fixed it... Or rather Alan fixed it. I just found it and uncommented it. Had forgotten to uncomment group checking in the ldap module. Apparently there are defaults.
Thanks for the help.
N

On Thu, Jul 29, 2010 at 2:39 PM, Natr Brazell <[email protected]> wrote:
> I added 3 groups called tier1,2 and 3 like
> cn=tier3,ou=People,dc=somedomain,dc=com and added a user to that group.
> That user is not able to log on. Here is the output. Note the "member="
> and "uniquemember=". Ldap-UserDn values are null???
>
> [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 3
> [ldap] object not found
> [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.
> [ldap] Entering ldap_groupcmp()
> [files] expand: ou=People,dc=somedomain,dc=com ->
> ou=People,dc=somedomain,dc=com
> [files] expand:
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier2)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 4
> [ldap] object not found
> [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier2 not found or user is not a member.
> [ldap] Entering ldap_groupcmp()
> [files] expand: ou=People,dc=somedomain,dc=com ->
> ou=People,dc=somedomain,dc=com
> [files] expand:
> (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
> ->
> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] performing search in ou=People,dc=somedomain,dc=com, with filter
> (&(cn=tier1)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
> request done: ld 0x91aff80 msgid 5
> [ldap] object not found
> [ldap] ldap_release_conn: Release Id: 0
> rlm_ldap::ldap_groupcmp: Group tier1 not found or user is not a member.
>
> On Thu, Jul 29, 2010 at 12:00 PM, Natr Brazell <[email protected]> wrote:
>
>> Ooh! I'll try the LDAP-Group. wrt the Juniper-Local-User-Name VSA:
>>
>> Once authenticated against LDAP the user is mapped to the NAS device where
>> there is a username called tier3 (or whatever you called it. Could be
>> superduck). That username is matched against a class which defines a
>> specific set of available commands. The default classes on a juniper router
>> and switch (out of the box) are tier1 (read-only), tier2 (show and some
>> configure commands) and tier3 (or superuser). The audits on both the NAS
>> and in the radius radacct log show the User-Name value as the LDAP uid.
>> When a user types a command such as 'edit' the NAS returns a
>> Juniper-Interactive-Command value = 'edit'. In this way we have a full
>> record of every command each user types on any Juniper device in our
>> accounting logs. Doing this provides very granular control over what users
>> have what permissions and provides a mechanism for tracking, troubleshooting
>> and accountability.
>>
>> Thanks Alan,
>> N
>>
>> On Thu, Jul 29, 2010 at 11:35 AM, Alan DeKok <[email protected]> wrote:
>>
>>> Natr Brazell wrote:
>>> > I am looking for information on grouping users into profiles/groups.
>>> > I've searched around the FAQ's and docs but not finding a clear
>>> > picture. I've found how to associate a user with a group of NAS's.
>>>
>>> See "man rlm_passwd" It can be used to create arbitrary groups,
>>> including groups of users.
>>>
>>> > Here's the scenario. There is a specific VSA from Juniper called
>>> > Juniper-Local-User-Name. This gets mapped to a locally defined profile
>>> > on the NAS. In the users file I have the following:
>>> >
>>> > bob.smith Juniper-Local-User-Name = "tier3",
>>>
>>> What does that do?
>>>
>>> > So to the point, rather than defining each user with the same
>>> > parameters every time, can I create a group, for instance TIER3, and
>>> > associate User-Name's above to the group. And if so how or point me to
>>> > some specific examples.
>>> >
>>> > I am using LDAP also so if there is an LDAP solution same question.
>>> > Howto?
>>>
>>> Put the users into an LDAP group, and use LDAP-Group checking:
>>>
>>> DEFAULT LDAP-Group == "tier2"
>>> Juniper-Deny-Commands = "(show system alarms)|(show system software)"
>>>
>>> Alan DeKok.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>>
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
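The debug output quoted in the thread shows the group filter's `%{Ldap-UserDn}` expanding to nothing, so every `LDAP-Group` search asserts `(member=)` / `(uniquemember=)` and can never match, which is what uncommenting group checking in the ldap module fixed. The script below is an added example, not from the thread or from FreeRADIUS: it scans `radiusd -X` style output for exactly that symptom so an operator can spot an unset xlat before chasing the directory. The sample log lines are constructed from the ones quoted above, re-joined onto single lines.

```python
import re

# Constructed sample modelled on the radiusd -X output quoted in the thread,
# with the mail-wrapped debug lines re-joined so each message is on one line.
SAMPLE_DEBUG = """\
[ldap] Entering ldap_groupcmp()
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
[ldap] performing search in ou=People,dc=somedomain,dc=com, with filter (&(cn=tier3)(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=))))
[ldap] object not found
rlm_ldap::ldap_groupcmp: Group tier3 not found or user is not a member.
"""

# One simple "(attr op value)" item of an RFC 4515 filter; values here never contain parentheses.
ASSERTION_RE = re.compile(r"\(([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)\)")
XLAT_RE = re.compile(r"%\{([\w-]+)\}")  # a FreeRADIUS %{Attribute-Name} reference
EXPAND_RE = re.compile(r"\[files\] expand: (\S+) -> (\S+)")
SEARCH_RE = re.compile(r"\[ldap\] performing search in (.+?), with filter (\S+)")
GROUPCMP_RE = re.compile(r"ldap_groupcmp: Group (\S+) not found or user is not a member")

def empty_assertions(ldap_filter):
    """Attributes asserted against an empty value; such a filter cannot match any real entry."""
    return [attr for attr, _op, value in ASSERTION_RE.findall(ldap_filter) if value == ""]

def audit_group_checks(debug_text):
    """Walk debug output and record why each LDAP-Group comparison failed."""
    report = {"empty_xlats": set(), "doomed_searches": [], "groups_not_matched": []}
    for line in debug_text.splitlines():
        if m := EXPAND_RE.search(line):
            # Pair every %{...} in the template with the value it expanded to.
            template, result = ASSERTION_RE.findall(m.group(1)), ASSERTION_RE.findall(m.group(2))
            for (_a, _o, tmpl_val), (_a2, _o2, real_val) in zip(template, result):
                if (ref := XLAT_RE.fullmatch(tmpl_val)) and real_val == "":
                    report["empty_xlats"].add(ref.group(1))
        elif m := SEARCH_RE.search(line):
            parts = ASSERTION_RE.findall(m.group(2))
            group = next((v for a, _o, v in parts if a.lower() == "cn"), None)  # group name asserted on cn
            if empties := empty_assertions(m.group(2)):
                report["doomed_searches"].append((group, empties))
        elif m := GROUPCMP_RE.search(line):
            report["groups_not_matched"].append(m.group(1))
    return report

if __name__ == "__main__":
    r = audit_group_checks(SAMPLE_DEBUG)
    for name in sorted(r["empty_xlats"]):
        print(f"%{{{name}}} expanded to nothing: the ldap module never set it for this request")
    for group, attrs in r["doomed_searches"]:
        print(f"group {group!r}: filter asserts empty {attrs}, so no member can ever match")
```

Feed it the real `radiusd -X` output (with wrapped lines re-joined) and an empty `Ldap-UserDn` points at the ldap module's group configuration rather than at the directory contents.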

