On Sat, 22 Jun 2002, Michael Fuller wrote:

> Hi all,
>
> It's me again with the same question :-). I want to know whether freeRadius
> can authorize users based on a group or OU attribute. When I posted this
> question earlier, I was told that it is not possible. I am using the
> radiusprofileDn attribute to authorize users. However, this approach has its
> drawbacks.
>
> 1. Since authorization is based on a user attribute, all users have to have
> the radiusprofile object class, which increases overhead in direct
> proportion to the number of users.

Overhead? I don't think you add any overhead to the ldap server by adding
2-3 attributes in each user entry. On the other hand, the group membership
authorization adds overhead, since the queries are not easily cached, while
the queries for the regular profiles (a simple request for an entry DN) can
be cached by the ldap api.

> 2. It is not possible to grant or deny a particular service to a group of
> users to reflect changing requirements. The changes have to be made for
> every user, giving scope for errors and security holes.

Use the users file along with the Ldap-Group and User-Profile attributes:

DEFAULT Ldap-Group == "admins", User-Profile := "uid=admin-users,ou=people,dc=company,dc=com"

> 3. It is not possible to know exactly how many users can access a particular
> service. Like, if it was based on group or OU membership, a look at the
> dial-up group/OU will tell me just how many people can dial into the
> network. I can also find out who can dial up by looking at the group
> membership.

Index the radiusprofiledn and create dynamicgroups for each profile :-)
Maybe just kidding.

> But in the current implementation, I have to check the attributes of each
> user to collect the necessary info.
>
> Has anybody done an implementation with authorisation based on group
> membership?
>
> If so, please help.
>
> Regards,
> Michael Fuller
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Kostas Kalevras
Network Operations Center
[EMAIL PROTECTED]
National Technical University of Athens, Greece
Work Phone: +30 10 7721861
'Go back to the shadow' Gandalf
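The users-file approach Kostas suggests, carried a little further as an added example (this is not from the list message and not a FreeRADIUS project file): several group-to-profile mappings plus a final catch-all entry that rejects users who are in none of the allowed groups, so a correct LDAP password alone does not grant a service. It assumes rlm_ldap is configured for group lookups (so the Ldap-Group check item is available) and that the files module runs before ldap in the authorize section, so the User-Profile set here is seen by rlm_ldap. The group names and profile DNs are constructed placeholders.

```text
# raddb/users  (added example, not the project's own file)
# Assumptions: rlm_ldap does group lookups (groupname_attribute /
# groupmembership_filter set), and "files" precedes "ldap" in authorize.
# Entries are matched top to bottom; the first match wins unless the
# reply items contain Fall-Through = Yes.

# Dial-up users: members of the constructed "dialup" group share one profile.
DEFAULT Ldap-Group == "dialup", User-Profile := "cn=dialup-profile,ou=profiles,dc=company,dc=com"
        Service-Type = Framed-User,
        Framed-Protocol = PPP

# Administrators: members of the constructed "admins" group get the admin profile.
DEFAULT Ldap-Group == "admins", User-Profile := "cn=admin-profile,ou=profiles,dc=company,dc=com"
        Service-Type = Administrative-User

# Catch-all: anyone who matched no group entry above is rejected outright.
# Without this entry, a user with a valid LDAP password but no group
# membership would still be authenticated with an empty profile.
DEFAULT Auth-Type := Reject
        Reply-Message = "You are not authorized to use this service"
```

Counting who can use a service then becomes a matter of listing the members of the corresponding LDAP group, which is the point Michael raised in item 3; removing a user from the group revokes the service on the next access request without touching the user's own entry.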
