Grouping similar users to profiles
Natr Brazell
natrbrazell at gmail.com
Thu Jul 29 20:39:11 CEST 2010
I added 3 groups called tier1, 2 and 3 like
cn=tier3,ou=People,dc=somedomain,dc=com and added a user to that group.
That user is not able to log on. Here is the output. Note the "member="
and "uniquemember=". Ldap-UserDn values are null???
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
(&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 3
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.
[ldap] Entering ldap_groupcmp()
[files] expand: ou=People,dc=somedomain,dc=com ->
ou=People,dc=somedomain,dc=com
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
(&(cn=tier2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 4
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier2 not found or user is not a member.
[ldap] Entering ldap_groupcmp()
[files] expand: ou=People,dc=somedomain,dc=com ->
ou=People,dc=somedomain,dc=com
[files] expand:
(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
(&(cn=tier1)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
request done: ld 0x91aff80 msgid 5
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group tier1 not found or user is not a member.
On Thu, Jul 29, 2010 at 12:00 PM, Natr Brazell <natrbrazell at gmail.com> wrote:
> Ooh! I'll try the LDAP-Group. wrt the Juniper-Local-User-Name VSA:
>
> Once authenticated against LDAP the user is mapped to the NAS device where
> there is a username called tier3 (or whatever you called it. Could be
> superduck). That username is matched against a class which defines a
> specific set of available commands. The default classes on a juniper router
> and switch (out of the box) are tier1 (read-only), tier2 (show and some
> configure commands) and tier3 (or superuser). The audits on both the NAS
> and in the radius radacct log show the User-Name value as the LDAP uid.
> When a user types a command such as 'edit' the NAS returns a
> Juniper-Interactive-Command value = 'edit'. In this way we have a full
> record of every command each user types on any Juniper device in our
> accounting logs. Doing this provides very granular control over what users
> have what permissions and provides a mechanism for tracking, troubleshooting
> and accountability.
>
> Thanks Alan,
> N
>
> On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
>> Natr Brazell wrote:
>> > I am looking for information on grouping users into profiles/groups.
>> > I've searched around the FAQ's and docs but not finding a clear
>> > picture. I've found how to associate a user with a group of NAS's.
>>
>> See "man rlm_passwd" It can be used to create arbitrary groups,
>> including groups of users.
>>
>> > Here's the scenario. There is a specific VSA from Juniper called
>> > Juniper-Local-User-Name. This gets mapped to a locally defined profile
>> > on the NAS. In the users file I have the following:
>> >
>> > bob.smith Juniper-Local-User-Name = "tier3",
>>
>> What does that do?
>>
>> > So to the point, rather than defining each user with the same parameters
>> > every time, can I create a group, for instance TIER3, and associate
>> > User-Name's above to the group. And if so how or point me to some
>> > specific examples.
>> >
>> > I am using LDAP also so if there is an LDAP solution same question.
>> > Howto?
>>
>> Put the users into an LDAP group, and use LDAP-Group checking:
>>
>> DEFAULT LDAP-Group == "tier2"
>>         Juniper-Deny-Commands = "(show system alarms)|(show system software)"
>>
>> Alan DeKok.
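The debug output at the top of this message shows why the group check fails: `%{Ldap-UserDn}` expands to an empty string, so rlm_ldap searches for `(member=)` / `(uniquemember=)`, which can never match a group entry. The script below is an added example, not code from the thread or from FreeRADIUS. It rebuilds the same membership filter from a user DN, refuses to build one from an empty DN (the failure mode above), escapes the substituted value per RFC 4515 so a DN containing `(`, `)` or `*` cannot alter the filter, and scans debug lines of the form shown in the post for searches whose membership clause was expanded empty. The sample log lines and the user DN `uid=bob.smith,ou=People,dc=somedomain,dc=com` are constructed from names that appear in the thread.

```python
"""Added example (not from the FreeRADIUS list thread): rebuild the group
membership filter rlm_ldap expands from %{Ldap-UserDn}, and flag debug
lines where that expansion came out empty, as in the post above."""
import re

# Membership template as it appears in the debug output above (from the post).
GROUP_MEMBERSHIP_TEMPLATE = (
    "(|(&(objectClass=GroupOfNames)(member={dn}))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember={dn})))"
)

# RFC 4515 escapes for values substituted into an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal value inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_cn, user_dn):
    """Return the filter for 'is user_dn a member of group_cn'.

    An empty DN is rejected instead of yielding (member=), which is what the
    debug output shows and which no group entry can ever match."""
    if not user_dn:
        raise ValueError("Ldap-UserDn is empty: user DN not resolved before group check")
    membership = GROUP_MEMBERSHIP_TEMPLATE.format(dn=escape_filter_value(user_dn))
    return "(&(cn={}){})".format(escape_filter_value(group_cn), membership)


# Matches a membership clause whose value expanded to nothing.
_EMPTY_MEMBER = re.compile(r"\((?:member|uniquemember)=\)")
_GROUP_CN = re.compile(r"\(&\(cn=([^)]*)\)")


def find_empty_expansions(log_lines):
    """Return (line_no, group_cn) for each search filter in the debug log whose
    membership clause was expanded with an empty user DN."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        cn = _GROUP_CN.search(line)
        if cn and _EMPTY_MEMBER.search(line):
            hits.append((line_no, cn.group(1)))
    return hits


# Constructed sample: two filters as rlm_ldap prints them, one expanded empty
# (as in the post) and one expanded with a resolved DN.
SAMPLE_LOG = [
    "[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter",
    "(&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))"
    "(&(objectClass=GroupOfUniqueNames)(uniquemember=))))",
    "[ldap] object not found",
    "(&(cn=tier2)(|(&(objectClass=GroupOfNames)"
    "(member=uid=bob.smith,ou=People,dc=somedomain,dc=com))"
    "(&(objectClass=GroupOfUniqueNames)"
    "(uniquemember=uid=bob.smith,ou=People,dc=somedomain,dc=com))))",
]

if __name__ == "__main__":
    print("empty expansions:", find_empty_expansions(SAMPLE_LOG))
    print(build_group_filter("tier3", "uid=bob.smith,ou=People,dc=somedomain,dc=com"))
```

Running `find_empty_expansions` over a debug capture like the one above points straight at the broken searches (here the tier3 line), while `build_group_filter` shows the filter that should have been issued once the user DN is actually populated.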