> From: freeradius-users-[EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On behalf of Ranner, Frank MR
> Sent: Tuesday 17 October 2006 4:17
> To: FreeRadius users mailing list
> Subject: RE: [sec: unclas] Huntgroupname checkitem in LDAP
> 
> 
> DEFAULT Ldap-Group == `%{Huntgroup-Name}`
>         Access-Level := RW,
>         Service-Type = Administrative-User,
>         Cisco-AVPair := "shell:priv-lvl=15",
>         Passport-Command-Impact = configuration
> 

Although this approach works if you just want to add attributes for a
certain huntgroup if a user is a member of it.

My problem is, I have 2 user databases, one being SQL the other being
LDAP/AD

I want to be able to specify to which NASses the LDAP/AD user has access
to.

If it were only LDAP/AD users, everything would work like this:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
                Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, every user that is not a member of a specific Group that
matches a Huntgroup name is denied access.

But I still have the SQL users and the above rules break them.

So I changed it to this:

DEFAULT SQL-Group == `%{Huntgroup-Name}`
                Fall-Through = no

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
                Fall-Through = no

DEFAULT Auth-Type := REJECT

In this way, I need to change my SQL user setup from having the
Huntgroup-Name in SQL as a check item (radgroupcheck) to adding every SQL
user to an SQL group having the same name as the huntgroup.

This behaviour works but is not really desirable.

After searching and experimenting, the trick to NOT break EAP/LDAP/SQL
while still having everything work the way I wanted it to was as
follows:

DEFAULT Ldap-Group == `%{Huntgroup-Name}`
                Fall-Through = no

DEFAULT Auth-Type = LOCAL
                Fall-Through = Yes

This configuration allows the default SQL behaviour to stay the
same, keeps EAP working AND locks LDAP users to the NASes controlled by their
group membership. Since I spent a long time figuring this out I wanted to
share this with the list.
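To show why the three users-file variants above behave differently for SQL and LDAP users, here is a small added model of how the "files" module walks the users file (this is example code, not part of the original post and not FreeRADIUS code): entries are tried in order, the first entry whose check items all match contributes its reply items, and the walk stops there unless that entry carries Fall-Through = Yes. The `:=` operator always sets an attribute, `=` sets it only if absent. The huntgroups table, user names and group names are constructed sample data; the model covers only which users-file entry a request lands on, not what the authenticate section later does with Auth-Type LOCAL or REJECT.

```python
# Added example (not from the original post): a model of users-file
# matching and Fall-Through in FreeRADIUS, applied to the three variants
# discussed in the post. All names, IPs and groups below are constructed.
from dataclasses import dataclass, field
from typing import Optional

# Constructed huntgroups table: NAS-IP-Address -> Huntgroup-Name.
HUNTGROUPS = {
    "10.0.0.1": "cisco-routers",
    "10.0.0.2": "core-switches",
}


@dataclass
class Entry:
    # Check item: "Ldap-Group" or "SQL-Group" must equal %{Huntgroup-Name};
    # None means a DEFAULT entry with no check items (always matches).
    group_attr: Optional[str]
    # Reply items: attribute -> (operator, value).
    reply: dict = field(default_factory=dict)
    # Fall-Through = Yes lets later entries be tried after a match.
    fall_through: bool = False


@dataclass
class User:
    name: str
    ldap_groups: set = field(default_factory=set)
    sql_groups: set = field(default_factory=set)


def group_matches(entry: Entry, user: User, huntgroup: Optional[str]) -> bool:
    """Evaluate the entry's single group check against the request."""
    if entry.group_attr is None:
        return True
    groups = user.ldap_groups if entry.group_attr == "Ldap-Group" else user.sql_groups
    return huntgroup in groups


def apply_reply(reply: dict, items: dict) -> None:
    """Merge reply items with users-file operator semantics."""
    for attr, (op, value) in items.items():
        if op == ":=":
            reply[attr] = value          # always set / override
        elif op == "=":
            reply.setdefault(attr, value)  # set only if not already present


def walk_users_file(entries: list, user: User, nas_ip: str) -> dict:
    """Return the reply items a request collects while walking the file."""
    huntgroup = HUNTGROUPS.get(nas_ip)   # %{Huntgroup-Name}, None if unknown NAS
    reply: dict = {}
    for entry in entries:
        if not group_matches(entry, user, huntgroup):
            continue
        apply_reply(reply, entry.reply)
        if not entry.fall_through:
            break                        # first match wins unless Fall-Through
    return reply


# Variant 1 from the post: LDAP group check, then reject everyone else.
LDAP_ONLY_REJECT = [
    Entry("Ldap-Group", {}, False),
    Entry(None, {"Auth-Type": (":=", "REJECT")}, False),
]

# Variant 2: SQL group check, LDAP group check, then reject.
SQL_AND_LDAP_REJECT = [
    Entry("SQL-Group", {}, False),
    Entry("Ldap-Group", {}, False),
    Entry(None, {"Auth-Type": (":=", "REJECT")}, False),
]

# Variant 3 (the one the post settled on): LDAP group check, then a
# fall-through default that only sets Auth-Type if nothing set it yet.
LDAP_LOCAL_FALLTHROUGH = [
    Entry("Ldap-Group", {}, False),
    Entry(None, {"Auth-Type": ("=", "LOCAL")}, True),
]

# Constructed users: an AD/LDAP admin and a plain SQL user.
LDAP_ADMIN = User("alice", ldap_groups={"cisco-routers"})
SQL_USER = User("bob", sql_groups={"cisco-routers"})

if __name__ == "__main__":
    for label, cfg in [("ldap-only+reject", LDAP_ONLY_REJECT),
                       ("sql+ldap+reject", SQL_AND_LDAP_REJECT),
                       ("ldap+local-fallthrough", LDAP_LOCAL_FALLTHROUGH)]:
        for user in (LDAP_ADMIN, SQL_USER):
            for nas in ("10.0.0.1", "10.0.0.2"):
                print(label, user.name, nas, walk_users_file(cfg, user, nas))
```

Running it shows the post's observations in miniature: with the first variant the SQL user is rejected on every NAS because no Ldap-Group entry matches and the walk reaches the REJECT line; the second variant only rescues SQL users who have been added to an SQL group named after the huntgroup; the third variant stops at the Ldap-Group entry for LDAP users on a NAS in their group and otherwise falls through to Auth-Type = LOCAL, leaving SQL users untouched by the users file.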

My current setup has SQL users + Complete Active Directory integration
(having EAP=>NTLM) + LDAP(PAP/etc...)

Kind Regards,

J. 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html