NAS-restricted users

brent s. bts at square-r00t.net
Wed May 9 18:07:36 CEST 2018


Hey all!

First off, sorry for the noob questions.

I've been reading the docs and previous mailing posts, but I'm still a
little unclear on some things and wanted to run something by the list
first for a sanity check/to see if there's a better way of doing this.

I store NASes in MySQL and user accounts in LDAP (if necessary, this can
be changed to store NASes in LDAP as well). I want to only allow users
to authenticate if they're coming from a specific NAS associated with
their account.

1.) What would be the most appropriate attribute for this in LDAP?
Accounts currently have the following objectClasses: account,
extensibleObject, radiusprofile, simpleSecurityObject, top.

I'm thinking radiusClientShortname (since this attribute wouldn't have a
"meaningful" association for radiusprofile but is available for use via
extensibleObject objectClass - I would store the NASes in a separate
base DN from the users).

2.) Can I even use the ${shortname} macro in a
raddb/mods-available/ldap:ldap{user{filter=}} context? I would *assume*
so since the NAS handling is done before the authentication handling,
but assumptions are a bad thing to operate off of. The unlang
documentation indicates I can't use unlang in this context, which is
fine since I can just incorporate it into the LDAP filter, but I'm
having some difficulty finding which macros are available where.

3.) Is there a better way to do this (preferably without duplicating NAS
entries)? Ideally without using huntgroups or the like, which is how I
usually see this sort of functionality achieved.

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
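An added configuration example (not from the original post or the FreeRADIUS project) showing one way to express the per-NAS restriction in the ldap module's user filter. It assumes FreeRADIUS 3.0.x, where the request-time xlat `%{client:shortname}` returns the shortname of the client definition matched for the incoming NAS (from clients.conf, or from the SQL `nas` table when the sql module has `read_clients = yes`), and that each LDAP account carries a `radiusClientShortname` value as the post proposes; server name, bind DN and base DN are constructed values.

```freeradius
# raddb/mods-available/ldap (excerpt; assumed layout, FreeRADIUS 3.0.x)
ldap {
    server   = "ldap.example.com"              # constructed value
    identity = "cn=radius,dc=example,dc=com"   # constructed value
    password = "CHANGE-ME"                     # constructed placeholder

    user {
        base_dn = "ou=people,dc=example,dc=com"   # constructed value

        # Match the account by uid AND require that the entry names the NAS
        # the request arrived from. %{client:shortname} is a per-request xlat
        # (unlike a ${...} config variable, which is substituted once at
        # startup), so it is expanded after the NAS has been identified by
        # its source address. An entry that lacks the attribute, or that
        # names a different NAS, is simply not found and the request is
        # rejected; the filter cannot match a NAS that is not in the
        # client list at all, because such requests are dropped earlier.
        filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusClientShortname=%{client:shortname}))"
    }
}
```

Run `radiusd -X` and send a test request from a known NAS: the debug output prints the fully expanded filter, which is the quickest way to confirm the xlat resolved to the expected shortname before relying on it for access control.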
