2010/12/1 Dan White <[email protected]>:
> On 01/12/10 18:27 +0300, c0re wrote:
>>
>> Can't understand how to use the nssov overlay in my case, but
>> understood about the dynamic groups overlay and it should fit my needs.
>>
>> Also I've got freeradius that authenticates users by looking in ldap.
>> Works well. But can't understand how to restrict users to login
>> to some devices. At the moment all users have access to all devices
>> via radius. Same requests - this must be controlled via openldap.
>>
>> Maybe someone uses freeradius and has already made such restrictions
>> and can give me some tips.
>
> Here's one approach:
>
> Given a huntgroups file of:
>
> device1 NAS-IP-Address == 192.168.1.1
> cisco1  NAS-IP-Address == 192.168.1.2
>
> and corresponding entries in your clients.conf, you can add something like
> this in your users file:
>
> DEFAULT Huntgroup-Name == "device1", ldap-customattr-Ldap-Group == "device1"
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == "device1", Auth-Type := Reject
>
> DEFAULT Huntgroup-Name == "cisco1", ldap-customattr-Ldap-Group == "cisco1/admin", User-Profile := "cn=ciscoadmin,ou=radius,dc=example,dc=net"
>         Fall-Through = no
>
> DEFAULT Huntgroup-Name == "cisco1", Auth-Type := Reject
>
> then create /etc/freeradius/modules/ldap-customattr with:
>
> ldap ldap-customattr {
>         server = "ldap://ldap.example.net"
>         ldap_debug = 0x0028
>         identity = "$dn"
>         password = $pass
>         ldap_connections_number = 5
>         basedn = "dc=example,dc=net"
>         filter = "(uid=%u)"
>         start_tls = no
>         tls_mode = no
>         password_attribute = "userPassword"
>         groupname_attribute = "customattr"
>         groupmembership_filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
>         groupmembership_attribute = "customattr"
> }
>
> Add 'ldap-customattr' inside the 'instantiate' section within
> /etc/freeradius/radiusd.conf.
>
> Add this to your tree:
>
> dn: cn=ciscoadmin,ou=radius,dc=example,dc=net
> objectClass: radiusObjectProfile
> objectClass: radiusprofile
> cn: ciscoadmin
> radiusReplyItem: cisco-avpair = "shell:priv-lvl=15"
>
> Then within your user entries, any user with:
>
> customattr: device1
>
> will be authorized to authenticate to device1, and
>
> customattr: cisco1/admin
>
> will authenticate to cisco1, and will also drop directly into enable mode,
> assuming the cisco device is configured to do so.
>
> --
> Dan White
Thanks for the example! But it still requires editing clients.conf when adding a device. And it does not restrict by groups. As per http://wiki.freeradius.org/Rlm_ldap I can use

groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"

Are there any other variables that can be used? I mean not only Ldap-UserDn, but something like Ldap-clientIP, or Ldap-clientHostname, or anything else that uniquely identifies the remote device. Then I can use dynamic groups in OpenLDAP and restrict access to a device by group membership.
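As an added example (not part of the thread, and not Dan White's or the FreeRADIUS project's own configuration): any attribute of the request can be expanded with %{...} in rlm_ldap filters and in unlang conditions, so the group name can be derived from the NAS itself. Below, group entries are assumed to be static groupOfNames objects named nas-<NAS-IP-Address> under ou=radius,dc=example,dc=net (for instance cn=nas-192.168.1.1 with a member: uid=alice,ou=people,dc=example,dc=net line), the bind DN and password are placeholders, and FreeRADIUS 2.x with rlm_ldap is assumed. Adding a device then means adding one group entry in the directory rather than a users-file rule; the device still has to be listed in clients.conf, because a request from an unknown client is dropped before authorize runs.

```conf
# Added example, not the project's shipped config. Assumed FreeRADIUS 2.x.

# /etc/freeradius/modules/ldap
ldap {
        server = "ldap://ldap.example.net"
        identity = "cn=radius,ou=services,dc=example,dc=net"   # assumed bind DN
        password = "change-me"                                 # assumed
        basedn = "dc=example,dc=net"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Group membership is resolved by searching for group entries that
        # list the user's DN. %{Ldap-UserDn} is filled in by rlm_ldap once
        # the user entry has been found by the filter above.
        groupname_attribute = "cn"
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
}

# /etc/freeradius/sites-enabled/default, authorize section
authorize {
        preprocess
        ldap
        # The double-quoted string is expanded before the Ldap-Group
        # comparison, so the group checked is nas-<address of this NAS>.
        # NAS-IP-Address is whatever the device put in the packet; use
        # %{Packet-Src-IP-Address} (assumed present in the server's internal
        # dictionary) if you would rather key on the source address the
        # server actually saw and matched against clients.conf.
        if (Ldap-Group == "nas-%{NAS-IP-Address}") {
                ok
        }
        else {
                reject
        }
}
```

Running the server with radiusd -X shows the expanded group filter for each request, which is the quickest way to confirm that the NAS address lands in the group name the way you expect. If you switch the group entries to the dynlist overlay instead of static groupOfNames, check with ldapsearch that a search on (member=<user DN>) still returns the dynamic group, since the match above depends on the server evaluating the filter against the generated member values.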
