Re: Want interesting restrictions to ldap auth on different servers to different users

On 06/12/10 15:34 +0300, c0re wrote: > > 2010/12/1 Dan White <dwhite(a)olp.net&gt;: > Thanks for example! > > But it still requires to edit clients.conf when adding device. And not > restricts by groups. That's true, unless you have some of your clients coming from behind one NAT address. I'm not aware of any way around that. > As per http://wiki.freeradius.org/Rlm_ldap I can use > > groupmembership_filter = > > "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" > > If there any other variables that can be used? I mean not only > Ldap-userDn, but something like Ldap-clientIP, or Ldap-clientHostname > or anything else to unique identify remote device. So I can use > dynamic groups in OpenLdap and restrict access to device by group > membership. As for the client IP, or other identifying information of the authenticating device, I've always tried to use huntgroups to identify the device rather than trying to perform a match in the LDAP filter, but that approach might work just fine. Keep in mind that different types of devices will send more or less information in its RADIUS request. Running freeradius in '-X' mode, and sending a sample request will show you the information that you might be able to match on. -- Dan White