Re: Want interesting restrictions to ldap auth on different servers to different users - openldap-technical

6 Dec 2010


      2010/12/1 Dan White dwhite@olp.net:
...
On 01/12/10 18:27 +0300, c0re wrote:
...
Can't understand about how to use nssov overlay in my case, but
understood about dynamic groups overlay and it should fit to my needs.
Also I've got freeradius that authenticate users by looking in ldap.
Works good. But can't understand about how to restrict users to login
to some devices. At that moment all users has access to all devices
via radius. Same requests - this must be controlled via openldap.
May be someone uses freeradius and has already made such restritions
and can give me some tips.
Here's one approach:
Given a huntgroups file of:
device1 NAS-IP-Address == 192.168.1.1
cisco1  NAS-IP-Address == 192.168.1.2
and corresponding entries in your clients.conf, you can add something like
this in your users file:
DEFAULT Huntgroup-Name == "device1", ldap-customattr-Ldap-Group == "device1"
        Fall-Through = no
DEFAULT Huntgroup-Name == "device1", Auth-Type := Reject
DEFAULT Huntgroup-Name == "cisco1", ldap-customattr-Ldap-Group ==
"cisco1/admin", User-Profile := "cn=ciscoadmin,ou=radius,dc=example,dc=net"
        Fall-Through = no
DEFAULT Huntgroup-Name == "cisco1", Auth-Type := Reject
then create /etc/freeradius/modules/ldap-customattr with:
ldap ldap-customattr {
server   = "ldap://ldap.example.net"
       ldap_debug = 0x0028
       identity = "$dn"
       password = $pass
       ldap_connections_number = 5
       basedn   = "dc=example,dc=net"
       filter   = "(uid=%u)"
       start_tls = no
       tls_mode = no
       password_attribute = "userPassword"
       groupname_attribute = "customattr"
       groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
       groupmembership_attribute = "customattr"
}
Add 'ldap-customattr' inside the 'instantiate' section within
/etc/freeradius/radiusd.conf.
Add this to your tree:
dn: cn=ciscoadmin,ou=radius,dc=example,dc=net
objectClass: radiusObjectProfile
objectClass: radiusprofile
cn: ciscoadmin
radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
Then within your user entries, any user with:
customattr: device1
will be authorized to authenticate to device1, and
customattr: cisco1/admin
will authenticate to cisco1, and will also drop directly into enable mode,
assuming the cisco device is configured to do so.
--
Dan White
Thanks for example!
But it still requires to edit clients.conf when adding device. And not
restricts by groups.
As per http://wiki.freeradius.org/Rlm_ldap I can use
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
If there any other variables that can be used? I mean not only
Ldap-userDn, but something like Ldap-clientIP, or Ldap-clientHostname
or anything else to unique identify remote device. So I can use
dynamic groups in OpenLdap and restrict access to device by group
membership.