________________________________

Message: 3
Date: Thu, 11 Oct 2007 23:23:45 +0100
From: <[EMAIL PROTECTED]>
Subject: Re: Problem with LDAP and Groups
To: "FreeRadius users mailing list"
        <freeradius-users@lists.freeradius.org>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-2

Read instructions in huntgroups file. Group devices in huntgroups:

cisco   NAS-IP-Address == a.b.c.d
cisco   NAS-IP-Address == a.b.c.e
etc.

linux   NAS-IP-Address == z.y.x.w
linux   NAS-IP-Address == z.y.x.v
etc.

Add Huntgroup-Name to the DEFAULT entries:

DEFAULT Huntgroup-Name == "cisco", Ldap-Group == "cisco_priv_15",
User-Profile :=
"uid=cisco_priv_15,ou=profiles,ou=radius,dc=csctus,dc=net"

You can leave out Auth-Type. These attributes will then be passed only
when the user logs in from a device in the cisco huntgroup. For other entries
the Ldap group might match but the huntgroup will not.

Things get complicated if roles and devices overlap and you have two or
more entries where both the group and huntgroup will match. For instance,
if you wanted the same user in the priv level 1 and 15 groups, you would
then have to add another level of distinction, like a realm/suffix/prefix.

Ivan Kalik
Kalik Informatika ISP


On 11/10/2007, "Bryan Evege" <[EMAIL PROTECTED]> writes:

>Message: 6
>> Date: Thu, 11 Oct 2007 21:13:21 +0100
>> From: <[EMAIL PROTECTED]>
>> Subject: Re: Problem with LDAP and Groups
>> To: "FreeRadius users mailing list"
>>      <freeradius-users@lists.freeradius.org>
>> Message-ID: <[EMAIL PROTECTED]>
>> Content-Type: text/plain; charset=ISO-8859-2
>>
>>
>>> If I change the fall through to yes it still matches as many groups as the 
>>> user is in. How can I tell freeradius which attributes to send back?
>>>
>>
>> If you want to send sets of attributes according to the NAS user is
>> trying to log into use huntgroups.
>>
>>
>>> For example, bevege is a member of the following groups, packetshapper, 
>>> cisco_priv_15, cisco_priv_1, linux.
>>>
>>
>> Your group allocation is wrong. You can't have the same user(name) on
>> the same device having priv levels 1 and 15. Pick one. Or have him log
>> in as [EMAIL PROTECTED] and [EMAIL PROTECTED] and use realms to allocate 
>> correct set
>> of attributes.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>Could you please explain a bit more. From what I understand you cannot
>use Huntgroups to look up what group a user is in. It only uses /etc/group
>/etc/password. What I would like to do is this. User bevege logs in from a
>Cisco router. Have the users file somehow detect that the request has
>come from a cisco router (by IP I would guess), then validate that the
>user is in the correct group and then pass back the specific attributes
>just for the cisco. Same thing for packetshapper etc.
>
>Thanks,
>
>Bryan
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
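
The overlap Ivan describes, as an added toy model rather than FreeRADIUS code: every check item of a users-file entry must match, the first matching entry wins unless Fall-Through = yes, so a user who is in both cisco_priv_1 and cisco_priv_15 always gets whichever cisco entry comes first until a Realm check (hypothetical realm names, constructed NAS addresses) separates the two entries.

```python
# Toy model of FreeRADIUS users-file matching (not FreeRADIUS code): every
# check item of an entry must match, the first matching entry wins, and
# matching stops there unless the entry sets Fall-Through = yes.

# Constructed huntgroups file: huntgroup name -> NAS addresses in it.
HUNTGROUPS = {
    "cisco": {"192.0.2.1", "192.0.2.2"},
    "linux": {"192.0.2.10"},
}

PROFILE_BASE = "ou=profiles,ou=radius,dc=csctus,dc=net"

def profile(uid):
    """Reply items pointing at an LDAP profile entry (same DN layout as the thread)."""
    return {"User-Profile": f"uid={uid},{PROFILE_BASE}"}

# Entries as (check items, reply items, fall_through). The two cisco entries
# overlap for a user who is a member of both LDAP groups.
USERS_OVERLAP = [
    ({"Huntgroup-Name": "cisco", "Ldap-Group": "cisco_priv_15"}, profile("cisco_priv_15"), False),
    ({"Huntgroup-Name": "cisco", "Ldap-Group": "cisco_priv_1"}, profile("cisco_priv_1"), False),
    ({"Huntgroup-Name": "linux", "Ldap-Group": "linux"}, profile("linux"), False),
]

# Same cisco entries with a Realm check as the extra level of distinction.
# Realm names are hypothetical; the suffix module would derive Realm from
# a login such as user@ops before the users file is consulted.
USERS_REALM = [
    ({"Huntgroup-Name": "cisco", "Ldap-Group": "cisco_priv_15", "Realm": "admin"}, profile("cisco_priv_15"), False),
    ({"Huntgroup-Name": "cisco", "Ldap-Group": "cisco_priv_1", "Realm": "ops"}, profile("cisco_priv_1"), False),
]

def check_item_matches(name, value, request):
    if name == "Huntgroup-Name":       # NAS is a member of the named huntgroup
        return request["NAS-IP-Address"] in HUNTGROUPS.get(value, set())
    if name == "Ldap-Group":           # user is a member of the LDAP group
        return value in request["ldap_groups"]
    return request.get(name) == value  # plain attribute comparison

def match_users(request, users):
    """Return the reply items collected from the entries that match the request."""
    reply = {}
    for checks, replies, fall_through in users:
        if all(check_item_matches(k, v, request) for k, v in checks.items()):
            reply.update(replies)
            if not fall_through:
                break                  # first match wins, like Fall-Through = no
    return reply
```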

Ok, this is driving me insane.  I tried the way you suggested but here's the
problem.  User A is in the packeteer group, user B is in the
packeteer_read_only group.  Using the Huntgroup and users file below only
allows user A (packeteer) to log on.  User B doesn't work at all.  If I reverse
the order of the huntgroup file (packeteer_read_only first) then only user B
can log on.  This makes sense because whichever one is first in the huntgroups
file matches and freeradius doesn't look any further.  Isn't there a more
detailed way to search the huntgroup?  Or maybe I need to do better matching of
the ldap group? I really need to get this working ASAP.

Just a little background.  We have about 10-15 users and about 20 devices of
varying types.  Some users (network operations) need read only access and some
departments (network engineering) need full access to just about everything.
Using NAS based huntgroups doesn't seem to work because only one group type can
login, i.e. the first to match.  Using just group based lookups doesn't work
either unless the user is a member of only one group, again the first one
to match, which defeats the whole purpose of groups.

I need to figure out a way to have user A in the packeteer group and user B in
the packeteer_read_only group and be able to have them both log in to multiple
devices with the appropriate access defined in LDAP.  How on earth are
companies with lots of devices and lots of different user access levels doing
this?  It can't be that hard.  Any help would be greatly appreciated, I'm
getting pressure to get this going ASAP.

Huntgroups file

packeteer                      NAS-IP-Address == 10.17.69.12

packeteer_read_only  NAS-IP-Address == 10.17.69.12

Users file

DEFAULT Huntgroup-Name == "packeteer", Ldap-Group == Packeteer, User-Profile := "uid=packeteer,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no

DEFAULT Huntgroup-Name == "packeteer_read_only", Ldap-Group == packeteer_read_only, User-Profile := "uid=packeteer_read_only,ou=profiles,ou=radius,dc=csctus,dc=net", Auth-Type := LDAP
        Fall-Through = no



