________________________________
Message: 3 Date: Thu, 11 Oct 2007 23:23:45 +0100 From: <[EMAIL PROTECTED]> Subject: Re: Problem with LDAP and Groups To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <[EMAIL PROTECTED]> Content-Type: text/plain; charset=ISO-8859-2 Read instructions in huntgroups file. Group devices in huntgroups: cisco NAS-IP-Address == a.b.c.d cisco NAS-IP-Address == a.b.c.e etc. linux NAS-IP-Address == z.y.x.w linux NAS-IP-Address == z.y.x.v etc. Add Huntgroup-Name to the DEFAULT entries: DEFAULT Huntgroup-Name == "cisco", Ldap-Group == "cisco_priv_15", User-Profile := "uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net" You can leave out Auth-Type. These attributes will then be passed only when user logs in from a device in cisco huntgroup. For other entries Ldap group might match but huntgroup will not. Things get complicated if roles and devices overlap and you have two or more entries where both the group and hungroup will match. For instance, you wanted the same user in priv level 1 and 15 groups. You then have to add another level of distincion, like a realm/sufix/prefix. Ivan Kalik Kalik Informatika ISP Dana 11/10/2007, "Bryan Evege" <[EMAIL PROTECTED]> pi?e: >Message: 6 >> Date: Thu, 11 Oct 2007 21:13:21 +0100 >> From: <[EMAIL PROTECTED]> >> Subject: Re: Problem with LDAP and Groups >> To: "FreeRadius users mailing list" >> <freeradius-users@lists.freeradius.org> >> Message-ID: <[EMAIL PROTECTED]> >> Content-Type: text/plain; charset=ISO-8859-2 >> >> >>> If I change the fall through to yes it still matches as many groups as the >>> user is in. How can I tell freeradius which attributes to send back? >>> >> >> If you want to send sets of attributes according to the NAS user is >> trying to log into use huntgroups. >> >> >>> For example, bevege is a member of the following groups, packetshapper, >>> cisco_priv_15, cisco_priv_1, linux. >>> >> >> Your group allocation is wrong. You can't have the same user(name) on >> the same device having priv levels 1 and 15. Pick one. Or have him log >> in as [EMAIL PROTECTED] and [EMAIL PROTECTED] and use realms to allocate >> correct set >> of attributes. >> >> Ivan Kalik >> Kalik Informatika ISP >> >> >Could you please explain a bit more. From what I understand you cannot >use Huntgroups to lookup what group a user is in. I only uses /etc/group >/etc/password. What I would like to do is this. User bevege logs in from >Cisco router. Have the users file somehow detect that the request has >come from a cisco router (by IP I would guess) then validate that the >user is in the correct group and then pass back the specific attributes >just for the cisco. Same thing for packetshapper etc. > >Thanks, > >Bryan > >- >List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > Ok, this is driving me insane. I tried the way you suggested but here's the problem. User A is in the packeteer group, user B is in the packeteer_read_only group. Using the Huntgroup and users file below only allows user A (packeteer) to logon. User B doesn't work at all. If I reverse the order of the huntgroup file (packeteer_read_only first) then only user B can logon. This makes sense because which ever one is first in the huntgroups file matches and freeradius doesn't look any further. Isn't there a more detailed way to search the huntgroup? Or maybe I need to do better matching of the ldap group? I really need to get this working ASAP. Just a little background. We have about 10-15 users and about 20 devices of varying types. Some users (network operations) need read only access and some departments (network engineering) need full access to just about everything. Using NAS based huntgroups doesn't seem to work because only one group type can login, ie the first to match. Using just group based lookups doesn't work either unless the user is only a member of only one group, again the first one to match, which defeats the whole purpose of groups. I need to figure out a way to have user A in the packeteer group and user B in packeteer_read_only group and be able to have them both login to multiple devices with the appropriate access defined in LDAP. How on earth are companies with lots of devices and lots of different user access levels doing this? It can't be that hard. Any help would be greatly appreciated, I'm getting pressure to get this going ASAP. Huntgroups file packeteer NAS-IP-Address == 10.17.69.12 packeteer_read_only NAS-IP-Address == 10.17.69.12 Users file 162 DEFAULT Huntgroup-Name == "packeteer",Ldap-Group == Packeteer,User-Profile := "uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 163 Fall-Through = no 165 DEFAULT Huntgroup-Name == "packeteer_read_only",Ldap-Group == packeteer_read_only,User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP 166 Fall-Through = no
<<winmail.dat>>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html