Is it possible to set up multiple user definitions with different privileges when using an LDAP backend?
Les Stott
Less at imagine-sw.com
Fri Oct 10 02:19:51 CEST 2014
Hi,
I have freeradius 2.1.12 on RHEL6 which uses FreeIPA as an LDAP backend. All is working fine.
The config I have set up is as follows:
LDAP group sys_admins contains users who get privileges to authenticate and log in to RADIUS-based devices (Cisco routers/switches, UCS, F5, Brocade).
The RADIUS config for the ldap module checks group sys_admins for membership (/etc/raddb/modules/ldap):
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{check:Ldap-UserDn})))"
groupmembership_attribute = sys_admins
In /etc/raddb/users I have...
DEFAULT Ldap-Group == "cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
        Auth-Type := Accept,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:roles*\"admin network-admin vdc-admin\"",
        Cisco-AVPair += "shell:priv-lvl=15",
        Fall-Through = No,
        F5-LTM-User-Role = 0,
        F5-LTM-User-Info-1 = administrator,
        F5-LTM-User-Partition = common,
        F5-LTM-User-Shell = tmsh,
        Brocade-Auth-Role += "admin",
        Brocade-AVPairs1 += "HomeLF=0",
        Brocade-AVPairs2 += "LFRoleList=admin:0-255",
        Brocade-AVPairs3 += "ChassisRole=admin"

DEFAULT Auth-Type := Reject
        Reply-Message = "You do not have permission to access this device.",
        Fall-Through = Yes
This is all working fine.
My problem is that I need to have a user set up in LDAP for monitoring purposes (using Icinga), which should be a read-only user for the UCS and not have access to the Brocade, F5 or other Cisco devices.
I've tried a lot of different configs and nothing has worked. Adding a specific user definition to /etc/raddb/users with appropriate privilege levels doesn't help, as it seems to still require that the user belong to the LDAP group sys_admins, which means they get access to all devices.
Does anyone know of a way to have multiple user definitions in /etc/raddb/users with LDAP backends with differing privilege levels?
Could the ldap module be duplicated, like the files module, which allows a second users file?
Is it even possible? Any alternatives?
Thanks,
Les
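The following /etc/raddb/users fragment is an added example, not part of the original post or of FreeRADIUS itself. It shows the pattern the question is reaching for: rather than one group that grants everything, each privilege level gets its own DEFAULT entry keyed on a different Ldap-Group check item, and the lower-privileged entry is additionally restricted to the devices it may reach. It assumes a second LDAP group (the DN cn=monitoring,... is a placeholder), that the UCS fabric interconnects are the only NAS clients listed under a huntgroup named "ucs" in /etc/raddb/huntgroups (so that the preprocess module sets Huntgroup-Name), and that "read-only" is the UCS role name to hand out; the sys_admins entry keeps the attributes from the post.

```conf
# Added example users file (not from the original post).
# Entries are evaluated top to bottom. A DEFAULT entry applies only when
# every check item on its first line matches; with Fall-Through = No the
# first matching entry is final, so ordering is the privilege policy.

# 1. Full administrators: any LDAP user in sys_admins, on any device.
DEFAULT Ldap-Group == "cn=sys_admins,cn=groups,cn=accounts,dc=mydomain,dc=com"
        Auth-Type := Accept,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:roles*\"admin network-admin vdc-admin\"",
        Cisco-AVPair += "shell:priv-lvl=15",
        F5-LTM-User-Role = 0,
        F5-LTM-User-Info-1 = administrator,
        F5-LTM-User-Partition = common,
        F5-LTM-User-Shell = tmsh,
        Brocade-Auth-Role += "admin",
        Brocade-AVPairs1 += "HomeLF=0",
        Brocade-AVPairs2 += "LFRoleList=admin:0-255",
        Brocade-AVPairs3 += "ChassisRole=admin",
        Fall-Through = No

# 2. Monitoring account: a second LDAP group (placeholder DN), accepted only
#    when the request arrives from a NAS in the "ucs" huntgroup, and given
#    only the read-only UCS role. No F5 or Brocade attributes are returned,
#    so those device types never see an authorisation for this group.
DEFAULT Ldap-Group == "cn=monitoring,cn=groups,cn=accounts,dc=mydomain,dc=com", Huntgroup-Name == "ucs"
        Auth-Type := Accept,
        Service-Type = "NAS-Prompt-User",
        Cisco-AVPair = "shell:roles*\"read-only\"",
        Fall-Through = No

# 3. Everyone else, including a monitoring user who reaches a non-UCS
#    device: the Huntgroup-Name check above fails, so the request falls
#    through to this explicit reject.
DEFAULT Auth-Type := Reject
        Reply-Message = "You do not have permission to access this device."
```

The corresponding /etc/raddb/huntgroups entry would be one line per UCS management address, for example `ucs NAS-IP-Address == 192.0.2.10` (a constructed address). Keep the reject entry last and unconditional: the deny-by-default behaviour is what makes adding a third or fourth group safe, because a group that matches no entry is rejected rather than inheriting the administrators' attributes. The Ldap-Group check item is resolved by the ldap module at the time the entry is evaluated, so no change to the module's group settings is needed beyond the groups existing in the directory.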