2010/12/6 Dan White dwhite@olp.net:
On 06/12/10 15:34 +0300, c0re wrote:
2010/12/1 Dan White dwhite@olp.net:
Thanks for the example!
But it still requires editing clients.conf when adding a device, and it does not restrict by groups.
That's true, unless you have some of your clients coming from behind one NAT address. I'm not aware of any way around that.
As per http://wiki.freeradius.org/Rlm_ldap I can use
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
Are there any other variables that can be used? I mean not only Ldap-UserDn, but something like Ldap-clientIP or Ldap-clientHostname, or anything else to uniquely identify the remote device. Then I could use dynamic groups in OpenLDAP and restrict access to a device by group membership.
As for the client IP, or other identifying information of the authenticating device, I've always tried to use huntgroups to identify the device rather than trying to perform a match in the LDAP filter, but that approach might work just fine.
Keep in mind that different types of devices will send more or less information in their RADIUS requests. Running freeradius in '-X' mode and sending a sample request will show you the information that you might be able to match on.
-- Dan White
Thanks for the tip about -X mode, will do it if I run into trouble.
Found a very interesting message in the mailing lists here: http://lists.freeradius.org/pipermail/freeradius-users/2010-October/msg00058... Even more interesting - storing the NAS secret in LDAP!
And using the variable Packet-Src-IP-Address to distinguish source devices. Will try to get it working this week.
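The huntgroups approach Dan suggests, combined with the Packet-Src-IP-Address check item c0re mentions, as an added example that is not part of either message. Device addresses, huntgroup names and LDAP group names are constructed; the check items are those of the FreeRADIUS 2.x files and ldap modules, and the `Ldap-Group` value is the group cn as resolved by the rlm_ldap groupmembership_filter quoted above.

```conf
# /etc/raddb/huntgroups  (constructed example; addresses are placeholders)
# A request is tagged with Huntgroup-Name when one of its check items matches.
core-switches   NAS-IP-Address == 192.0.2.10
core-switches   NAS-IP-Address == 192.0.2.11
# Devices behind one NAT address cannot be told apart by NAS-IP-Address;
# Packet-Src-IP-Address matches on the actual source address of the UDP packet.
branch-routers  Packet-Src-IP-Address == 198.51.100.7

# /etc/raddb/users  (constructed example)
# Entries are tried in order; the first match is applied and processing stops
# unless it sets Fall-Through = Yes, so the group checks come before the rejects.

# Members of the "netadmins" LDAP group may log in to core switches.
DEFAULT Huntgroup-Name == "core-switches", Ldap-Group == "netadmins"
        Reply-Message = "netadmins: access to core switch granted"

# Members of the "branch-ops" LDAP group may log in to branch routers.
DEFAULT Huntgroup-Name == "branch-routers", Ldap-Group == "branch-ops"
        Reply-Message = "branch-ops: access to branch router granted"

# Anyone else reaching a known huntgroup is rejected, even with a valid password.
DEFAULT Huntgroup-Name == "core-switches", Auth-Type := Reject
        Reply-Message = "Not authorized for this device"
DEFAULT Huntgroup-Name == "branch-routers", Auth-Type := Reject
        Reply-Message = "Not authorized for this device"
```

Run `freeradius -X` and send a test request from one device to confirm which of NAS-IP-Address and Packet-Src-IP-Address it actually exposes before relying on either in the huntgroups file.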
openldap-technical@openldap.org