On 03/27/2010 01:46 AM, Peter Lambrechtsen wrote:
> On Sat, Mar 27, 2010 at 3:00 AM, Doug Warner <[email protected]> wrote:
>
> > I'm trying to set up freeradius to authenticate users via LDAP but pull
> > group information via MySQL. I currently only need radius for
> > authentication to network devices (switches, PDUs, etc) but want to make
> > sure I set it up so that I don't shoot myself in the foot later.
> >
> > In trying to get the correct attributes assigned to a group I've noticed
> > that I need to set Fall-Through on each group that a user belongs to in
> > order to have later groups evaluated. Is there a better way that I can
> > say something like, "this client should check for access from these
> > groups" so that I only need to set Fall-Through on certain groups
> > instead of all?
>
> Why not just use LDAP altogether for your group-based auth? This is
> how I do it and it works well, and doesn't need any schema extensions.
>
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg00001.html
>
> Then all you have to do is modify the hostgroups & postauth_users file
> when you add new NAS's.

I don't have control over the LDAP server at all so I can't change what groups people are in.

I think I've managed to get things working by setting up a huntgroup with the SQL-Group set to check that the user is in a specific group. I then have the users file set up to assign the appropriate attributes to the huntgroup.

-Doug
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

