Do you have the ability to read and write to the LDAP server?

-----Original Message-----
From: Owen DeLong [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 10, 2003 11:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Group Membership jury-rigging

Problem is I don't control the LDAP server or its maintenance process. I'm trying to do this without changing the LDAP server. Thus, I want the RADIUS server to effectively synthesize a group from the existence of users and a pattern match on the domain. Like I said, it's kind of a jury-rigging exercise.

Owen

--On Thursday, July 10, 2003 23:42 -0400 Gene Parks <[EMAIL PROTECTED]> wrote:

> Well defining certain parameters per user is another avenue.
> Not sure what you are asking is really possible without some form of
> positive definition.
>
> You can add the group membership to ldap via one attribute which is not
> that big a deal. But I am sure Alan or one of the other guys might have
> a better suggestion.
>
> Gene
>
> -----Original Message-----
> From: Owen DeLong [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 10, 2003 11:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Group Membership jury-rigging
>
>
> OK... Let's try this again... I have a VPN device which uses "user groups"
> to map email addresses to VPN Parameter sets. This device will first
> query the RADIUS server for "is [EMAIL PROTECTED] a member of group xyz".
>
> When this happens, I want the RADIUS server to do the following:
>
> If [EMAIL PROTECTED] does not match regexp /[EMAIL PROTECTED]/,
> return "NO".
>
> Else, if user is defined in LDAP, return "YES"
>
> Else, return "NO"
>
> To me, that's different from either of the two things you mentioned.
> It's close to the latest one, except for my desire to not have to
> actually define the group and maintain it. Basically, I want the
> RADIUS server to fake group membership based on user exists and
> specified email address is, therefore, a valid email address at
> the company.
>
> Hope that clarifies the goal. Basically, I want IT to be able to
> have users work with the VPN automatically if they have an account.
>
> Owen
>
>
> --On Thursday, July 10, 2003 20:23 -0400 Gene Parks
> <[EMAIL PROTECTED]> wrote:
>
>> Well if you are talking about actually grouping users then that is
>> different from what you typed originally. Based on your original
>> request a person [EMAIL PROTECTED] will be rejected unless you have
>> them defined in LDAP.
>> Now your new request talks about group membership. In that context you
>> will need two things. One a group membership definition in LDAP based
>> on the attribute defined in radiusd.conf. And a DEFAULT record in the
>> user file to tell freeradius what to do with it.
>>
>> This should satisfy your need.
>>
>> Gene
>>
>> -----Original Message-----
>> From: Owen DeLong [mailto:[EMAIL PROTECTED]
>> Sent: Thursday, July 10, 2003 8:10 PM
>> To: [EMAIL PROTECTED]
>> Subject: RE: Group Membership jury-rigging
>>
>>
>> OK... I think we're talking about two different things. At this point,
>> the request is going to come in to ask "Is [EMAIL PROTECTED] a member of
>> group blazo?". There's not going to be a password or any authentication
>> information in this first request. Assuming RADIUS says "Yes", the
>> device will get the user name and password and respond with an
>> authentication request with username and password.
>>
>> Owen
>>
>>
>> --On Thursday, July 10, 2003 20:03 -0400 Gene Parks
>> <[EMAIL PROTECTED]> wrote:
>>
>>> It does that by default. It is looking specifically for the realm if
>>> you setup radiusd.conf to do that. It will reject anything it doesn't
>>> find.
>>>
>>> Gene
>>>
>>> -----Original Message-----
>>> From: Owen DeLong [mailto:[EMAIL PROTECTED]
>>> Sent: Thursday, July 10, 2003 4:54 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: Group Membership jury-rigging
>>>
>>>
>>> I have an application where I have a device that will be doing group
>>> membership queries against my radius server looking for members in
>>> a group called "foo" of the form "[EMAIL PROTECTED]". Is there any way
>>> to jury-rig radius such that it will:
>>>
>>> Only permit @blah.zorp and reject any other @foo.blah.
>>>
>>> Take user from [EMAIL PROTECTED] and look it up in LDAP.
>>>
>>> Return True if user is found and false if user is not found.
>>>
>>> If anyone has any handy config examples for how to accomplish this,
>>> I'd be _VERY_ appreciative.
>>>
>>> Thanks,
>>>
>>> Owen
>>>

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
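The decision the thread is after (answer "NO" unless the realm is exactly the company domain, then "YES" only if the local part exists in LDAP) modelled as a stand-alone Python example. This is added here and is not code from the thread or from FreeRADIUS. `blah.zorp` stands in for the company domain, `uid` is assumed to be the attribute the account is looked up by, the directory is a constructed in-memory set, and the LDAP server is simulated just far enough to show two checks a practitioner would want: the realm pattern must be anchored, and the local part must be escaped before it is spliced into a search filter, otherwise `*@blah.zorp` becomes the filter `(uid=*)` and "user exists" is true for everyone.

```python
"""Model of the group-membership decision discussed in the thread.

Added example, not FreeRADIUS code. blah.zorp, the uid attribute and the
directory contents are stand-ins; the LDAP server is simulated in-process.
"""
import re

# Anchored realm check. The anchors matter: an unanchored pattern for
# "@blah.zorp" would also accept "owen@blah.zorp.evil.example".
# Assumption: blah.zorp is the company domain from the thread.
REALM_RE = re.compile(r"^(?P<user>[^@]+)@blah\.zorp$", re.IGNORECASE)

# Constructed stand-in for the directory: the uid values that exist.
SAMPLE_DIRECTORY = frozenset({"owen", "gene", "alice"})


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a User-Name of "*@blah.zorp" turns the filter into
    "(uid=*)", which matches every entry, so the existence check says
    "yes" for an account that does not exist.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def fake_ldap_search(filter_str: str, directory=SAMPLE_DIRECTORY) -> list:
    """Stand-in for an LDAP server evaluating a "(uid=<assertion>)" filter.

    Like a real server it treats an unescaped '*' as a wildcard and a
    backslash followed by two hex digits as one literal character, which
    is exactly what makes the escaping above necessary.
    """
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str)
    if not m:
        return []
    assertion = m.group(1)
    regex_parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        hexpair = assertion[i + 1:i + 3]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
            regex_parts.append(re.escape(chr(int(hexpair, 16))))  # literal
            i += 3
        elif ch == "*":
            regex_parts.append(".*")  # wildcard, as in a real filter
            i += 1
        else:
            regex_parts.append(re.escape(ch))
            i += 1
    uid_re = re.compile("".join(regex_parts), re.IGNORECASE)
    return sorted(uid for uid in directory if uid_re.fullmatch(uid))


def is_group_member(user_name: str, directory=SAMPLE_DIRECTORY,
                    escape: bool = True) -> bool:
    """Return True only if the realm is the company domain AND the user exists.

    escape=False reproduces the unsafe variant (local part spliced into
    the filter verbatim) so the difference can be observed.
    """
    m = REALM_RE.match(user_name)
    if not m:
        return False  # wrong realm, or no realm at all: "NO"
    local = m.group("user")
    assertion = ldap_escape(local) if escape else local
    # "YES" only if the directory knows the account.
    return bool(fake_ldap_search(f"(uid={assertion})", directory))


if __name__ == "__main__":
    for name in ("owen@blah.zorp", "nobody@blah.zorp", "owen@foo.blah",
                 "owen@blah.zorp.evil.example", "*@blah.zorp"):
        print(f"{name:32} -> {'YES' if is_group_member(name) else 'NO'}")
```

The same two checks apply whatever actually runs the logic: if the lookup is done by the RADIUS server's LDAP module, the local part should be passed through its filter-escaping expansion rather than interpolated raw, and the realm test should be anchored on both ends.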
