Problem is I don't control the LDAP server or its maintenance process. I'm trying to do this without changing the LDAP server. Thus, I want the RADIUS server to effectively synthesize a group from the existence of users and a pattern match on the domain. Like I said, it's kind of a jury-rigging exercise.
Owen
--On Thursday, July 10, 2003 23:42 -0400 Gene Parks <[EMAIL PROTECTED]> wrote:
Well defining certain parameters per user is another avenue. Not sure what you are asking is really possible without some form of positive definition.
You can add the group membership to ldap via one attribute which is not that big a deal. But I am sure Alan or one of the other guys might have a better suggestion.
Gene
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 11:33 PM To: [EMAIL PROTECTED] Subject: RE: Group Membership jury-rigging
OK... Let's try this again... I have a VPN device which uses "user groups" to map email addresses to VPN Parameter sets. This device will first query the RADIUS server for "is [EMAIL PROTECTED] a member of group xyz".
When this happens, I want the RADIUS server to do the following:
If [EMAIL PROTECTED] does not match regexp /[EMAIL PROTECTED]/, return "NO".
Else, if user is defined in LDAP, return "YES"
Else, return "NO"
To me, that's different from either of the two things you mentioned. It's close to the latest one, except for my desire to not have to actually define the group and maintain it. Basically, I want the RADIUS server to fake group membership based on user exists and specified email address is, therefore, a valid email address at the company.
Hope that clarifies the goal. Basically, I want IT to be able to have users work with the VPN automatically if they have an account.
Owen
--On Thursday, July 10, 2003 20:23 -0400 Gene Parks <[EMAIL PROTECTED]> wrote:
Well if you are talking about actually grouping users then that is different from what you typed originally. Based on your original request a person [EMAIL PROTECTED] will be rejected unless you have them defined in LDAP. Now your new request talks about group membership. In that context, you will need two things. One a group membership definition in LDAP based on the attribute defined in radiusd.conf. And a DEFAULT record in the user file to tell freeradius what to do with it.
This should satisfy your need.
Gene
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 8:10 PM To: [EMAIL PROTECTED] Subject: RE: Group Membership jury-rigging
OK... I think we're talking about two different things. At this point, the request is going to come in to ask "Is [EMAIL PROTECTED] a member of group blazo?". There's not going to be a password or any authentication information in this first request. Assuming RADIUS says "Yes", the device will get the user name and password and respond with an authentication request with username and password.
Owen
--On Thursday, July 10, 2003 20:03 -0400 Gene Parks <[EMAIL PROTECTED]> wrote:
It does that by default. It is looking specifically for the realm if you set up radiusd.conf to do that. It will reject anything it doesn't find.
Gene
-----Original Message----- From: Owen DeLong [mailto:[EMAIL PROTECTED] Sent: Thursday, July 10, 2003 4:54 PM To: [EMAIL PROTECTED] Subject: Group Membership jury-rigging
I have an application where I have a device that will be doing group membership queries against my radius server looking for members in a group called "foo" of the form "[EMAIL PROTECTED]". Is there any way to jury rig radius such that it will:
Only permit @blah.zorp and reject any other @foo.blah.
Take user from [EMAIL PROTECTED] and look it up in LDAP.
Return True if user is found and false if user is not found.
If anyone has any handy config examples for how to accomplish this, I'd be _VERY_ appreciative.
Thanks,
Owen
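The decision Owen describes in this thread (reject unless the realm is the allowed one, then answer "YES" only if the local part exists in LDAP) is simple enough to write down as a policy function. The Python below is an added example for this thread and is not FreeRADIUS code or anything Owen or Gene posted. It assumes the realm "blah.zorp" from the original message, a "uid" attribute for the LDAP lookup, and a constructed in-memory stand-in for the directory search; a real deployment would run the generated filter against the LDAP server. Two details a practitioner would want that the thread does not spell out: the realm match is anchored (an unanchored /@blah.zorp/ also matches "user@blah.zorp.example.net"), and the local part is escaped per RFC 4515 before it is placed in the search filter so it cannot alter the filter.

```python
"""Synthesized group membership: allowed-realm check plus LDAP existence lookup."""
import re
from typing import Callable

# Assumption: the realm from the thread's example; the VPN device's group
# query for user@realm is answered from this value and the directory alone.
ALLOWED_REALM = "blah.zorp"

# Anchored pattern: the whole username must be exactly local@realm, with no
# whitespace and a single '@'. Both parts are captured for the checks below.
_EMAIL_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<realm>[^@\s]+)$")


def escape_ldap_filter(value: str) -> str:
    """Escape the characters RFC 4515 treats specially inside a filter value."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(local_part: str, uid_attr: str = "uid") -> str:
    """Build the equality filter used to look the local part up in LDAP."""
    return "(%s=%s)" % (uid_attr, escape_ldap_filter(local_part))


def is_group_member(username: str,
                    user_exists: Callable[[str], bool],
                    allowed_realm: str = ALLOWED_REALM) -> bool:
    """Return True only if the realm is allowed and the user exists in LDAP.

    user_exists is the directory search: it receives a complete LDAP filter
    string and reports whether any entry matches it.
    """
    match = _EMAIL_RE.match(username.strip())
    if match is None:
        return False                      # not of the form local@realm
    if match.group("realm").lower() != allowed_realm.lower():
        return False                      # any other @domain is rejected
    return user_exists(build_user_filter(match.group("local")))


def decide(username: str, user_exists: Callable[[str], bool]) -> str:
    """The YES/NO answer the thread wants the RADIUS server to return."""
    return "YES" if is_group_member(username, user_exists) else "NO"


# Constructed stand-in for the directory: the uid values that exist. A real
# search would match the filter against LDAP entries instead of this set.
_FAKE_DIRECTORY = {"alice", "bob"}


def fake_user_exists(ldap_filter: str) -> bool:
    """Constructed search: True iff the filter is the exact filter for a known uid."""
    return ldap_filter in {build_user_filter(uid) for uid in _FAKE_DIRECTORY}


if __name__ == "__main__":
    for name in ("alice@blah.zorp", "carol@blah.zorp", "alice@foo.blah",
                 "alice@blah.zorp.example.net", "ali*ce@blah.zorp"):
        print(name, "->", decide(name, fake_user_exists))
```

Because the wildcard in "ali*ce" is escaped to "\2a" before the filter is built, that query is answered "NO" rather than matching "alice"; the same escaping protects a real directory search from a crafted local part in the username the VPN device forwards.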
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
