[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Want interesting restrictions to ldap auth on different servers to different users
2010/12/1 Dan White <dwhite@olp.net>:
> On 01/12/10 18:27 +0300, c0re wrote:
>>
>> Can't understand about how to use nssov overlay in my case, but
>> understood about dynamic groups overlay and it should fit to my needs.
>>
>> Also I've got freeradius that authenticate users by looking in ldap.
>> Works good. But can't understand about how to restrict users to login
>> to some devices. At that moment all users has access to all devices
>> via radius. Same requests - this must be controlled via openldap.
>>
>> May be someone uses freeradius and has already made such restritions
>> and can give me some tips.
>
> Here's one approach:
>
> Given a huntgroups file of:
>
> device1 NAS-IP-Address == 192.168.1.1
> cisco1 NAS-IP-Address == 192.168.1.2
>
> and corresponding entries in your clients.conf, you can add something like
> this in your users file:
>
> DEFAULT Huntgroup-Name == "device1", ldap-customattr-Ldap-Group == "device1"
> Fall-Through = no
>
> DEFAULT Huntgroup-Name == "device1", Auth-Type := Reject
>
> DEFAULT Huntgroup-Name == "cisco1", ldap-customattr-Ldap-Group ==
> "cisco1/admin", User-Profile := "cn=ciscoadmin,ou=radius,dc=example,dc=net"
> Fall-Through = no
>
> DEFAULT Huntgroup-Name == "cisco1", Auth-Type := Reject
>
> then create /etc/freeradius/modules/ldap-customattr with:
>
> ldap ldap-customattr {
>
> server = "ldap://ldap.example.net"
> ldap_debug = 0x0028
> identity = "$dn"
> password = $pass
> ldap_connections_number = 5
> basedn = "dc=example,dc=net"
> filter = "(uid=%u)"
> start_tls = no
> tls_mode = no
> password_attribute = "userPassword"
> groupname_attribute = "customattr"
> groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
> groupmembership_attribute = "customattr"
>
> }
>
> Add 'ldap-customattr' inside the 'instantiate' section within
> /etc/freeradius/radiusd.conf.
>
> Add this to your tree:
>
> dn: cn=ciscoadmin,ou=radius,dc=example,dc=net
> objectClass: radiusObjectProfile
> objectClass: radiusprofile
> cn: ciscoadmin
> radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
>
>
> Then within your user entries, any user with:
>
> customattr: device1
>
> will be authorized to authenticate to device1, and
>
> customattr: cisco1/admin
>
> will authenticate to cisco1, and will also drop directly into enable mode,
> assuming the cisco device is configured to do so.
>
> --
> Dan White
>
Thanks for example!
But it still requires to edit clients.conf when adding device. And not
restricts by groups.
As per http://wiki.freeradius.org/Rlm_ldap I can use
groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
If there any other variables that can be used? I mean not only
Ldap-userDn, but something like Ldap-clientIP, or Ldap-clientHostname
or anything else to unique identify remote device. So I can use
dynamic groups in OpenLdap and restrict access to device by group
membership.