On Wed, Aug 04, 2004 at 02:14:41PM +0300, Kostas Kalevras wrote:
> On Tue, 3 Aug 2004, Robert Banniza wrote:
> 
> > Guys,
> > I'm using Freeradius-0.9.3 with the rlm_ldap module (OpenLDAP backend)
> > and have most everything configured except this last little bit. I would
> > like to allow only certain users to have the ability to log in to only
> > certain switches. i.e. Cisco group will manage cisco devices and juniper
> > group can only manage juniper devices.
> >
> > I thought I could do this by placing:
> >
> > "Group = operator"
> >
> > in the huntgroups file under each individual huntgroup and then adding a
> >
> > "radiusReplyItem: Group := operator"
> 
> The correct radius group attribute is Ldap-Group. And you don't set group
> membership in this way. Please read the ldap documentation in the doc folder.

OK, I have looked at the rlm_ldap documentation and here is what I have.
I have restarted radiusd and everyone is still able to log into each
device successfully. I only want certain people with matching
radiusGroupName attributes to be able to log into the respective device
and anyone else to be rejected. What am I doing wrong here:

1) In the users file, I have the following (pay attention to the
Ldap-Group entry):

DEFAULT         Huntgroup-Name == "Cisco"
                Auth-Type := LDAP,
                Service-Type := 6,
                Ldap-Group == cisco,
                Fall-Through = Yes

DEFAULT         Huntgroup-Name == "Juniper-E-series"
                Auth-Type := LDAP,
                Ldap-Group == junipere,
                Fall-Through = Yes

DEFAULT         Huntgroup-Name == "Juniper-M-Series"
                Auth-Type := LDAP,
                Ldap-Group == juniperm,
                Fall-Through = No

2) My LDAP schema has the following (pay attention to radiusGroupName):

dn: uid=homer, ou=people, dc=test, dc=net
objectclass: person
objectclass: radiusprofile
objectclass: uidObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: extensibleObject
cn: Homer Simpson
sn: Simpson
loginShell: /bin/bash
userpassword: {SSHA}vFGHHGJxzesR5Y/rodHeQbF9yiAAxbMP
uidnumber: 2001
gidnumber: 20
homeDirectory: /home/homer
uid: homer
shadowLastChange: 10877
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0
radiusAuthType: LDAP
radiusReplyItem: Juniper-Local-User-Name := tier3
radiusReplyItem: ERX-Cli-Initial-Access-Level := "15"
radiusReplyItem: ERX-Alternate-Cli-Access-Level := "15"
radiusReplyItem: ERX-CLI-Allow-All-VR-Access := 1
radiusReplyItem: Cisco-AVPair := "shell:priv-lvl=15"
radiusGroupName: cisco
radiusprofileDN: uid=homer, ou=people, dc=test, dc=net

3) In my radiusd.conf file, I have groupname_attribute = radiusGroupName
and groupmembership_attribute = radiusGroupName.


> 
> >
> > in my ldap schema. However, this has managed to seg fault the radiusd
> > process. Is this the correct way to go about adding tiered access to my
> > routers/switches? If not, I would appreciate any help out there.
> >
> > Robert
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
> 
> --
> Kostas Kalevras               Network Operations Center
> [EMAIL PROTECTED]     National Technical University of Athens, Greece
> Work Phone:           +30 210 7721861
> 'Go back to the shadow'       Gandalf
> 

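Added example, not code from the thread or from FreeRADIUS: a small Python model of how rlm_files reads a users file, run over the three entries posted above and over a rewritten version of them. In a users file only the first line of an entry carries check items; the indented continuation lines are reply items, so an "Ldap-Group == cisco" on a continuation line is never compared against anything and the entry matches on Huntgroup-Name alone. The script reports which check items are actually compared for each layout. The in-memory directory (homer's groups and radiusAuthType from the posted LDIF, plus an invented user marge in the juniperm group), the catch-all "DEFAULT Auth-Type := Reject" entry and the reduction of rlm_ldap to a group lookup plus a radiusAuthType fallback are all constructed for the example.

```python
"""Toy model of how rlm_files evaluates a FreeRADIUS users file.

Added illustration for the thread above, not FreeRADIUS code. Rules from
users(5): only an entry's first line holds check items, indented continuation
lines are reply items, all check items must match, and later entries are
tried only after Fall-Through = Yes. The directory is a constructed table.
"""
import re

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')

# Constructed directory: homer as posted (radiusGroupName: cisco, radiusAuthType: LDAP); marge invented.
DIRECTORY = {
    "homer": {"groups": {"cisco"}, "radiusAuthType": "LDAP"},
    "marge": {"groups": {"juniperm"}, "radiusAuthType": "LDAP"},
}

POSTED_USERS = """\
DEFAULT         Huntgroup-Name == "Cisco"
                Auth-Type := LDAP,
                Service-Type := 6,
                Ldap-Group == cisco,
                Fall-Through = Yes

DEFAULT         Huntgroup-Name == "Juniper-E-series"
                Auth-Type := LDAP,
                Ldap-Group == junipere,
                Fall-Through = Yes

DEFAULT         Huntgroup-Name == "Juniper-M-Series"
                Auth-Type := LDAP,
                Ldap-Group == juniperm,
                Fall-Through = No
"""

# Same policy with check items on the first line, no Fall-Through, and a
# catch-all entry (added here; a standard users-file idiom) for the rest.
FIXED_USERS = """\
DEFAULT  Huntgroup-Name == "Cisco", Ldap-Group == "cisco", Auth-Type := LDAP
         Service-Type := Administrative-User

DEFAULT  Huntgroup-Name == "Juniper-E-series", Ldap-Group == "junipere", Auth-Type := LDAP

DEFAULT  Huntgroup-Name == "Juniper-M-Series", Ldap-Group == "juniperm", Auth-Type := LDAP

DEFAULT  Auth-Type := Reject
         Reply-Message = "not authorised for this device"
"""

def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]

def parse_users(text):
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, checks = first.strip().partition(" ")
        entries.append({"name": name, "check": parse_items(checks),
                        "reply": parse_items(" ".join(l.strip() for l in rest))})
    return entries

def authorize(users_text, request, directory):
    """Evaluate one request; Huntgroup-Name is assumed already resolved."""
    user = request.get("User-Name")
    control, reply, matched, compared = {}, {}, [], []
    def holds(attr, val):
        compared.append(attr)
        if attr == "Ldap-Group":
            return val in directory.get(user, {}).get("groups", ())
        return request.get(attr) == val
    for idx, entry in enumerate(parse_users(users_text)):
        if entry["name"] not in ("DEFAULT", user):
            continue
        # only '==' items compare; ':=' and '=' on the check line assign
        if not all(holds(a, v) for a, op, v in entry["check"] if op == "=="):
            continue
        matched.append(idx)
        for attr, op, val in entry["check"]:
            if op == ":=" or (op == "=" and attr not in control):
                control[attr] = val
        fall_through = False
        for attr, op, val in entry["reply"]:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif op == ":=" or attr not in reply:
                reply[attr] = val
        if not fall_through:
            break
    # Crude rlm_ldap stand-in: radiusAuthType supplies Auth-Type if unset.
    if "Auth-Type" not in control and user in directory:
        control["Auth-Type"] = directory[user]["radiusAuthType"]
    auth = control.get("Auth-Type")  # "accept" assumes the LDAP bind succeeds
    decision = {"Reject": "reject", "LDAP": "accept"}.get(auth, "undecided")
    return {"decision": decision, "matched": matched, "compared": compared,
            "control": control, "reply": reply}

if __name__ == "__main__":
    for label, users in ("posted", POSTED_USERS), ("fixed", FIXED_USERS):
        for name, nas in ("homer", "Cisco"), ("marge", "Cisco"), ("homer", "Juniper-M-Series"):
            r = authorize(users, {"User-Name": name, "Huntgroup-Name": nas}, DIRECTORY)
            print(f"{label:6} {name:5} on {nas:16}: {r['decision']:9} compared={r['compared']}")
```

Run it directly to see both layouts side by side. With the entries as posted, the only attribute ever compared is Huntgroup-Name, so marge (juniperm) is matched by the Cisco entry just like homer, and the Auth-Type from the directory lets her through. With the check items on the first line, a device entry matches only users carrying its radiusGroupName and the catch-all entry rejects everyone else. The catch-all only works because the device entries do not set Fall-Through = Yes: with Fall-Through on, processing would continue past a successful match and reach the Reject entry for every user.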