________________________________
Message: 3
Date: Thu, 11 Oct 2007 23:23:45 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Problem with LDAP and Groups
To: "FreeRadius users mailing list"
<freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2
Read instructions in huntgroups file. Group devices in huntgroups:
cisco NAS-IP-Address == a.b.c.d
cisco NAS-IP-Address == a.b.c.e
etc.
linux NAS-IP-Address == z.y.x.w
linux NAS-IP-Address == z.y.x.v
etc.
Add Huntgroup-Name to the DEFAULT entries:
DEFAULT Huntgroup-Name == "cisco", Ldap-Group == "cisco_priv_15",
User-Profile :=
"uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net"
You can leave out Auth-Type. These attributes will then be passed only
when user logs in from a device in cisco huntgroup. For other entries
Ldap group might match but huntgroup will not.
Things get complicated if roles and devices overlap and you have two or
more entries where both the group and hungroup will match. For instance,
you wanted the same user in priv level 1 and 15 groups. You then have to
add another level of distincion, like a realm/sufix/prefix.
Ivan Kalik
Kalik Informatika ISP
Dana 11/10/2007, "Bryan Evege" <[EMAIL PROTECTED]> pi?e:
>Message: 6
>> Date: Thu, 11 Oct 2007 21:13:21 +0100
>> From: <[EMAIL PROTECTED]>
>> Subject: Re: Problem with LDAP and Groups
>> To: "FreeRadius users mailing list"
>> <freeradius-users@lists.freeradius.org>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-2
>>
>>
>>> If I change the fall through to yes it still matches as many groups as the
>>> user is in. How can I tell freeradius which attributes to send back?
>>>
>>
>> If you want to send sets of attributes according to the NAS user is
>> trying to log into use huntgroups.
>>
>>
>>> For example, bevege is a member of the following groups, packetshapper,
>>> cisco_priv_15, cisco_priv_1, linux.
>>>
>>
>> Your group allocation is wrong. You can't have the same user(name) on
>> the same device having priv levels 1 and 15. Pick one. Or have him log
>> in as [EMAIL PROTECTED] and [EMAIL PROTECTED] and use realms to allocate
>> correct set
>> of attributes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>Could you please explain a bit more. From what I understand you cannot
>use Huntgroups to lookup what group a user is in. I only uses /etc/group
>/etc/password. What I would like to do is this. User bevege logs in from
>Cisco router. Have the users file somehow detect that the request has
>come from a cisco router (by IP I would guess) then validate that the
>user is in the correct group and then pass back the specific attributes
>just for the cisco. Same thing for packetshapper etc.
>
>Thanks,
>
>Bryan
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
Ok, this is driving me insane. I tried the way you suggested but here's the
problem. User A is in the packeteer group, user B is in the
packeteer_read_only group. Using the Huntgroup and users file below only
allows user A (packeteer) to logon. User B doesn't work at all. If I reverse
the order of the huntgroup file (packeteer_read_only first) then only user B
can logon. This makes sense because which ever one is first in the huntgroups
file matches and freeradius doesn't look any further. Isn't there a more
detailed way to search the huntgroup? Or maybe I need to do better matching of
the ldap group? I really need to get this working ASAP.
Just a little background. We have about 10-15 users and about 20 devices of
varying types. Some users (network operations) need read only access and some
departments (network engineering) need full access to just about everything.
Using NAS based huntgroups doesn't seem to work because only one group type can
login, ie the first to match. Using just group based lookups doesn't work
either unless the user is only a member of only one group, again the first one
to match, which defeats the whole purpose of groups.
I need to figure out a way to have user A in the packeteer group and user B in
packeteer_read_only group and be able to have them both login to multiple
devices with the appropriate access defined in LDAP. How on earth are
companies with lots of devices and lots of different user access levels doing
this? It can't be that hard. Any help would be greatly appreciated, I'm
getting pressure to get this going ASAP.
Huntgroups file
packeteer NAS-IP-Address == 10.17.69.12
packeteer_read_only NAS-IP-Address == 10.17.69.12
Users file
162 DEFAULT Huntgroup-Name == "packeteer",Ldap-Group == Packeteer,User-Profile
:= "uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
163 Fall-Through = no
165 DEFAULT Huntgroup-Name == "packeteer_read_only",Ldap-Group ==
packeteer_read_only,User-Profile :=
"uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type :=
LDAP
166 Fall-Through = no
<<winmail.dat>>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
