Returning attributes based on group membership using NTLM_AUTH

Moe, John jmoe at hatch.com.au
Wed Aug 3 01:33:12 CEST 2011


I'm trying to set up switch logons for IT staff.  Some will get operator
(limited, read-only) access, some get manager (full) access.  I've got two
Active Directory groups that control which access they get.

I've got the ntlm_auth section working with two different instances, one for
each, using the "--require-membership-of" switch to ntlm_auth.

**** modules/ntlm_auth ****

exec ntlm_auth.swcmgr {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
}

exec ntlm_auth.swcoper {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
}

**** End of file ****

I've also got the following in my users file:

**** users ****

DEFAULT         Auth-Type = ntlm_auth.swcmgr, Service-Type == 7, NAS-Port-Type == 5
        Service-Type := 6,
#       Fall-Through = Yes

#DEFAULT                Auth-Type = ntlm_auth.swcoper, Service-Type == 7, NAS-Port-Type == 5
#       Service-Type := 7

**** End of file ****

And in sites-enabled/default, I've listed these two in the authenticate
section.

With the config above, it'll let managers in with manager access, but not
operators.  If I comment out the first DEFAULT line in the users file, and
uncomment the second, it'll let operators in with operator access, but not
managers.  But if I uncomment both, operators get denied access on the
first DEFAULT line, and processing stops.  If I uncomment the
"Fall-Through" line, it appears to only fall through on success of the first
DEFAULT section, not on failure.

What's the best way to accomplish what I want?  I think I'd need to use
unlang somehow, but the sites-enabled/default says unlang should go in
post-auth, and I think I need it in the authenticate section?  Or should I
be looking to do it in the modules/ntlm_auth file?  Is this too complicated
for unlang, should I be looking at perl or python?  Or am I overcomplicating
things?  Any pointers would be appreciated.


John H. Moe
Network Support - Hatch IT
HATCH
Tel: +61 (7) 3166 7777
Direct: +61 (7) 3166 7684
Fax: +61 (7) 3368 3754
Mobile: +61 438 772 425
61 Petrie Terrace, Brisbane, Queensland Australia 4000
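One way to get a single accept/reject decision plus a group-dependent reply attribute, as an added example that is not from the original post or from the FreeRADIUS project: a wrapper script run by one exec instance that tries the manager group first and falls back to the operator group, printing the reply attribute on stdout for rlm_exec to pick up. The instance name ntlm_auth.switch, the script path and the test credentials are assumptions; the domain, group names and Service-Type values are those from the post.

```shell
#!/bin/sh
# Wrapper called by ONE rlm_exec instance instead of the two per-group
# instances in the original post.  Assumed module definition (hypothetical
# name; would replace ntlm_auth.swcmgr / ntlm_auth.swcoper in modules/ntlm_auth):
#
#   exec ntlm_auth.switch {
#       wait = yes
#       output_pairs = reply
#       program = "/usr/local/bin/switch_auth.sh %{User-Name} %{User-Password}"
#   }
#
# With wait = yes and output_pairs = reply, rlm_exec adds whatever the script
# prints as reply attributes and maps exit status 0 -> ok, 1 -> reject.

NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"   # overridable for testing
DOMAIN="MYDOMAIN"

# in_group USER PASSWORD GROUP
# Succeeds only if the credentials verify AND the user is in DOMAIN\GROUP,
# which is exactly what --require-membership-of enforces.
in_group() {
    "$NTLM_AUTH" --request-nt-key --domain="$DOMAIN" \
        --username="$1" --password="$2" \
        --require-membership-of="$DOMAIN\\$3" >/dev/null 2>&1
}

# switch_auth USER PASSWORD
# The more privileged group is checked first, so a user in both groups gets
# manager access.  Prints the reply attribute (numeric Service-Type values as
# in the original users file: 6 = manager, 7 = operator) and returns 0;
# returns 1 (reject) when neither membership check passes.
switch_auth() {
    if in_group "$1" "$2" "SWITCH-MANAGERS"; then
        echo "Service-Type = 6"
        return 0
    elif in_group "$1" "$2" "SWITCH-OPERATORS"; then
        echo "Service-Type = 7"
        return 0
    fi
    return 1
}

# Entry point when rlm_exec runs the script with two arguments.
if [ "$#" -eq 2 ]; then
    switch_auth "$1" "$2"
    exit $?
fi
```

The users file then needs only one DEFAULT entry with Auth-Type = ntlm_auth.switch and no Service-Type reply item, since the script supplies it.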
