On Wed, Aug 04, 2004 at 02:14:41PM +0300, Kostas Kalevras wrote:
> On Tue, 3 Aug 2004, Robert Banniza wrote:
>
> > Guys,
> > I'm using Freeradius-0.9.3 with the rlm_ldap module (OpenLDAP backend)
> > and have most everything configured except this last little bit. I would
> > like to allow only certain users to have the ability to log in to only
> > certain switches. i.e. Cisco group will manage cisco devices and juniper
> > group can only manage juniper devices.
> >
> > I thought I could do this by placing:
> >
> > "Group = operator"
> >
> > in the huntgroups file under each individual huntgroup and then adding a
> >
> > "radiusReplyItem: Group := operator"
>
> The correct radius group attribute is Ldap-Group. And you don't set group
> membership in this way. Please read the ldap documentation in the doc folder.
OK, I have looked at the rlm_ldap documentation and here is what I have. I
have restarted radiusd and everyone is still able to log into each device
successfully. I only want certain people with matching radiusGroupName
attributes to be able to log into the respective device and anyone else to
be rejected. What am I doing wrong here:

1) In the users file, I have the following (pay attention to the Ldap-Group
entry):

DEFAULT Huntgroup-Name == "Cisco"
        Auth-Type := LDAP, Service-Type := 6, Ldap-Group == cisco, Fall-Through = Yes

DEFAULT Huntgroup-Name == "Juniper-E-series"
        Auth-Type := LDAP, Ldap-Group == junipere, Fall-Through = Yes

DEFAULT Huntgroup-Name == "Juniper-M-Series"
        Auth-Type := LDAP, Ldap-Group == juniperm, Fall-Through = No

2) My LDAP schema has the following (pay attention to radiusGroupName):

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vFGHHGJxzesR5Y/rodHeQbF9yiAAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: ERX-Cli-Initial-Access-Level := "15"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusGroupName: cisco
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

3) In my radiusd.conf file, I have groupname_attribute = radiusGroupName and
groupmembership_attribute = radiusGroupName.

> > in my ldap schema. However, this has managed to seg fault the radiusd
> > process. Is this the correct way to go about adding tiered access to my
> > routers/switches?
> > If not, I would appreciate any help out there.
> >
> > Robert
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Kostas Kalevras                  Network Operations Center
> [EMAIL PROTECTED]                National Technical University of Athens, Greece
> Work Phone: +30 210 7721861
> 'Go back to the shadow' Gandalf
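Added illustration, not part of the thread or of FreeRADIUS itself: a toy Python model of how the users file is walked (entries in order, all check items on the first line must hold, reply items collected, Fall-Through decides whether the scan continues). It goes a little beyond the posted config by placing the thread's layout, where Ldap-Group sits among the reply items, next to a constructed layout with Ldap-Group as a check item and a catch-all reject entry; the users homer and lisa, their group lists, and both users-file texts are constructed for the example.

```python
import re

# Added example, not from the thread: a toy model of how FreeRADIUS processes
# the 'users' file. Entries are tried top to bottom; one applies only when all
# check items on its first line hold; its reply items are collected; the scan
# stops after the first applying entry unless it carries Fall-Through = Yes.
ITEM_RE = re.compile(r'([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)')

def parse_users(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(line)]
        if line[0].isspace():          # indented continuation: reply items
            entries[-1]["reply"] += items
        else:                          # "NAME check-item, check-item, ..."
            entries.append({"name": line.split()[0], "check": items, "reply": []})
    return entries

def holds(request, attr, value):
    # list-valued request attributes (e.g. several LDAP groups) match any member
    have = request.get(attr)
    return value == have or (isinstance(have, (list, set, tuple)) and value in have)

def authorize(entries, request):
    result = {}                        # what this file sets for the request
    for e in entries:
        if e["name"] != "DEFAULT" and e["name"] != request.get("User-Name"):
            continue
        if not all(holds(request, a, v) for a, op, v in e["check"] if op == "=="):
            continue                   # a failed check item skips the whole entry
        result.update({a: v for a, op, v in e["check"] if op != "=="})
        result.update({a: v for a, _, v in e["reply"] if a != "Fall-Through"})
        fall = {a: v for a, _, v in e["reply"]}.get("Fall-Through", "No")
        if fall.lower() != "yes":
            break
    return result                      # empty if no entry matched at all

# Constructed entry in the thread's layout: Ldap-Group among the reply items is copied, not checked.
AS_POSTED = '''DEFAULT Huntgroup-Name == "Cisco"
        Auth-Type := LDAP, Service-Type := 6, Ldap-Group == cisco, Fall-Through = Yes
'''
# Same policy with Ldap-Group as a check item and a catch-all reject below it.
AS_CHECK_ITEM = '''DEFAULT Huntgroup-Name == "Cisco", Ldap-Group == cisco, Auth-Type := LDAP
        Service-Type := 6
DEFAULT Auth-Type := Reject
'''
HOMER = {"User-Name": "homer", "Huntgroup-Name": "Cisco", "Ldap-Group": ["cisco"]}
LISA = {"User-Name": "lisa", "Huntgroup-Name": "Cisco", "Ldap-Group": ["junipere"]}
```

With the posted layout, lisa (no cisco group) on the Cisco huntgroup still collects Auth-Type := LDAP; with the check-item layout she falls through to the reject entry.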