On Wed, Aug 04, 2004 at 10:52:28AM -0400, Alan DeKok wrote:
> "Geoffrey Cauchi" <[EMAIL PROTECTED]> wrote:
> > Did you have any reply re. this?  We are facing a very similar problem and
> > it would be greatly appreciated if you could tell us how you solved the
> > problem.
> 
>   So far, I don't think he has.
> 
>   I've taken a quick look at the problem, but I'm not sure what's
> going wrong, so I'm not sure I can suggest any fix or work-around.
> 
>   Alan DeKok.

OK, I have looked at the rlm_ldap documentation and here is what I have.
I have restarted radiusd and everyone is still able to log into each
device successfully. I only want certain people with matching
radiusGroupName attributes to be able to log into the respective device
and anyone else to be rejected. What am I doing wrong here:

1) In the users file, I have the following (pay attention to the
Ldap-Group entry):

DEFAULT         Huntgroup-Name == "Cisco"
                Auth-Type := LDAP,
                Service-Type := 6,
                Ldap-Group == cisco,
                Fall-Through = Yes
                                                                                
DEFAULT         Huntgroup-Name == "Juniper-E-series"
                Auth-Type := LDAP,
                Ldap-Group == junipere,
                Fall-Through = Yes
                                                                                
DEFAULT         Huntgroup-Name == "Juniper-M-Series"
                Auth-Type := LDAP,
                Ldap-Group == juniperm,
                Fall-Through = No


2) My LDAP schema has the following (pay attention to radiusGroupName):

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vFGHHGJxzesR5Y/rodHeQbF9yiAAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: ERX-Cli-Initial-Access-Level := "15"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusGroupName: cisco
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

3) In my radiusd.conf file, I have groupname_attribute = radiusGroupName
and groupmembership_attribute = radiusGroupName.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

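Added example (not part of the thread and not FreeRADIUS code): a small Python model of how a FreeRADIUS 1.x "users" file entry is matched. It exists to make one rule visible: only the first line of an entry carries check items; every item on the indented continuation lines is a reply item, so an "Ldap-Group == cisco" written there is handed back to the NAS rather than tested, and the entry matches anyone in the huntgroup. The model parses an abridged copy of the posted users file next to a version with Ldap-Group moved onto the check line and an explicit "Auth-Type := Reject" catch-all entry. DIRECTORY (uid to radiusGroupName values), HUNTGROUPS (NAS address to Huntgroup-Name), the NAS addresses and the user "marge" are constructed stand-ins for rlm_ldap's group compare and the huntgroups file, and Auth-Type handling is reduced to what the comparison needs; the LDAP bind itself is assumed to succeed.

```python
"""Simplified model of FreeRADIUS 1.x 'users' file matching. Added example,
not FreeRADIUS code. Point shown: only the FIRST line of an entry holds check
items; anything on the indented lines is a reply item, so 'Ldap-Group == x'
placed there is sent to the NAS, never tested. DIRECTORY and HUNTGROUPS are
constructed stand-ins for rlm_ldap's group compare and the huntgroups file;
Auth-Type is reduced to ':=' setting it and the value 'Reject' rejecting."""
import re
from dataclasses import dataclass, field

DIRECTORY = {"homer": {"cisco"}, "marge": {"junipere"}}            # uid -> radiusGroupName (constructed)
HUNTGROUPS = {"10.0.0.1": "Cisco", "10.0.0.2": "Juniper-E-series"}  # NAS-IP -> Huntgroup-Name (constructed)

# Abridged users file as posted: Ldap-Group sits on the reply lines.
POSTED = """\
DEFAULT         Huntgroup-Name == "Cisco"
                Auth-Type := LDAP,
                Service-Type := 6,
                Ldap-Group == cisco,
                Fall-Through = Yes

DEFAULT         Huntgroup-Name == "Juniper-E-series"
                Auth-Type := LDAP,
                Ldap-Group == junipere,
                Fall-Through = No
"""

# Ldap-Group moved onto the check line, plus an explicit catch-all reject.
CORRECTED = """\
DEFAULT         Huntgroup-Name == "Cisco", Ldap-Group == cisco, Auth-Type := LDAP
                Service-Type := 6,
                Fall-Through = No

DEFAULT         Huntgroup-Name == "Juniper-E-series", Ldap-Group == junipere, Auth-Type := LDAP
                Fall-Through = No

DEFAULT         Auth-Type := Reject
                Reply-Message = "Not authorized for this device"
"""

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|\S+?)\s*(?:,|$)')

@dataclass
class Entry:
    name: str                                    # username or DEFAULT
    checks: list = field(default_factory=list)   # first line: (attr, op, value)
    replies: list = field(default_factory=list)  # indented lines: (attr, op, value)

def parse_items(text):
    """Split 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    """Unindented line = name + check items; indented lines = reply items."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # continuation: a reply item whatever operator was written
            entries[-1].replies.extend(parse_items(line))
        else:
            name, rest = (line.strip().split(None, 1) + [""])[:2]
            entries.append(Entry(name, parse_items(rest)))
    return entries

def compare(attr, value, request):
    """Evaluate one '==' check item against the request dict."""
    if attr == "Huntgroup-Name":
        return HUNTGROUPS.get(request.get("NAS-IP-Address")) == value
    if attr == "Ldap-Group":  # stand-in for rlm_ldap's Ldap-Group compare
        return value in DIRECTORY.get(request.get("User-Name"), set())
    return request.get(attr) == value

def authorize(users_text, request):
    """Return ('Accept' | 'Reject', reply items) for one request dict."""
    config, reply, matched = {}, [], False
    for entry in parse_users(users_text):
        if entry.name != "DEFAULT" and entry.name != request.get("User-Name"):
            continue
        if not all(compare(a, v, request) for a, op, v in entry.checks if op == "=="):
            continue
        matched = True
        for attr, op, value in entry.checks:  # ':=' / '=' apply only once matched
            if op == ":=" or (op == "=" and attr not in config):
                config[attr] = value
        fall_through = False
        for attr, _op, value in entry.replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.append((attr, value))  # sent back; never a condition
        if not fall_through:
            break
    # Unmatched: no Auth-Type from this file, rejected here. On the poster's
    # server rlm_ldap may still add one (radiusAuthType: LDAP in the entry),
    # which is why CORRECTED carries an explicit Auth-Type := Reject entry.
    if config.get("Auth-Type") == "Reject" or not matched:
        return "Reject", reply
    return "Accept", reply
```

Running authorize(POSTED, ...) for homer against the Juniper NAS (10.0.0.2) returns Accept even though his only radiusGroupName is cisco, because "Ldap-Group == junipere" never becomes a condition; authorize(CORRECTED, ...) for the same request falls past both huntgroup entries into the Reject entry. The catch-all is deliberate: without it the outcome for a non-member depends on no entry matching and on no other authorize module supplying an Auth-Type, whereas with it the deny is written down. On a real server the Ldap-Group compare also needs the ldap module instantiated and its group settings pointing at the attribute that holds the membership, which this model does not check.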