Hi Neil - I’ve sent you an example in a separate email.
regards

Hugh

> On 7 Mar 2020, at 23:44, Johnson, Neil M <neil-john...@uiowa.edu> wrote:
>
> Hugh,
>
> I do have our various types of network equipment grouped by Client-Identifier. Right now I have a separate handler for each Client-Identifier that has an AddToReply statement to return the attribute required for admin level access.
>
> Now the requirement is, based on group membership, to provide levels of access to the devices.
>
> So, your last statement: "Or alternatively, your PostAuthHook in the AuthBy LDAP2 clause would use the Client-Identifier together with the LDAP group information to query a UserGroup/DeviceGroup matrix in an SQL database for example." Ideally that is what I'm looking for...
>
> If you could point me to an example(s) I'd greatly appreciate it!
>
> -Neil
>
> On 3/6/20, 5:05 PM, "Hugh Irvine" <h...@open.com.au> wrote:
>
> Hi Neil -
>
> It depends on how you are going to return the reply attribute(s)?
>
> It also depends on how the reply attributes are stored, if not directly listed in the AuthBy LDAP2 clause?
>
> If the reply attribute(s) is/are static in the configuration file, then yes, multiple AuthBy LDAP2 clauses is the simplest way.
>
> For more complex scenarios you may need to use a PostSearchHook and some form of external storage.
>
> In the general case, each piece of network equipment would be listed with an Identifier tag to group them, and your configuration file would be based on Handlers using the Client-Identifier.
>
> Or alternatively, your PostAuthHook in the AuthBy LDAP2 clause would use the Client-Identifier together with the LDAP group information to query a UserGroup/DeviceGroup matrix in an SQL database for example.
>
> If you can give us a bit more detail we may be able to make better suggestions.
>
> regards
>
> Hugh
>
>> On 7 Mar 2020, at 09:41, Johnson, Neil M <neil-john...@uiowa.edu> wrote:
>>
>> What is the correct way to return a different reply attribute depending on a user's AD membership in a group using AuthBy LDAP2?
>>
>> The idea is to give some users full privileges to network equipment or limited privileges based on AD group membership.
>>
>> <AuthBy LDAP2>
>>     Identifier uiowa_ad_users
>>     Host XXXXX.iowa.uiowa.edu
>>     AuthDN CN=serviceid,OU=ServiceIDs,OU=User Accounts,DC=iowa,DC=uiowa,DC=edu
>>     AuthPassword SECRET
>>     Port 389
>>     UseTLS
>>     SSLVerify None
>>     BaseDN DC=iowa,DC=uiowa,DC=edu
>>     Scope base
>>     SearchFilter (objectclass=*)
>>     ServerChecksPassword
>>     UsernameAttr sAMAccountName
>> </AuthBy>
>>
>> Do I use multiple AuthBy LDAP2 sections with different search filters in an AuthBy GROUP, or is there something I can do with AuthAttrDef?
>>
>> Multiple Google searches have been inconclusive and I'm not sure what the best solution is according to the manual.
>>
>> Thanks.
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@lists.open.com.au
>> https://lists.open.com.au/mailman/listinfo/radiator
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc.
> Full source on Unix, Linux, Windows, macOS, Solaris, VMS, NetWare etc.
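An added illustration of the UserGroup/DeviceGroup matrix lookup that Hugh's earlier reply sketches (Client-Identifier plus the user's LDAP group membership resolved against an SQL table). This is not the example Hugh says he sent separately and not Radiator's own code: it is written in Python over an in-memory SQLite table so it runs stand-alone, whereas a real Radiator PostAuthHook is Perl and would issue the same query with the request's Client-Identifier and the memberOf values returned by the LDAP search, then add the resulting attribute to the reply. The device group names, AD group DNs, privilege levels and the Cisco-AVPair reply attribute are all constructed assumptions; the thread does not name the device vendor or the attribute the equipment expects.

```python
import sqlite3
from typing import Iterable, Optional

# Constructed sample matrix (assumed names, not from the mailing-list thread).
# device_group mirrors a Radiator Client-Identifier; user_group is an AD group DN
# as it would appear in the user's memberOf attribute; priv_level is the access
# level the combination grants (15 = full, lower = restricted).
ACCESS_MATRIX_ROWS = [
    ("uiowa-core-routers",    "CN=Net-Admins,OU=Groups,DC=example,DC=edu",   15),
    ("uiowa-core-routers",    "CN=Net-Helpdesk,OU=Groups,DC=example,DC=edu",  1),
    ("uiowa-access-switches", "CN=Net-Admins,OU=Groups,DC=example,DC=edu",   15),
    ("uiowa-access-switches", "CN=Net-Helpdesk,OU=Groups,DC=example,DC=edu",  7),
]


def open_matrix_db() -> sqlite3.Connection:
    """Build an in-memory SQLite copy of the matrix. In production this would be
    a persistent table that the PostAuthHook queries on every authentication."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE access_matrix (
               device_group TEXT    NOT NULL,
               user_group   TEXT    NOT NULL,
               priv_level   INTEGER NOT NULL,
               PRIMARY KEY (device_group, user_group))"""
    )
    # Group DNs are stored lower-cased because AD DNs compare case-insensitively.
    conn.executemany(
        "INSERT INTO access_matrix VALUES (?, ?, ?)",
        [(dev, grp.lower(), lvl) for dev, grp, lvl in ACCESS_MATRIX_ROWS],
    )
    conn.commit()
    return conn


def lookup_privilege(conn: sqlite3.Connection, client_identifier: str,
                     member_of: Iterable[str]) -> Optional[int]:
    """Return the highest privilege level any of the user's groups grants on
    this device group, or None when no row matches (the deny-by-default case)."""
    groups = sorted({g.lower() for g in member_of})
    if not groups:
        # No group membership means no row can match; returning early also
        # avoids emitting an invalid empty "IN ()" clause.
        return None
    # Only "?" markers are interpolated into the SQL text; the DNs themselves
    # travel as bound parameters, so a crafted group name cannot alter the query.
    placeholders = ",".join("?" * len(groups))
    row = conn.execute(
        "SELECT MAX(priv_level) FROM access_matrix "
        f"WHERE device_group = ? AND user_group IN ({placeholders})",
        (client_identifier, *groups),
    ).fetchone()
    return row[0]  # MAX over zero rows is NULL, which sqlite3 returns as None


def reply_attributes(conn: sqlite3.Connection, client_identifier: str,
                     member_of: Iterable[str]) -> Optional[dict]:
    """Translate the matrix result into reply attributes. None means the hook
    should reject the request rather than fall back to any default level."""
    level = lookup_privilege(conn, client_identifier, member_of)
    if level is None:
        return None
    # Assumed vendor attribute; substitute whatever the device family expects.
    return {"Cisco-AVPair": f"shell:priv-lvl={level}"}


if __name__ == "__main__":
    db = open_matrix_db()
    # Constructed request: a helpdesk user logging in to a core router.
    user_groups = ["CN=Net-Helpdesk,OU=Groups,DC=example,DC=edu"]
    print(reply_attributes(db, "uiowa-core-routers", user_groups))
    # Same user on a device group the matrix has no row for: rejected.
    print(reply_attributes(db, "uiowa-lab-gear", user_groups))
```

Two design choices are worth stating. A missing row is a rejection, not a fallback to the admin attribute the per-Client-Identifier handlers currently return, so adding a new device group to Radiator without adding matrix rows yields no access rather than full access. When a user is in more than one matching group the highest level wins; if the local policy is that the most restrictive membership should govern, change MAX to MIN in the query and nothing else moves.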