SUMMARY: ldap groups + freeradius

2007-03-23 Thread Karen R McArthur
Thank you to this list!  I am posting snips from my users,
radiusd.conf and huntgroup files that work.

** huntgroups **
admin   NAS-IP-Address == 192.168.1.1
        Session-Timeout = 60,
        Idle-Timeout = 30

public  NAS-IP-Address == 192.168.1.2
        NAS-IP-Address == 192.168.1.3,
        Idle-Timeout = 3600

vpn     NAS-IP-Address == 192.168.1.4

** radiusd.conf **
snip
ldap {
server = ldap.example.com
port = 
identity = cn=proxy,dc=example,dc=com
password = itsasecret
basedn = ou=People,dc=example,dc=com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
start_tls = no
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
# membership = the user's DN listed as a member of a GroupOfNames (AND of both terms)
groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}
snip

** users **
snip
DEFAULT Auth-Type = LDAP
        Fall-Through = yes

DEFAULT Huntgroup-Name == public, Ldap-Group == public
        Reply-Message = "Welcome to the dial-in service",
        Fall-Through = no

DEFAULT Huntgroup-Name == admin, Ldap-Group == admin
        Reply-Message = "Welcome to the admin Terminal Server",
        Fall-Through = no

DEFAULT Huntgroup-Name == vpn, Ldap-Group == vpn
        Reply-Message = "Welcome to the VPN Gateway",
        Fall-Through = no

DEFAULT Auth-Type := Reject
        Reply-Message = "You are not authorized to use this service.  If you believe you have received this message in error, please contact our Helpdesk."
snip

** user ldap records **
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: public
radiusGroupName: vpn

-- 
Karen R. McArthur [EMAIL PROTECTED]
Systems Administrator
Information and Library Services, Bates College
Lewiston, Maine 04240 USA
ph:(207)786-8236   fax:(207)786-6057

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : ldap groups + freeradius

2007-03-13 Thread Thibault Le Meur
Hi,

 I have 4 NAS-IP-Addresses.
 
 My users are split into 6 groups (some are in multiple 
 groups): public, faculty, staff, student, vpn, and admin.
 
 I would like the users to get access to the NAS by virtue of 
 being in a group.
 
 192.168.1.1
   admin
 192.168.1.2
   vpn
 192.168.1.3
   faculty, staff, student
 192.168.1.4
   public

To make groups of NASes, use the huntgroup file, for instance:

firstnas NAS-IP-Address == 192.168.1.1
...

lastnas  NAS-IP-Address == 192.168.1.3
lastnas  NAS-IP-Address == 192.168.1.4

Then define your LDAP server in radiusd.conf

Then use the users file to make your rules such as:
DEFAULT Huntgroup-Name == firstnas, Ldap-Group == admin
        Reply-Message = XXX
        Fall-Through = no


For more info see:
/usr/share/doc/freeradius/rlm_ldap
/usr/share/doc/freeradius/ldap_howto.txt

HTH,
Thibault


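A small model of the access decision produced by the huntgroups, users and LDAP records in Karen's summary, which is also the Huntgroup-Name / Ldap-Group rule pattern Thibault sketches above. This is an added example, not FreeRADIUS or the posters' code: it simplifies the files module to the three check items used here, and the LDAP bind that actually verifies the password is outside the model.

```python
# Added example (not FreeRADIUS or the poster's code): a simplified model of
# the access decision the summary's huntgroups, users and LDAP records produce.
# rlm_preprocess maps NAS-IP-Address to Huntgroup-Name, then the users file
# DEFAULT entries are walked in order until a match with Fall-Through = no.

# huntgroups file, transcribed: Huntgroup-Name -> NAS-IP-Address values
HUNTGROUPS = {
    "admin": {"192.168.1.1"},
    "public": {"192.168.1.2", "192.168.1.3"},
    "vpn": {"192.168.1.4"},
}

# user ldap records, transcribed: uid -> radiusGroupName values (answers Ldap-Group)
LDAP_GROUPS = {
    "user1": {"public", "vpn", "admin"},
    "user2": {"public"},
    "user3": {"public", "vpn"},
}

# users file, transcribed, in file order: (check items, Reply-Message, Fall-Through).
# First entry only sets Auth-Type = LDAP; last is the Auth-Type := Reject catch-all (message shortened).
USERS = [
    ({}, None, True),
    ({"Huntgroup-Name": "public", "Ldap-Group": "public"}, "Welcome to the dial-in service", False),
    ({"Huntgroup-Name": "admin", "Ldap-Group": "admin"}, "Welcome to the admin Terminal Server", False),
    ({"Huntgroup-Name": "vpn", "Ldap-Group": "vpn"}, "Welcome to the VPN Gateway", False),
    ({"Auth-Type": "Reject"}, "You are not authorized to use this service.", False),
]

def huntgroup_for(nas_ip):
    """Huntgroup-Name that rlm_preprocess would add for this NAS, or None."""
    return next((name for name, ips in HUNTGROUPS.items() if nas_ip in ips), None)

def authorize(uid, nas_ip):
    """Return ('accept' | 'reject', Reply-Message) for a user on a given NAS.

    'accept' only means the users file matched; the password is still checked
    by the LDAP bind that Auth-Type = LDAP triggers, which is outside this model."""
    huntgroup = huntgroup_for(nas_ip)
    groups = LDAP_GROUPS.get(uid, set())  # unknown uid -> no group can match
    for check, reply, fall_through in USERS:
        if check.get("Auth-Type") == "Reject":
            return "reject", reply  # nothing above matched, catch-all reached
        if "Huntgroup-Name" in check and check["Huntgroup-Name"] != huntgroup:
            continue
        if "Ldap-Group" in check and check["Ldap-Group"] not in groups:
            continue
        if not fall_through:
            return "accept", reply
    return "reject", None
```

Note that a NAS absent from huntgroups and a uid with no radiusGroupName values both fall through to the final Reject entry, which is the behaviour the catch-all DEFAULT is there to guarantee.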


ldap groups + freeradius

2007-03-12 Thread Karen R McArthur
I know this question has been asked many times before.  I have searched
the archives and I have tried what I've found there, but I can't seem to
get this working.

RedHat EL 4 (managed through RHN, so latest available versions)
freeradius-1.0.1-3
openldap-2.2.13-6

I have 4 NAS-IP-Addresses.

My users are split into 6 groups (some are in multiple groups): public,
faculty, staff, student, vpn, and admin.

I would like the users to get access to the NAS by virtue of being in a
group.

192.168.1.1
  admin
192.168.1.2
  vpn
192.168.1.3
  faculty, staff, student
192.168.1.4
  public

What steps do I need to follow to implement this?  I have tried many
combinations in huntgroups, users, and radiusd.conf.

Any directions or URLs to documentation would be appreciated.

Thank you.

** some ldif output **
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: staff
radiusGroupName: vpn
radiusGroupName: admin

dn: uid=user2,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: student

dn: uid=user3,ou=People,dc=example,dc=com
objectClass: radiusprofile
radiusGroupName: faculty
radiusGroupName: vpn

dn: cn=vpn,ou=ldap-auth,dc=example,dc=com
objectClass: groupOfNames
cn: vpn
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user3,ou=People,dc=example,dc=com

dn: cn=vpn,ou=profiles,ou=radius,ou=services,dc=example,dc=com
objectClass: radiusprofile
cn: vpn
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None

** radiusd.conf **
ldap {
server = ldap.example.com
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
basedn = ou=People,dc=example,dc=com
identity = cn=lnxproxy,ou=LDAPauth,dc=example,dc=com
password = itsasecret
start_tls = no
tls_cacertfile = /usr/share/ssl/certs/ca-cert.pem
tls_cacertdir = /usr/share/ssl/certs/
tls_certfile = /usr/share/ssl/certs/cert.pem
tls_keyfile = /usr/share/ssl/certs/key.pem
dictionary_mapping = ${raddbdir}/ldap.attrmap
ldap_connections_number = 5
groupname_attribute = cn
# membership = the user's DN listed as a member of a GroupOfNames (AND of both terms)
groupmembership_filter = (&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))
groupmembership_attribute = radiusGroupName
timeout = 4
timelimit = 3
net_timeout = 1
}

** users **
DEFAULT Auth-Type = LDAP
        Fall-Through = 1

DEFAULT Ldap-Group == cn=vpn,ou=ldap-auth,dc=example,dc=com,
        Fall-Through = no

** huntgroups **
admin   NAS-IP-Address == 192.168.1.1
        Session-Timeout = 60,
        Idle-Timeout = 30,
        Ldap-Group = admin

public  NAS-IP-Address == 192.168.1.3
        NAS-IP-Address == 192.168.1.4,
        Idle-Timeout = 3600,
        Ldap-Group = public,
        Ldap-Group = faculty,
        Ldap-Group = staff,
        Ldap-Group = student

vpn     NAS-IP-Address == 192.168.1.2