2010/12/1 Dan White dwhite@olp.net:
On 01/12/10 18:27 +0300, c0re wrote:
I can't understand how to use the nssov overlay in my case, but I understood the dynamic groups overlay and it should fit my needs.
Also I've got freeradius that authenticates users by looking in ldap. Works well. But I can't understand how to restrict users from logging in to some devices. At the moment all users have access to all devices via radius. Same requests - this must be controlled via openldap.
Maybe someone uses freeradius and has already made such restrictions and can give me some tips.
Here's one approach:
Given a huntgroups file of:
    device1    NAS-IP-Address == 192.168.1.1
    cisco1     NAS-IP-Address == 192.168.1.2
and corresponding entries in your clients.conf, you can add something like this in your users file:
    DEFAULT Huntgroup-Name == "device1", ldap-customattr-Ldap-Group == "device1"
            Fall-Through = no
    DEFAULT Huntgroup-Name == "device1", Auth-Type := Reject
    DEFAULT Huntgroup-Name == "cisco1", ldap-customattr-Ldap-Group == "cisco1/admin", User-Profile := "cn=ciscoadmin,ou=radius,dc=example,dc=net"
            Fall-Through = no
    DEFAULT Huntgroup-Name == "cisco1", Auth-Type := Reject
then create /etc/freeradius/modules/ldap-customattr with:
    ldap ldap-customattr {
            server = "ldap://ldap.example.net"
            ldap_debug = 0x0028
            identity = "$dn"
            password = $pass
            ldap_connections_number = 5
            basedn = "dc=example,dc=net"
            filter = "(uid=%u)"
            start_tls = no
            tls_mode = no
            password_attribute = "userPassword"
            groupname_attribute = "customattr"
            groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
            groupmembership_attribute = "customattr"
    }
Add 'ldap-customattr' inside the 'instantiate' section within /etc/freeradius/radiusd.conf.
Add this to your tree:
    dn: cn=ciscoadmin,ou=radius,dc=example,dc=net
    objectClass: radiusObjectProfile
    objectClass: radiusprofile
    cn: ciscoadmin
    radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
Then within your user entries, any user with:
customattr: device1
will be authorized to authenticate to device1, and
customattr: cisco1/admin
will authenticate to cisco1, and will also drop directly into enable mode, assuming the cisco device is configured to do so.
-- Dan White
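The following is an added example, not part of Dan White's message: a small Python model of how FreeRADIUS walks the four DEFAULT lines above (first match wins unless Fall-Through = yes), so the per-huntgroup "allow members, then reject everyone else" pattern can be checked offline. The huntgroup table and the directory contents (uids and their customattr values) are constructed sample data; the entries themselves mirror the posted users file.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Mirrors the posted huntgroups file: NAS-IP-Address -> Huntgroup-Name
HUNTGROUPS = {"192.168.1.1": "device1", "192.168.1.2": "cisco1"}

# Constructed directory: uid -> customattr values (what Ldap-Group compares against)
DIRECTORY = {
    "alice": ["device1"],
    "bob": ["cisco1/admin"],
    "carol": ["device1", "cisco1/admin"],
    "dave": [],
}

@dataclass
class Entry:
    huntgroup: str                        # Huntgroup-Name == ...
    ldap_group: Optional[str] = None      # ldap-customattr-Ldap-Group == ...
    user_profile: Optional[str] = None    # User-Profile := ...
    reject: bool = False                  # Auth-Type := Reject
    fall_through: bool = False            # Fall-Through reply item (default no)

# The four DEFAULT lines from the post, in file order.
USERS = [
    Entry("device1", ldap_group="device1"),
    Entry("device1", reject=True),
    Entry("cisco1", ldap_group="cisco1/admin",
          user_profile="cn=ciscoadmin,ou=radius,dc=example,dc=net"),
    Entry("cisco1", reject=True),
]

def authorize(user: str, nas_ip: str) -> Tuple[str, Optional[str]]:
    """Return ("allow", profile_dn), ("reject", None) or ("no-match", None).
    "allow" means the users file let the request through to LDAP authentication;
    "no-match" means no DEFAULT line applied, so these lines impose no restriction."""
    huntgroup = HUNTGROUPS.get(nas_ip)
    groups = DIRECTORY.get(user, [])
    decision: Tuple[str, Optional[str]] = ("no-match", None)
    for e in USERS:
        if e.huntgroup != huntgroup:
            continue
        if e.ldap_group is not None and e.ldap_group not in groups:
            continue
        if e.reject:
            return ("reject", None)
        decision = ("allow", e.user_profile)
        if not e.fall_through:
            break   # Fall-Through = no: stop at the first matching entry
    return decision
```

A NAS that is in clients.conf but not in huntgroups gets "no-match", which is why each huntgroup needs its own trailing Auth-Type := Reject line.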
Thanks for the example!
But it still requires editing clients.conf when adding a device. And it does not restrict by groups.
As per http://wiki.freeradius.org/Rlm_ldap I can use
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Are there any other variables that can be used? I mean not only Ldap-UserDn, but something like Ldap-clientIP, or Ldap-clientHostname, or anything else to uniquely identify the remote device. Then I could use dynamic groups in OpenLDAP and restrict access to a device by group membership.