Questions about ldap authentication, huntgroup and authorize file

Jérôme BERTHIER Jerome.Berthier at inria.fr
Tue Oct 10 18:00:52 CEST 2017


Hello Alan,

Le 09/10/2017 à 23:38, Alan DeKok a écrit :
> On Oct 9, 2017, at 10:29 AM, Jérôme BERTHIER <Jerome.Berthier at inria.fr> wrote:
>> The filter replies with different vendor-specific attributes for each ldap group and finally, we reject the authentication if there is no match.
>    OK.
>
>> For example, for devices from Juniper, we use this setup:
>>
>> DEFAULT         Ldap-Group==ldap_group_1,Huntgroup-Name == JuniperNet
>>              Service-Type = Login,
>>              Juniper-Local-User-Name := "radius-admin"
>> DEFAULT         Ldap-Group==ldap_group_2,Huntgroup-Name == JuniperNet
>>              Service-Type = Login,
>>              Juniper-Local-User-Name := "radius-operator"
>> DEFAULT        Auth-Type := Reject,Huntgroup-Name == JuniperNet
>    You can also do that all in "unlang", which might be clearer.

Something like that?

        if (Ldap-Group == "ldap_group_1" && Huntgroup-Name == "JuniperNet") {
                update {
                        reply:Service-Type = Login
                        reply:Juniper-Local-User-Name := "radius-admin"
                }
        }
        elsif (Ldap-Group == "ldap_group_2" && Huntgroup-Name == "JuniperNet") {
                update {
                        reply:Service-Type = Login
                        reply:Juniper-Local-User-Name := "radius-operator"
                }
        }
        elsif (Huntgroup-Name == "JuniperNet") {
                reject
        }

>
>> I still have a few questions:
>>
>> 1) I notice that the variable Ldap-Group is no longer set by the last ldap instance called. So, I corrected my config to describe the default instance ldap {}. It works, but is it planned to be able to call another instance in the authorize file?
>    The LDAP-Group attribute is created only for the "ldap" module.  If you have multiple LDAP modules (e.g. ldap ldap1 { ...} ), then there will be an attribute created called "ldap1-LDAP-Group"

Do you mean that I need to setup one module file for each ldap server ?

In the authorize file, I tried to use this attribute associated with each
ldap server listed in the ldap module file.
For example:

DEFAULT     myldap1-Ldap-Group=="ldap_group_1" , Huntgroup-Name == JuniperNet
             Service-Type = Login,
             Juniper-Local-User-Name := "radius-admin"

then radiusd does not start because the attribute is unknown:

/etc/raddb/mods-config/files/authorize[229]: Parse error (check) for entry DEFAULT: Unknown attribute "myldap1-Ldap-Group"
Failed reading /etc/raddb/mods-config/files/authorize
/etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

Regards,

-- 
Jérôme BERTHIER