Using rlm_passwd as a substitute for hunt groups - was (Devices in more than one huntgroup)
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Aug 31 13:41:43 CEST 2011
On 31 Aug 2011, at 13:17, Jan.Weiss at t-systems.com wrote:
>> Thanks for the answer!
>>
>> But there are several problems for me:
>> - I have no access to LDAP, new groups are not as easy to implement as in small environments
>> - I already have more than 20 DEFAULT-entries for different huntgroup/ldap-group combinations
>> and splitting nexus to nexus_RO and nexus_RW means adding additional 5 entries minimum
>> I'm searching for a more scalable solution. If the next team should get access to different
>> devices, and then the third team to a third group of devices, or other rights...
>
> Hi,
>
> In this thread I found a hint for my config:
>
> http://freeradius.1045715.n5.nabble.com/huntgroups-question-td2756193.html
>
> "The huntgroups are a bit of a hack for backwards compatibility going
> back almost a decade. For 2000 machines, I would suggest using
> rlm_passwd. See the "man rlm_passwd" page for an example of setting up
> groups based on User-Name. The same method can be used to set up groups
> based on Client-IP-Address. You then have groups controlled by a flat
> text file, which is pretty easy to manage."
>
> passwd groups_local {
>     filename = /etc/raddb/groups_local
>     format = "~My-Device-Group:*NAS-IP-Address"
>     hashsize = 50
>     ignorenislike = no
>     allowmultiplekeys = no
>     delimiter = ":"
> }
>
> Groups_local:
> readonly:127.0.0.1
>
> Groups_local is called in section "authorize" just after "preprocess".
>
> I always got "returs notfound". If I add User-Name to the config, it's working.
> But I didn't want to check the username, I just want to add another flag (My-Device-Group)
> in addition to huntgroups.
>
Did you remember to actually define 'My-Device-Group' as an attribute?
-Arran
Arran Cudbard-Bell
a.cudbardb at freeradius.org
RADIUS - Half the complexity of Diameter
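To make the flat-file lookup in the quoted config concrete, here is an added Python emulation (not FreeRADIUS code, and not from either poster) of how an rlm_passwd `format` string maps file columns to a key field (`*`, or `*,` for a comma-separated multi-valued key), check items (`=`) and reply items (`~`), run over a constructed groups_local file keyed on NAS-IP-Address. It goes slightly beyond the thread's format by using the multi-valued key form, so one line can cover several devices; the handling of unprefixed columns and the "notfound" result are assumptions of this emulation taken from the man-page summary quoted above, not the module's source.

```python
def parse_format(fmt, delimiter=":"):
    """Split an rlm_passwd-style format string into (kind, multi, name)
    per column: '*' key ('*,' = comma-separated multi-valued key),
    '=' check item, '~' reply item. Unprefixed columns are skipped here
    (an assumption of this emulation, not the module's documented rule)."""
    fields = []
    for name in fmt.split(delimiter):
        kind, multi = None, False
        if name.startswith("*"):
            kind, name = "key", name[1:]
            if name.startswith(","):
                multi, name = True, name[1:]
        elif name[:1] in ("=", "~"):
            kind, name = {"=": "check", "~": "reply"}[name[0]], name[1:]
        fields.append((kind, multi, name))
    return fields

def lookup(lines, fmt, request, delimiter=":"):
    """Emulate one lookup: the first line whose every key column matches
    the request yields its check/reply items; otherwise 'notfound'."""
    fields = parse_format(fmt, delimiter)
    for line in lines:
        cols = line.rstrip("\n").split(delimiter)
        if len(cols) != len(fields):
            continue  # wrong column count: skip malformed or blank line
        check, reply, hit = {}, {}, True
        for col, (kind, multi, name) in zip(cols, fields):
            if kind == "key":
                have = col.split(",") if multi else [col]
                hit = hit and request.get(name) in have
            elif kind == "check":
                check[name] = col
            elif kind == "reply":
                reply[name] = col
        if hit:
            return "ok", check, reply
    return "notfound", {}, {}

# Constructed flat file in the thread's "group:NAS-IP-Address" layout;
# the multi-valued key ('*,') lets one line list several devices.
GROUPS_LOCAL = ["readonly:127.0.0.1", "nexus_RO:10.0.0.1,10.0.0.2"]
FORMAT = "~My-Device-Group:*,NAS-IP-Address"

def device_group(nas_ip, lines=GROUPS_LOCAL):
    rcode, _, reply = lookup(lines, FORMAT, {"NAS-IP-Address": nas_ip})
    return reply.get("My-Device-Group") if rcode == "ok" else None

if __name__ == "__main__":
    for ip in ("127.0.0.1", "10.0.0.2", "192.0.2.9"):
        print(ip, "->", device_group(ip))
```

A request that carries no NAS-IP-Address at all cannot match any key column, so the emulation returns "notfound" for it just as the thread reports.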