ResponseValue,ou=NAS,ou=Radius,o=Org ie:
cn=Login-User,ou=SystemA,ou=Radius,o=Org
cn=Login-Admin,ou=SystemA,ou=Radius,o=Org
cn=Level1,ou=SystemB,ou=Radius,o=Org
cn=Level7,ou=SystemB,ou=Radius,o=Org
cn=Level15,ou=SystemB,ou=Radius,o=Org
The only way I have got this to effectively work is as follows:
in the sites-enabled/default I have:
authorize {
        ldap
}
authenticate {
        Auth-Type LDAP {
                ldap
        }
}
post-auth {
        files
}
Then after I have modified the modules/files and added "postauth_usersfile =
${confdir}/postauth_users"
I also add in all the same devices in the same nas group into the huntgroups
file such as:
SystemA NAS-IP-Address == 192.168.1.1
In the postauth_users file I need to put the logic to say if you are a
member of this LDAP group, and coming from this Huntgroup NAS server, then
Access-Accept & include the correct reply.
DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-User,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
        Service-Type = "Login-User"
DEFAULT Huntgroup-Name == SystemA, Ldap-Group == "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org", Auth-Type := Accept
        Service-Type = "Login-Admin"
DEFAULT Huntgroup-Name == SystemB, Ldap-Group == "cn=Level1,ou=SystemB,ou=Radius,o=Org", Auth-Type := Accept
        Cisco-avpair = "shell:priv-lvl=1"
and so on.
Is there an easier way to have granular system access controls based on
group memberships out of LDAP? As it's a pain to have a one-to-one match-up
from LDAP groups to the postauth_users file.
Thanks
Peter
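The following is an added example (not part of Peter's post and not FreeRADIUS code) that models how the huntgroups file and the postauth_users entries above combine: a NAS-IP-Address is mapped to a huntgroup name, and then the DEFAULT entries are walked in file order, the first one whose Huntgroup-Name and Ldap-Group check items both match deciding the reply. The NAS addresses for the second SystemA device and for SystemB are constructed, and the matcher only implements the two check items used in the post, not the full users-file grammar.

```python
"""Constructed model of huntgroups + postauth_users matching.

Added example, not FreeRADIUS code. The entries are hand-typed from the
mailing-list post; 192.168.1.2 and 192.168.2.1 are assumed NAS addresses.
"""

# Constructed huntgroups file: one (huntgroup name, NAS-IP-Address) per line.
HUNTGROUPS = [
    ("SystemA", "192.168.1.1"),
    ("SystemA", "192.168.1.2"),   # assumed second SystemA NAS
    ("SystemB", "192.168.2.1"),   # assumed SystemB NAS
]

# The DEFAULT entries from postauth_users, in file order:
# (check items, reply items). Every entry carries Auth-Type := Accept.
RULES = [
    ({"Huntgroup-Name": "SystemA",
      "Ldap-Group": "cn=Login-User,ou=SystemA,ou=Radius,o=Org"},
     {"Service-Type": "Login-User"}),
    ({"Huntgroup-Name": "SystemA",
      "Ldap-Group": "cn=Login-Admin,ou=SystemA,ou=Radius,o=Org"},
     {"Service-Type": "Login-Admin"}),
    ({"Huntgroup-Name": "SystemB",
      "Ldap-Group": "cn=Level1,ou=SystemB,ou=Radius,o=Org"},
     {"Cisco-avpair": "shell:priv-lvl=1"}),
]


def huntgroups_for(nas_ip, huntgroups=HUNTGROUPS):
    """Return every huntgroup name whose NAS-IP-Address entry matches nas_ip."""
    return {name for name, ip in huntgroups if ip == nas_ip}


def evaluate(nas_ip, user_groups, huntgroups=HUNTGROUPS, rules=RULES):
    """Walk the entries in file order; return (accepted, reply_items).

    Mirrors the users-file behaviour the post relies on: the first entry
    whose check items all match wins, and if nothing matches no
    Auth-Type := Accept is ever set, so the request is rejected.
    """
    names = huntgroups_for(nas_ip, huntgroups)
    for checks, reply in rules:
        if "Huntgroup-Name" in checks and checks["Huntgroup-Name"] not in names:
            continue
        if "Ldap-Group" in checks and checks["Ldap-Group"] not in user_groups:
            continue
        return True, dict(reply)
    return False, {}


if __name__ == "__main__":
    admin_a = {"cn=Login-Admin,ou=SystemA,ou=Radius,o=Org"}
    # Admin on SystemA gets the SystemA reply from a SystemA NAS ...
    print(evaluate("192.168.1.1", admin_a))
    # ... but the same group grants nothing on a SystemB NAS.
    print(evaluate("192.168.2.1", admin_a))
    # An unknown NAS address belongs to no huntgroup and is rejected.
    print(evaluate("10.0.0.9", admin_a))
```

The model makes one property of this layout visible: because each LDAP group is bound to one huntgroup in the check items, membership in a SystemA group cannot grant access on a SystemB device, and a NAS not listed in huntgroups matches nothing at all. It also shows the ordering caveat of a first-match file: a user who is in both the Login-User and Login-Admin groups receives whichever entry comes first in postauth_users, so entry order, not group "rank", decides the reply.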