First of all, thank you both so much for these helpful replies! I can't wait to try them out just as soon as the network guys fix whatever they broke in the NAS...
But just quickly, you mention an email from "Martin" with an idea? I don't see that. Was it sent to this list?

Dave

-----Original Message-----
From: radiator <radiator-boun...@lists.open.com.au> On Behalf Of Heikki Vatiainen
Sent: Monday, February 14, 2022 8:55 AM
To: radiator@lists.open.com.au
Subject: Re: [RADIATOR] Radiator / LDAP / matching on multi-valued field

On 12.2.2022 0.39, Dave Kitabjian wrote:
> So, the second part of my problem is that obviously "DC=com CN=Admin
> Access" won't match the NAS-IP-Address. What I really need is logic like:
>
> IF AD.memberOf(user) matches "DC=com CN=Admin Access" AND NAS-IP-Address
> = A.B.C.D
> THEN PASS
> ELSE IF AD.memberOf(user) matches "DC=com CN=Regular Access" AND
> NAS-IP-Address = W.X.Y.Z
> THEN PASS
> ELSE FAIL

One option is to use code to implement the authorisation logic.

First, configure AuthBy LDAP2 to fetch 'memberOf' attributes. There's no need to store them in request or response, so the configuration is simply this:

AuthAttrDef memberOf
PostSearchHook file:"%D/ldap-memberof-hook.pl"

The hook that processes the LDAP groups is below. Implementing flexible authorisation with configuration options might be possible, for example how Martin shows in his email, and a hook can then cover the rest of the cases.

Here's ldap-memberof-hook.pl. I'll see that a copy gets added to goodies too. The logic is meant for tailoring for local needs.

use strict;
use warnings;
use List::Util;
use Net::LDAP::Util;

sub {
    my $p = $_[2];      # The request
    my $user = $_[3];   # The user trying to authenticate
    my $entry = $_[4];  # Returned LDAP entry
    my $rp = $_[5];     # The reply

    # Process Access-Request messages only
    return unless $p->code() eq 'Access-Request';

    # Do nothing if the search did not return any results.
    return unless $entry;

    # groupMembership or memberOf is typically a multivalued LDAP
    # attribute for group memberships
    my $attr = 'memberOf';
    my $dn = $entry->dn();
    main::log($main::LOG_DEBUG, "PostSearchHook: processing '$attr' values for '$dn'", $p);

    # Convert all DNs to canonical format and then fully lowercase them
    my $admin_dn = lc(Net::LDAP::Util::canonical_dn('CN=Demo Admin Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com'));
    my $regular_dn = lc(Net::LDAP::Util::canonical_dn('cn=DEMO Regular Access,ou=Groups,dc=dev,dc=radiatorsoftware,dc=com'));
    my @ldapgroups = map { lc(Net::LDAP::Util::canonical_dn($_)) } $entry->get_value($attr);

    # Default to the empty string so a request without NAS-IP-Address
    # simply matches no NAS instead of warning on undef.
    my $nas_ip = $p->get_attr('NAS-IP-Address') // '';

    # We can now run authorisation logic based on LDAP groups, request
    # attributes and other available information.
    #
    # Sample: The first NAS allows only admins, the second only
    # regular users. Otherwise trigger failure.
    if ($nas_ip eq '10.20.30.44' && (List::Util::first { $admin_dn eq $_ } @ldapgroups)) {
        main::log($main::LOG_DEBUG, "PostSearchHook: matched LDAP group '$admin_dn'", $p);
        $user->get_reply->add_attr('Reply-Message', 'You are admin');
    }
    elsif ($nas_ip eq '10.20.50.66' && (List::Util::first { $regular_dn eq $_ } @ldapgroups)) {
        main::log($main::LOG_DEBUG, "PostSearchHook: matched LDAP group '$regular_dn'", $p);
        $user->get_reply->add_attr('Reply-Message', 'You are regular');
    }
    else {
        # Could also use add_attr to assign a default
        # authorization level.
        $user->get_check->add_attr('Auth-Type', "Reject:No authorisation group found in LDAP for '$dn'");
    }
    return;
}

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software

_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
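As an added example (not Heikki's hook and not from the Radiator goodies), the same authorisation logic written as a rule table, so that a new NAS/group pair is one more data row rather than another elsif branch. It assumes the same hook arguments and the same Radiator calls Heikki's hook uses ($p->get_attr, $user->get_reply, $user->get_check, main::log) and that the hook file evaluates to the anonymous sub; norm_dn, match_rule, the group DNs and the NAS addresses are this example's own constructed values.

```perl
# Added example: table-driven PostSearchHook. Radiator calls are those
# used in Heikki's hook; the rule table and helpers are constructed here.
use strict;
use warnings;
use List::Util qw(first);
use Net::LDAP::Util qw(canonical_dn);

# Normalise every DN the same way on both sides of the comparison:
# canonical form first, then lowercase.
sub norm_dn { return lc(canonical_dn($_[0])); }

# One rule per NAS: which group its users must belong to and what
# Reply-Message to send. Sample values are constructed.
my @rules = (
    { nas_ip => '10.20.30.44',
      group  => norm_dn('CN=Demo Admin Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com'),
      reply  => 'You are admin' },
    { nas_ip => '10.20.50.66',
      group  => norm_dn('CN=Demo Regular Access,OU=Groups,DC=dev,DC=radiatorsoftware,DC=com'),
      reply  => 'You are regular' },
);

# Return the first rule whose NAS matches the request and whose group is
# among the user's normalised memberOf values; undef when none applies.
sub match_rule {
    my ($nas_ip, $groups, $rules) = @_;
    my %member = map { $_ => 1 } @$groups;
    return first { $_->{nas_ip} eq $nas_ip && $member{ $_->{group} } } @$rules;
}

sub {
    my ($p, $user, $entry) = @_[2, 3, 4];
    return unless $p->code() eq 'Access-Request';
    return unless $entry;   # No LDAP entry: nothing to authorise against

    my $dn     = $entry->dn();
    my @groups = map { norm_dn($_) } $entry->get_value('memberOf');
    my $nas_ip = $p->get_attr('NAS-IP-Address') // '';

    if (my $rule = match_rule($nas_ip, \@groups, \@rules)) {
        main::log($main::LOG_DEBUG, "PostSearchHook: '$dn' matched '$rule->{group}' on NAS $nas_ip", $p);
        $user->get_reply->add_attr('Reply-Message', $rule->{reply});
    }
    else {
        # Deny by default: no rule covers this NAS/group combination.
        $user->get_check->add_attr('Auth-Type', "Reject:No authorisation rule for '$dn' on NAS $nas_ip");
    }
    return;
}
```

Because matching is on the normalised DN string, a rule's DN may be written in any case or spacing and still match what the directory returns.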