> 3. It is not possible to know exactly how many users can access a
> particular service. Like, if it was based on group or OU membership, a
> look at the dial-up group/OU will tell me just how many people can dial
> into the network. I can also find out who can dialup by looking at the
> group membership.

You can also do searches based on a specific attribute and get the same
information, i.e. "ldapsearch -P2 -x -b dc=base,dc=scope
radiusDialupAccess=true dn" which would return a list of DNs of users that
have dialup access (depending on how you set up your directory).

> But in the current implementation, I have to check the attributes of each
> user to collect the necessary info.
>
> Has anybody done an implementation with authorisation based on group
> membership?

I have set up and had working an implementation based on group membership.
Multilink accounts, access denied/approved, notimeout, etc. However, I found
that configuration to be resource-intensive. I created a test script that
hammered the freeradius server and took my idle processor down below 30%.
The same server, same box, same test script, but with ldap attributes only
takes the idle processor down to 60% at lowest. I could provide you with
example configs, but I think you'd be better off at a setup that takes 30%
less cpu time.

John Hogenmiller, kb3dfz
Systems Administrator, Pennswoods.net
877.716.2002 x 529
---
Anyone could say, "What fantastic and expensive items you have! Oh, how I
wish they were mine!" But I have proven my sincerity by going that extra
mile and actually robbing you blind.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
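An added example, not from the list posts or the FreeRADIUS project, that performs both audits the thread contrasts over a constructed LDIF export: the per-user attribute search John suggests (an offline equivalent of the ldapsearch filter radiusDialupAccess=true returning DNs) and the group-membership view the original poster asked about, plus a check for where the two disagree. The LDIF entries, the group DN and the groupOfNames/member layout are assumptions.

```python
# Constructed LDIF export (assumed layout): three users and one dial-up group.
CONSTRUCTED_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
radiusDialupAccess: true

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
radiusDialupAccess: false

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: cn=dialup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dialup
member: uid=alice,ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr_lowercase: [values]}} (no base64 or line folding)."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():            # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def dialup_by_attribute(entries):
    """Offline equivalent of the filter (radiusDialupAccess=true), returning DNs."""
    return sorted(dn for dn, attrs in entries.items()
                  if any(v.lower() == "true" for v in attrs.get("radiusdialupaccess", [])))


def dialup_by_group(entries, group_dn):
    """Group-based view: whoever is listed as a member of the dial-up group."""
    return sorted(entries.get(group_dn, {}).get("member", []))


def audit_mismatch(entries, group_dn):
    """DNs that one view grants and the other does not; non-empty means the directory is inconsistent."""
    return sorted(set(dialup_by_attribute(entries)) ^ set(dialup_by_group(entries, group_dn)))
```

Running audit_mismatch on the constructed data flags carol, who is in the group but carries no attribute, which is exactly the kind of drift a per-user attribute audit has to catch.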
