The only way I got this to work was separate trees in LDAP for each group, and then in your default line in your users file put the tree you want it to search for the group and NAS definition.

Message: 2
Date: Thu, 11 May 2006 12:52:47 +0300
From: Mircea Harapu <[EMAIL PROTECTED]>
Subject: radius filters for ldap searching
To: freeradius-users@lists.freeradius.org
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello,

I'm using freeradius 1.0.4 with openldap 2.2.24 to authenticate users on Cisco switches. Every switch belongs to a specific group and for every user I'm setting the groups he can access. I also use Cisco avpairs for privilege level.
So far, so good!
The problems occurred when I tried to make a user have different privilege levels on different switches.
This is the profile I'm using:

# test, radius, isp.ro
dn: uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
cn: test
userPassword:: xxx
radiusGroupName: bucuresti
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User

# bucuresti, test, radius, isp.ro
dn: cn=bucuresti,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"
cn: bucuresti

# valcea, test, radius, isp.ro
dn: cn=valcea,uid=test,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
userPassword:: xxx
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
cn: valcea

raddb/users
# Switch 192.168.50.202
# Description test
DEFAULT NAS-IP-Address == 192.168.50.202, Ldap-Group == bucuresti
   Fall-Through = no
DEFAULT Auth-Type := Reject

What I need is to filter the LDAP search in the authorize section based on GroupName, and I don't know how.

--
Terry J Fike Jr
System Administrator
MTA Solutions
907-793-4100
[EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
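The per-group lookup that the reply describes (one LDAP subtree per group, the search base chosen from the switch's group), as an added example that is not part of the thread. It evaluates an LDIF reshaped into that layout offline, with no LDAP server; the second switch 192.168.50.203 and its mapping to valcea are assumed.

```python
import re

# Constructed LDIF following the reply's advice: one subtree per group,
# each holding the user's per-switch profile (passwords omitted).
LDIF = """\
dn: uid=test,ou=bucuresti,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
radiusGroupName: bucuresti
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=15"

dn: uid=test,ou=valcea,ou=radius,dc=isp,dc=ro
uid: test
objectClass: radiusprofile
radiusGroupName: valcea
radiusServiceType: NAS-Prompt-User
radiusCiscoLevel: "shell:priv-lvl=7"
"""

# Switch -> group, as the users-file DEFAULT lines express it
# (192.168.50.203 -> valcea is an assumed second switch).
NAS_GROUP = {"192.168.50.202": "bucuresti", "192.168.50.203": "valcea"}
BASE = "ou=radius,dc=isp,dc=ro"

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] for a simple, unfolded LDIF."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries.append((attrs["dn"][0], attrs))
    return entries

def search(entries, basedn, filt):
    """Subtree search: DN under basedn and every (attr=value) in filt matches."""
    terms = re.findall(r"\(([^=()&]+)=([^()]*)\)", filt)
    return [(dn, a) for dn, a in entries
            if dn.endswith("," + basedn)
            and all(v in a.get(k, []) for k, v in terms)]

def priv_level(user, nas_ip, entries=None):
    """Privilege level the switch at nas_ip should get for user, or None."""
    group = NAS_GROUP.get(nas_ip)
    if group is None:
        return None  # unknown switch: no profile, so the request is rejected
    hits = search(entries or parse_ldif(LDIF), f"ou={group},{BASE}",
                  f"(&(uid={user})(radiusGroupName={group}))")
    if not hits:
        return None
    m = re.search(r"priv-lvl=(\d+)", hits[0][1]["radiusCiscoLevel"][0])
    return int(m.group(1)) if m else None
```

Because the search base is scoped to the group's subtree, the same uid yields level 15 on the bucuresti switch and level 7 on the valcea switch, and a switch with no group mapping gets no profile at all.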