
Re: Want interesting restrictions to ldap auth on different servers to different users



2010/12/6 Dan White <dwhite@olp.net>:
> On 06/12/10 15:34 +0300, c0re wrote:
>>
>> 2010/12/1 Dan White <dwhite@olp.net>:
>> Thanks for example!
>>
>> But it still requires editing clients.conf when adding a device. And it
>> doesn't restrict by groups.
>
> That's true, unless you have some of your clients coming from behind
> one NAT address. I'm not aware of any way around that.
>
>> As per http://wiki.freeradius.org/Rlm_ldap I can use
>>
>> groupmembership_filter =
>>
>> "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>>
>> Are there any other variables that can be used? I mean not only
>> Ldap-UserDn, but something like Ldap-clientIP, or Ldap-clientHostname
>> or anything else to uniquely identify the remote device. Then I can use
>> dynamic groups in OpenLDAP and restrict access to a device by group
>> membership.
>
> As for the client IP, or other identifying information of the
> authenticating device, I've always tried to use huntgroups to identify the
> device rather than trying to perform a match in the LDAP filter, but that
> approach might work just fine.
>
> Keep in mind that different types of devices will send more or less
> information in their RADIUS requests. Running freeradius in '-X' mode, and
> sending a sample request will show you the information that you might be
> able to match on.
>
> --
> Dan White
>

Thanks for the tip about -X mode, will do it if I run into trouble.

Found a very interesting message in the mailing lists here:
http://lists.freeradius.org/pipermail/freeradius-users/2010-October/msg00058.html
Even more interesting: storing the NAS secret in LDAP!

And using the variable Packet-Src-IP-Address to distinguish source devices.
Will try to get it working this week.
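As an added, constructed example (not from this thread or from the FreeRADIUS project), here is how Dan's huntgroup suggestion can be combined with the rlm_ldap group check in FreeRADIUS 2.x unlang: the huntgroups file tags each NAS by address, and the authorize section rejects users who are not in the LDAP group permitted for that device class. The huntgroup names, group DNs and addresses are assumptions.

```conf
# --- /etc/raddb/huntgroups ---
# Tag each NAS by its address so unlang can branch on Huntgroup-Name.
# Addresses are constructed examples from the RFC 5737 documentation range.
core-switches   NAS-IP-Address == 192.0.2.10
core-switches   NAS-IP-Address == 192.0.2.11
branch-routers  NAS-IP-Address == 198.51.100.20

# --- /etc/raddb/sites-enabled/default, authorize section ---
authorize {
    # preprocess evaluates huntgroups and sets Huntgroup-Name on the request
    preprocess
    # rlm_ldap user lookup; the Ldap-Group comparisons below use the
    # module's groupmembership_filter, so %{Ldap-UserDn} is resolved per user
    ldap

    # Core switches: only members of the netadmins group may log in.
    if (Huntgroup-Name == "core-switches") {
        if (Ldap-Group == "cn=netadmins,ou=groups,dc=example,dc=com") {
            ok
        }
        else {
            reject
        }
    }
    # Branch routers: netadmins or the branch operators group.
    elsif (Huntgroup-Name == "branch-routers") {
        if ((Ldap-Group == "cn=netadmins,ou=groups,dc=example,dc=com") || (Ldap-Group == "cn=branch-ops,ou=groups,dc=example,dc=com")) {
            ok
        }
        else {
            reject
        }
    }
    # Any NAS not listed in huntgroups: fail closed rather than fall through.
    else {
        reject
    }

    # The same branching without huntgroups, keyed on the packet's own
    # source address as mentioned in the thread (assumed address):
    #   if (Packet-Src-IP-Address == 192.0.2.10) { ... }
}
```

Run `radiusd -X` and send a test request from each device class to confirm that Huntgroup-Name is set as expected before relying on the reject branches.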