[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Want interesting restrictions to ldap auth on different servers to different users
2010/12/6 Dan White <dwhite@olp.net>:
> On 06/12/10 15:34 +0300, c0re wrote:
>>
>> 2010/12/1 Dan White <dwhite@olp.net>:
>> Thanks for example!
>>
>> But it still requires to edit clients.conf when adding device. And not
>> restricts by groups.
>
> That's true, unless you have some of your clients coming from behind
> one NAT address. I'm not aware of any way around that.
>
>> As per http://wiki.freeradius.org/Rlm_ldap I can use
>>
>> groupmembership_filter =
>>
>> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>
>> If there any other variables that can be used? I mean not only
>> Ldap-userDn, but something like Ldap-clientIP, or Ldap-clientHostname
>> or anything else to unique identify remote device. So I can use
>> dynamic groups in OpenLdap and restrict access to device by group
>> membership.
>
> As for the client IP, or other identifying information of the
> authenticating device, I've always tried to use huntgroups to identify the
> device rather than trying to perform a match in the LDAP filter, but that
> approach might work just fine.
>
> Keep in mind that different types of devices will send more or less
> information in its RADIUS request. Running freeradius in '-X' mode, and
> sending a sample request will show you the information that you might be
> able to match on.
>
> --
> Dan White
>
Thanks for tip about -X mode, will do it if get troubles.
Found very interesting message in mailists here:
http://lists.freeradius.org/pipermail/freeradius-users/2010-October/msg00058.html
Even more interesting - storing NAS secret in ldap!
And using variable Packet-Src-IP-Address to differ source devices.
Will try to get it work at this week.