SUMMARY: ldap groups + freeradius
Thank you to this list! I am posting snips from my users, radiusd.conf and huntgroup files that work.

** huntgroups **

admin   NAS-IP-Address == 192.168.1.1
        Session-Timeout = 60,
        Idle-Timeout = 30

public  NAS-IP-Address == 192.168.1.2
        NAS-IP-Address == 192.168.1.3,
        Idle-Timeout = 3600

vpn     NAS-IP-Address == 192.168.1.4

** radiusd.conf **

snip
ldap {
        server = ldap.example.com
        port =
        identity = cn=proxy,dc=example,dc=com
        password = itsasecret
        basedn = ou=People,dc=example,dc=com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}
snip

** users **

snip
DEFAULT Auth-Type = LDAP
        Fall-Through = yes

DEFAULT Huntgroup-Name == public, Ldap-Group == public
        Reply-Message = "Welcome to the dial-in service",
        Fall-Through = no

DEFAULT Huntgroup-Name == admin, Ldap-Group == admin
        Reply-Message = "Welcome to the admin Terminal Server",
        Fall-Through = no

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
        Reply-Message = "Welcome to the VPN Gateway",
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not authorized to use this service. If you believe you have received this message in error, please contact our Helpdesk."
snip

* user ldap record *

dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn

--
Karen R. McArthur [EMAIL PROTECTED]
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236 fax:(207)786-6057

> RedHat EL 4 (managed through RHN, so latest available versions)
> freeradius-1.0.1-3
> openldap-2.2.13-6
>
> I have 4 NAS-IP-Addresses. My users are split into 6 groups (some are in multiple groups): public, faculty, staff, student, vpn, and admin. I would like the users to get access to the NAS by virtue of being in a group.
>
> 192.168.1.1    admin
> 192.168.1.2    vpn
> 192.168.1.3
> 192.168.1.4    faculty, staff, student public
>
> What steps do I need to follow to implement this? I have tried many combinations in huntgroups, users, and radiusd.conf. Any directions or URLs to documentation would be appreciated.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
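The policy in the users and huntgroups snippets of the summary above can be checked offline with a small model. This is an added example written for this page, not code from FreeRADIUS or from anyone in the thread. It hard-codes the group memberships from the summary's LDIF and the NAS-to-huntgroup mapping as constructed data (in a running server rlm_ldap and the huntgroups file supply them) and implements the users-file evaluation order that Thibault's reply also relies on: entries are tried top to bottom, the first entry whose check items all match supplies reply items and ends processing unless it sets Fall-Through, and the closing Auth-Type := Reject entry catches everything that matched nothing earlier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the LDIF in the summary (radiusGroupName values per uid);
# a real deployment gets these from rlm_ldap, not from a dict.
LDAP_USERS: Dict[str, Set[str]] = {
    "user1": {"public", "vpn", "admin"},
    "user2": {"public"},
    "user3": {"public", "vpn"},
}

# The huntgroups file reduced to NAS-IP-Address -> Huntgroup-Name (summary's mapping).
HUNTGROUPS: Dict[str, str] = {
    "192.168.1.1": "admin",
    "192.168.1.2": "public",
    "192.168.1.3": "public",
    "192.168.1.4": "vpn",
}


@dataclass
class Rule:
    """One DEFAULT entry of the users file."""
    huntgroup: Optional[str]              # Huntgroup-Name == X check item (None: absent)
    ldap_group: Optional[str]             # Ldap-Group == X check item (None: absent)
    reply: Dict[str, str] = field(default_factory=dict)
    fall_through: bool = False            # Fall-Through = yes/no
    reject: bool = False                  # Auth-Type := Reject


# The users file from the summary, entry by entry, in file order.
USERS_FILE: List[Rule] = [
    Rule(None, None, fall_through=True),   # DEFAULT Auth-Type = LDAP, Fall-Through = yes
    Rule("public", "public", {"Reply-Message": "Welcome to the dial-in service"}),
    Rule("admin", "admin", {"Reply-Message": "Welcome to the admin Terminal Server"}),
    Rule("vpn", "vpn", {"Reply-Message": "Welcome to the VPN Gateway"}),
    Rule(None, None, {"Reply-Message": "You are not authorized to use this service."},
         reject=True),
]


def authorize(username: str, nas_ip: str) -> Tuple[bool, Dict[str, str]]:
    """Evaluate the users file for one request, top to bottom: an entry whose check
    items all match contributes its reply items, and evaluation stops there unless
    Fall-Through is set. Returns (accepted, reply items)."""
    groups = LDAP_USERS.get(username, set())   # unknown user: member of no group
    huntgroup = HUNTGROUPS.get(nas_ip)          # None for a NAS in no huntgroup
    reply: Dict[str, str] = {}
    for rule in USERS_FILE:
        if rule.huntgroup is not None and rule.huntgroup != huntgroup:
            continue
        if rule.ldap_group is not None and rule.ldap_group not in groups:
            continue
        reply.update(rule.reply)
        if rule.reject:
            return False, reply
        if not rule.fall_through:
            return True, reply
    # No terminal entry matched; treat as a deny rather than an implicit accept.
    return False, reply


def access_matrix() -> Dict[str, List[str]]:
    """NAS addresses each sample user is accepted on; handy when reviewing a policy change."""
    return {user: sorted(ip for ip in HUNTGROUPS if authorize(user, ip)[0])
            for user in LDAP_USERS}


if __name__ == "__main__":
    for user, nases in access_matrix().items():
        print(user, "->", ", ".join(nases) or "(no access)")
```

Running it prints, per user, the NAS addresses the policy accepts (user1 on all four, user2 only on the two public NASes, user3 on the public and vpn NASes). The model covers authorization only; the LDAP bind behind Auth-Type = LDAP is not simulated. It also shows why the final Reject entry matters: a user whose group does not match the NAS's huntgroup, or a NAS in no huntgroup at all, falls through to that entry and is denied explicitly instead of being accepted by accident.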
RE : ldap groups + freeradius
Hi,

> I have 4 NAS-IP-Addresses. My users are split into 6 groups (some are in multiple groups): public, faculty, staff, student, vpn, and admin. I would like the users to get access to the NAS by virtue of being in a group.
>
> 192.168.1.1    admin
> 192.168.1.2    vpn
> 192.168.1.3
> 192.168.1.4    faculty, staff, student public

To make group of NASes use the huntgroup file, for instance:

firstnas   NAS-IP-Address == 192.168.1.1
...
lastnas    NAS-IP-Address == 192.168.1.3
lastnas    NAS-IP-Address == 192.168.1.4

Then define your LDAP server in radiusd.conf

Then use the users file to make your rules such as:

DEFAULT Huntgroup-Name == firstnas, Ldap-Group == admin
        Reply-Message = XXX,
        Fall-Through = no

For more info see:
/usr/share/doc/freeradius/rlm_ldap
/usr/share/doc/freeradius/ldap_howto.txt

HTH,
Thibault
ldap groups + freeradius
I know this question has been asked many times before. I have searched the archives and I have tried what I've found there, but I can't seem to get this working.

RedHat EL 4 (managed through RHN, so latest available versions)
freeradius-1.0.1-3
openldap-2.2.13-6

I have 4 NAS-IP-Addresses. My users are split into 6 groups (some are in multiple groups): public, faculty, staff, student, vpn, and admin. I would like the users to get access to the NAS by virtue of being in a group.

192.168.1.1    admin
192.168.1.2    vpn
192.168.1.3
192.168.1.4    faculty, staff, student public

What steps do I need to follow to implement this? I have tried many combinations in huntgroups, users, and radiusd.conf. Any directions or URLs to documentation would be appreciated.

Thank you.

--
Karen R. McArthur [EMAIL PROTECTED]
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236 fax:(207)786-6057

** some ldif output **

dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: staff
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: student

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: faculty
radiusGroupName: vpn

dn: cn=vpn,ou=ldap-auth,dc=example,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user3,ou=People,dc=example,dc=com

dn: cn=vpn,ou=profiles,ou=radius,ou=services,dc=example,dc=com
objectClass: radiusprofile
cn: vpn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

** radiusd.conf **

ldap {
        server = ldap.example.com
        filter = (uid=%{Stripped-User-Name:-%{User-Name}})
        basedn = ou=People,dc=example,dc=com
        identity = cn=lnxproxy,ou=LDAPauth,dc=example,dc=com
        password = itsasecret
        start_tls = no
        tls_cacertfile = /usr/share/ssl/certs/ca-cert.pem
        tls_cacertdir = /usr/share/ssl/certs/
        tls_certfile = /usr/share/ssl/certs/cert.pem
        tls_keyfile = /usr/share/ssl/certs/key.pem
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        groupname_attribute = cn
        groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
        groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
}

** users **

DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT Ldap-Group == "cn=vpn,ou=ldap-auth,dc=example,dc=com"
        Fall-Through = no

** huntgroups **

admin   NAS-IP-Address == 192.168.1.1
        Session-Timeout = 60,
        Idle-Timeout = 30,
        Ldap-Group = admin

public  NAS-IP-Address == 192.168.1.3
        NAS-IP-Address == 192.168.1.4,
        Idle-Timeout = 3600,
        Ldap-Group = public,
        Ldap-Group = faculty,
        Ldap-Group = staff,
        Ldap-Group = student

vpn     NAS-IP-Address == 192.168.1.2