Coooorrrrect! :) -Arran
On 3 Aug 2011, at 06:19, Moe, John wrote:

> Sorry to reply to my own post, but I think I've found the answer; can
> someone let me know if I'm on the right track?
>
> I believe that I should be using ntlm_auth to *only* validate the *password*
> in the authenticate section. And then I'll need to configure the LDAP
> module and use Ldap-Group as an additional item to match against in the
> users file to return the appropriate Service-Type attribute?
>
> John H. Moe
> Network Support - Hatch IT
> HATCH
> Tel: +61 (7) 3166 7777
> Direct: +61 (7) 3166 7684
> Fax: +61 (7) 3368 3754
> Mobile: +61 438 772 425
> 61 Petrie Terrace, Brisbane, Queensland Australia 4000
>
>> -----Original Message-----
>> From: freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmoe=hatch.com...@lists.freeradius.org] On Behalf Of Moe, John
>> Sent: Wednesday, 3 August 2011 9:33 AM
>> To: freeradius-users@lists.freeradius.org
>> Subject: Returning attributes based on group membership using NTLM_AUTH
>>
>> I'm trying to set up switch logons for IT staff. Some will get operator
>> (limited, read-only) access, some get manager (full) access. I've got two
>> Active Directory groups that control which access they get.
>>
>> I've got the ntlm_auth section working with two different instances, one for
>> each, using the "--require-membership-of" switch to ntlm_auth.
>>
>> **** modules/ntlm_auth ****
>>
>> exec ntlm_auth.swcmgr {
>>     wait = yes
>>     program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-MANAGERS"
>> }
>>
>> exec ntlm_auth.swcoper {
>>     wait = yes
>>     program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password} --require-membership-of=MYDOMAIN\\SWITCH-OPERATORS"
>> }
>>
>> **** End of file ****
>>
>> I've also got the following in my users file:
>>
>> **** users ****
>>
>> DEFAULT Auth-Type = ntlm_auth.swcmgr, Service-Type == 7, NAS-Port-Type == 5
>>         Service-Type := 6,
>>         # Fall-Through = Yes
>>
>> #DEFAULT Auth-Type = ntlm_auth.swcoper, Service-Type == 7, NAS-Port-Type == 5
>> #        Service-Type := 7
>>
>> **** End of file ****
>>
>> And in sites-enabled/default, I've listed these two in the authenticate
>> section.
>>
>> With the config above, it'll let managers in with manager access, but not
>> operators. If I comment out the first DEFAULT line in the users file, and
>> uncomment the second, it'll let operators in with operator access, but not
>> managers. But if I uncomment both, operators get denied access on the
>> first DEFAULT line, and processing stops. If I uncomment the
>> "Fall-Through" line, it appears to only fall through on success of the first
>> DEFAULT section, not on failure.
>>
>> What's the best way to accomplish what I want? I think I'd need to use
>> unlang somehow, but the sites-enabled/default says unlang should go in
>> post-auth, and I think I need it in the authenticate section? Or should I
>> be looking to do it in the modules/ntlm_auth file? Is this too complicated
>> for unlang? Should I be looking at perl or python? Or am I overcomplicating
>> things? Any pointers would be appreciated.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudba...@freeradius.org
RADIUS - Half the complexity of Diameter
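The layout John sketches in his follow-up (ntlm_auth for the password check only, rlm_ldap for group membership, users-file entries keyed on Ldap-Group) as an added configuration example; it is not from the thread or from the FreeRADIUS distribution, it assumes FreeRADIUS 2.x syntax, and the LDAP server, bind DN, bind password, base DN and group names are placeholders.

```conf
# --- modules/ntlm_auth: one instance that validates the password only
#     (no --require-membership-of; group policy is decided in the users file)
exec ntlm_auth {
    wait = yes
    program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{User-Name} --password=%{User-Password}"
}

# --- modules/ldap: read-only bind account used only to find the user and their groups
#     (server, identity, password and basedn are placeholders)
ldap {
    server   = "dc1.example.internal"
    identity = "CN=radius-ro,OU=Service Accounts,DC=example,DC=internal"
    password = "REPLACE-WITH-BIND-PASSWORD"
    basedn   = "DC=example,DC=internal"
    filter   = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    # never let rlm_ldap authenticate by user bind; ntlm_auth is the only authenticator
    set_auth_type = no
    # Ldap-Group == "NAME" is compared against this attribute of the groups the user is in
    groupname_attribute       = cn
    groupmembership_filter    = "(&(objectClass=group)(member=%{control:Ldap-UserDn}))"
    groupmembership_attribute = memberOf
}

# --- sites-enabled/default: ldap runs in authorize before files so that the
#     Ldap-Group check items can be evaluated; authenticate only runs ntlm_auth
authorize {
    preprocess
    ldap
    files
}
authenticate {
    ntlm_auth
}

# --- users: each DEFAULT only matches members of one group, so a non-member
#     skips it and the next entry is tried (no Fall-Through needed).
#     Service-Type 7 = NAS-Prompt-User, 6 = Administrative-User; NAS-Port-Type 5 = Virtual
DEFAULT Ldap-Group == "SWITCH-MANAGERS", Service-Type == 7, NAS-Port-Type == 5
        Auth-Type := ntlm_auth,
        Service-Type := 6

DEFAULT Ldap-Group == "SWITCH-OPERATORS", Service-Type == 7, NAS-Port-Type == 5
        Auth-Type := ntlm_auth,
        Service-Type := 7

# a valid AD password alone is not enough: anyone in neither group is refused
DEFAULT Service-Type == 7, NAS-Port-Type == 5
        Auth-Type := Reject,
        Reply-Message := "Not a member of a switch access group"
```

With `set_auth_type = no` the LDAP module can never fall back to a user bind for a request that matches none of the entries, so a missing users-file match cannot quietly turn into a successful LDAP-bind login.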