Hi all,

Thanks to Kostas Kalevras for the clarification. Will my requirement work on
an OU basis? I can add the attributes to the administrators on a per user
basis, as there will be only two or three of them.

My dial up users are a different story. I have around 500 users in my
database.

About 50 of them will not have any restrictions on connect
      - A profile without any session limit restrictions.
About 300 of them will be allowed to connect only for a limited time per day
      - A profile with restrictions on session limit.
The rest of the users will not have any dial up
      - A profile that does not permit dial up access.

I do not think it is practically possible to assign these rights on a per
user basis. How do I assign these three profiles to these three types of
users?

Please help.

Thanks and regards,
Michael Fuller

----- Original Message -----
From: "Kostas Kalevras" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 12, 2002 7:22 PM
Subject: Re: Authorisation based on LDAP Group membership


> On Wed, 12 Jun 2002, Michael Fuller wrote:
>
> > Hi all,
> >
> > I have installed openldap and freeradius on a Red Hat v7.3 box. I want to
> > use ldap for radius authentication and authorisation.
> >
> > I want to control authorisation on a per group basis, and added the
> > radiusprofile object class to a group. The radiusServiceType was then set
> > to Administrative-User. However, members of this group are not able to
> > telnet to any of our cisco routers. The arrangement works fine if I follow
> > the same procedure on a per user basis.
> >
> > Is there any change that I have to make to radiusd.conf? Where am I going
> > wrong?
> >
> > Please help.
> >
> > Regards,
> > Michael Fuller
>
> The profiles don't work on a group basis. What you can do is add a
> profile_attribute (the name can be configured through the profile_attribute
> configuration directive) in the ldap entries of all the users belonging to
> the administrator group. That attribute will point to the DN of an entry
> containing the radiusServiceType attribute. In other words:
>
> dn: uid=admin,ou=people,dc=your,dc=company,dc=com
> cn: Administrator
> radiusprofiledn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
> [...]
>
> dn: uid=admin-profile,ou=people,dc=your,dc=company,dc=com
> cn: Administrator Dialup Profile
> radiusServiceType: Administrative-User
>
> That should work just fine.
>
> --
> Kostas Kalevras Network Operations Center
> [EMAIL PROTECTED] National Technical University of Athens, Greece
> Work Phone: +30 10 7721861
> 'Go back to the shadow' Gandalf
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
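
The profile-DN indirection from the quoted reply, applied in bulk to three classes of dial-up users, as an added example that is not part of the original thread. The three profile entry names, the class labels and the sample users are hypothetical; it assumes the user entries may carry `radiusprofiledn` and that `profile_attribute` is set to that name. Unknown classes fall back to the no-dial-up profile so a typo never grants access.

```python
import re

BASE = "ou=people,dc=your,dc=company,dc=com"  # base DN used in the reply above
PROFILE_ATTR = "radiusprofiledn"              # must match profile_attribute

# Hypothetical profile entries, one per class of user described in the message.
PROFILES = {
    "unlimited": f"uid=dialup-unlimited-profile,{BASE}",
    "limited": f"uid=dialup-limited-profile,{BASE}",
    "none": f"uid=no-dialup-profile,{BASE}",
}
DEFAULT_CLASS = "none"  # fail closed: unrecognised class gets no dial-up

# Reject uids that could alter the DN (commas, equals signs, newlines, ...).
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")


def profile_ldif(assignments):
    """Return LDIF change records pointing each uid at its class profile."""
    records = []
    for uid, user_class in sorted(assignments.items()):
        if not SAFE_UID.match(uid):
            raise ValueError(f"refusing unsafe uid: {uid!r}")
        target = PROFILES.get(user_class, PROFILES[DEFAULT_CLASS])
        records.append(
            f"dn: uid={uid},{BASE}\n"
            "changetype: modify\n"
            f"replace: {PROFILE_ATTR}\n"
            f"{PROFILE_ATTR}: {target}\n"
            "-\n"
        )
    return "\n".join(records)  # blank line between records


# Constructed sample input: uid -> class ("typo" is deliberately unknown).
SAMPLE = {"alice": "unlimited", "bob": "limited",
          "carol": "none", "dave": "typo"}

if __name__ == "__main__":
    print(profile_ldif(SAMPLE))
```

The output is in the form `ldapmodify` reads; review it before applying, since each record replaces any profile pointer the user already has.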

