using multiple LDAP queries for authorization
Coy Hile
coy.hile at coyhile.com
Fri Dec 19 00:16:10 CET 2014
Hi all,
I admit this is quite a complicated first question, but I'm setting up
FR in a lab to try to replace an existing production deployment of a
commercial alternative. Currently, we can permission a user for
access to some network device via the following tuples (in order of
decreasing specificity): (user, device), (user, group of devices), (group of
users, device), (group of users, group of devices). So we say,
effectively in pseudocode:
For authorization:
    Check if a user with uid=%{User-Name} exists and return the user's group
    if exists(acl(user, device)) {
        based on the assigned access profile, query LDAP for the
        appropriate VSAs
    } else if exists(acl(user, group of devices)) {
        based on the assigned access profile, query LDAP for the
        appropriate VSAs
    } else if exists(acl(usergroup, device)) {
        ....
    } else if exists(acl(usergroup, group of devices)) {
        ....
    } else {
        return reject
    }
For authentication:
Kerberos
The authentication part is trivial, as is the first check under
authorization; the existing documentation explains how to do that sort
of check. I can see from the unlang manpage how to call out to one or
the other module. Is what I'm trying to do something one can do with
rlm_ldap, or is it something that would be better done with
rlm_python? (Yes, LDAP in Python sucks rocks through straws, so I'm
trying to avoid that if possible.)
Thanks,
-c
--
Coy Hile
coy.hile at coyhile.com
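The ordered fall-through that the post sketches, written out as runnable Python so the decision logic can be checked on its own. This is an added example, not FreeRADIUS project code and not the poster's configuration: the in-memory DIRECTORY stands in for LDAP, and its layout, the ACL tuple shape, the Cisco-AVPair values, the use of NAS-Identifier as the device key and the rlm_python entry-point shape (authorize(p) receiving a tuple of (attribute, value) pairs) are all assumptions. Each call to find_acl() corresponds to one "exists(acl(...))" check in the pseudocode, which in a real deployment would be one rlm_ldap search with a filter built from the same four values; the tiers are tried in the post's order and the first hit wins.

```python
"""Ordered ACL resolution for device access, as sketched in the post.

Added example, not FreeRADIUS project code. The in-memory DIRECTORY
stands in for LDAP; its layout, the attribute names and the
profile-to-VSA mapping are constructed assumptions.
"""

# Constructed stand-in for the LDAP tree.
DIRECTORY = {
    "users": {  # uid -> user's group (the post's first lookup)
        "alice": "netops",
        "bob": "helpdesk",
    },
    "device_groups": {  # device group -> member devices (NAS identifiers)
        "core-routers": {"rtr1", "rtr2"},
        "access-switches": {"sw1"},
    },
    # ACL tuples: (subject kind, subject, target kind, target, access profile)
    "acls": [
        ("user", "alice", "device", "rtr1", "admin"),
        ("user", "alice", "devgroup", "access-switches", "operator"),
        ("usergroup", "netops", "device", "rtr2", "operator"),
        ("usergroup", "helpdesk", "devgroup", "core-routers", "readonly"),
    ],
    "profiles": {  # access profile -> VSAs to return (assumed values)
        "admin": (("Cisco-AVPair", "shell:priv-lvl=15"),),
        "operator": (("Cisco-AVPair", "shell:priv-lvl=7"),),
        "readonly": (("Cisco-AVPair", "shell:priv-lvl=1"),),
    },
}

# Lookup order from the post: most specific tuple first.
TIERS = (
    ("user", "device"),
    ("user", "devgroup"),
    ("usergroup", "device"),
    ("usergroup", "devgroup"),
)


def find_acl(subject_kind, subject, target_kind, targets):
    """One 'exists(acl(...))' check: profile of the first ACL matching this
    tier, or None. In rlm_ldap this would be a single search whose filter
    is built from the same four values. Directory order decides ties."""
    for kind_s, subj, kind_t, tgt, profile in DIRECTORY["acls"]:
        if (kind_s == subject_kind and subj == subject
                and kind_t == target_kind and tgt in targets):
            return profile
    return None


def authorize_user(username, device):
    """Return ((subject kind, target kind), profile, vsas) for the first
    tier that matches, or None meaning reject."""
    group = DIRECTORY["users"].get(username)
    if group is None:
        return None  # unknown uid: reject before any ACL lookup
    device_groups = {g for g, members in DIRECTORY["device_groups"].items()
                     if device in members}
    subjects = {"user": username, "usergroup": group}
    targets = {"device": {device}, "devgroup": device_groups}
    for subject_kind, target_kind in TIERS:
        if not targets[target_kind]:
            continue  # device belongs to no group: the group tiers cannot match
        profile = find_acl(subject_kind, subjects[subject_kind],
                           target_kind, targets[target_kind])
        if profile is not None:
            return (subject_kind, target_kind), profile, DIRECTORY["profiles"][profile]
    return None


# rlm_python glue. The radiusd module only exists inside the server; the
# fallback constants are the return codes rlm_python uses (assumed here).
try:
    import radiusd
    RLM_MODULE_OK, RLM_MODULE_REJECT = radiusd.RLM_MODULE_OK, radiusd.RLM_MODULE_REJECT
except ImportError:
    RLM_MODULE_OK, RLM_MODULE_REJECT = 2, 0


def authorize(p):
    """Assumed rlm_python entry point: p is a tuple of (attribute, value)
    pairs. Device identity is taken from NAS-Identifier here; swap in
    NAS-IP-Address if that is what the deployment keys ACLs on."""
    attrs = dict(p)
    result = authorize_user(attrs.get("User-Name", ""), attrs.get("NAS-Identifier", ""))
    if result is None:
        return RLM_MODULE_REJECT
    _, _, vsas = result
    return (RLM_MODULE_OK, tuple(vsas), ())
```

The same shape carries over to pure unlang: one ldap instance (or one filter) per tier, chained with if/elsif on whether the search returned anything, with a final else that rejects. The two checks worth keeping whichever way it is built are the early reject for an unknown uid and the explicit skip of the device-group tiers when the device is in no group, so a missing group membership never falls through to a broader match by accident.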