On 06/12/10 15:34 +0300, c0re wrote:
>
> 2010/12/1 Dan White <dwhite(a)olp.net>:
> Thanks for the example!
>
> But it still requires editing clients.conf when adding a device. And it
> does not restrict by groups.
That's true, unless you have some of your clients coming from behind
one NAT address. I'm not aware of any way around that.
> As per http://wiki.freeradius.org/Rlm_ldap I can use
>
> groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>
> Are there any other variables that can be used? I mean not only
> Ldap-UserDn, but something like Ldap-clientIP, or Ldap-clientHostname
> or anything else to uniquely identify the remote device. So I can use
> dynamic groups in OpenLDAP and restrict access to the device by group
> membership.
As for the client IP, or other identifying information of the
authenticating device, I've always tried to use huntgroups to identify the
device rather than trying to perform a match in the LDAP filter, but that
approach might work just fine.
Keep in mind that different types of devices will send more or less
information in their RADIUS requests. Running freeradius in '-X' mode and
sending a sample request will show you the information that you might be
able to match on.
--
Dan White
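The huntgroup approach Dan describes, combined with the groupmembership_filter quoted from the rlm_ldap wiki, as an added example (2.x-era raddb excerpts written for this thread, not code from the list or the FreeRADIUS project). The huntgroup name "switches", the LDAP group "netadmins" and the 192.0.2.x NAS addresses are constructed placeholders.

```unlang
# raddb/huntgroups (read by the "preprocess" module, which sets Huntgroup-Name).
# Hypothetical huntgroup "switches"; 192.0.2.10 and 192.0.2.11 are constructed
# sample NAS addresses. One line per device; clients.conf still has to list the
# NAS and its shared secret, but the group decision no longer lives there.
switches   NAS-IP-Address == 192.0.2.10
switches   NAS-IP-Address == 192.0.2.11

# raddb/modules/ldap (excerpt): the filter quoted from the wiki above, so that an
# Ldap-Group check matches both groupOfNames and groupOfUniqueNames entries.
# OpenLDAP dynamic groups only match if the server expands their member values
# when searched (e.g. with the dynlist overlay).
ldap {
    groupname_attribute = cn
    groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
}

# raddb/sites-enabled/default, authorize section (excerpt).
# "netadmins" is a hypothetical LDAP group: users outside it are rejected on
# devices in the "switches" huntgroup; requests from other devices fall through.
authorize {
    preprocess
    ldap
    if (Huntgroup-Name == "switches" && !(Ldap-Group == "netadmins")) {
        reject
    }
}
```

Run radiusd -X and send a test request from one of the listed devices to confirm that Huntgroup-Name is set by preprocess before the Ldap-Group check runs, and to see which attributes that device actually sends.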
Thanks for the tip about -X mode, will do it if I get into trouble.
Found a very interesting message in the mailing lists here:
Even more interesting - storing the NAS secret in LDAP!
And using the variable Packet-Src-IP-Address to tell source devices apart.
Will try to get it working this week.